On Fri, May 16, 2008 at 11:57:16AM +0200, Michael Schwartzkopff wrote:
> Thanks for the explanation. I understood that my system still creates
> compromised keys. I did a full apt-get update and apt-get upgrade. After
> that I installed ssh with
> apt-get install openssh-server openssh-client
>
> When I create a new host key with
> ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
>
> this key is also compromised. I checked it. So why is that, although I have:
> xen00:~# dpkg -l libssl0.9.8
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name           Version        Description
> +++-==============-==============-============================================
> ii  libssl0.9.8    0.9.8g-1       SSL shared libraries
I don't know how you managed it (given that openssh-server depends on a good
enough version; perhaps you have it on hold or something?), but that version
of libssl0.9.8 is absolutely vulnerable. You need to upgrade to 0.9.8g-9 or
newer.

Cheers,

-- 
Colin Watson [EMAIL PROTECTED]
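As an added illustration of the check in Colin's reply (example code, not part of the original thread), the following Python reproduces dpkg's version ordering, reads the installed version out of `dpkg -l` output, and flags anything older than 0.9.8g-9. The dpkg output embedded below is a constructed sample shaped like the one quoted above.

```python
import re

# Fixed version named in Colin Watson's reply; anything older is affected.
FIXED_VERSION = "0.9.8g-9"

# Constructed sample of `dpkg -l libssl0.9.8` output, shaped like the quoted one.
SAMPLE_DPKG_OUTPUT = """\
||/ Name           Version        Description
ii  libssl0.9.8    0.9.8g-1       SSL shared libraries
"""

def _weight(c):
    # dpkg ordering of non-digit chars: '~' < end of run (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    # Alternating non-digit / digit runs, as dpkg compares them: a non-digit run
    # becomes a weight list closed by 0, a digit run an int (so 1.0~rc1 < 1.0).
    key = []
    for nondigit, digits in re.findall(r"(\D*)(\d*)", s):
        key.append([_weight(c) for c in nondigit] + [0])
        key.append(int(digits or 0))
    return key

def version_key(v):
    """Sort key for a Debian version string: [epoch:]upstream[-revision]."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return (int(epoch), _part_key(upstream), _part_key(revision))

def compare_versions(v1, v2):
    """-1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    k1, k2 = version_key(v1), version_key(v2)
    return (k1 > k2) - (k1 < k2)

def installed_version(dpkg_output, package):
    """Version from the `ii` row for `package` in `dpkg -l` output, or None."""
    for fields in (line.split() for line in dpkg_output.splitlines()):
        if len(fields) >= 3 and fields[:2] == ["ii", package]:
            return fields[2]
    return None

def is_vulnerable(version):
    """True when the installed libssl0.9.8 predates the fixed package."""
    return compare_versions(version, FIXED_VERSION) < 0

if __name__ == "__main__":
    v = installed_version(SAMPLE_DPKG_OUTPUT, "libssl0.9.8")
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

On a real host, feed it the output of `dpkg -l libssl0.9.8` instead of the sample; a vulnerable result means keys generated on that host, including freshly created ones, need regenerating after the upgrade.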