On Wed, May 14, 2008 at 09:41:43AM +0200, Gabriel Linder wrote:
> On Tue, 13 May 2008 11:14:59 -0500
> Sean Malloy <[EMAIL PROTECTED]> wrote:
>
> > On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
> > > I guess everyone by now has heard about the very serious libssl
> > > vulnerability on Debian/Ubuntu?
> > >
> > > Just making sure that the source is safe, thanks.
> > >
> > > /juan
> >
> > Here is a quote from the official Debian Security announcement,
> > DSA-1571 http://www.debian.org/security/2008/dsa-1571.
> >
> > "This is a Debian-specific vulnerability which does not affect other
> > operating systems which are not based on Debian. However, other
> > systems can be indirectly affected if weak keys are imported into
> > them."
> >
>
> Just wondering... If someone generates ssh keys with flags J or Z
> set in malloc.conf(5), aren't these keys useless too (since feeding
> predictable data is more or less equal to not feeding data at all) ?

We're talking about stack data here, not heap, and besides, the uninited data is only an extra source of entropy. The faulty Debian diff removed almost all seeding from the PRNG. That was the actual error.

-Otto
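
The distinction drawn in the reply above, as an added toy model that is not part of the original thread and is not OpenSSL's code: mixing predictable bytes into a hash-based pool that was already seeded costs nothing, while dropping the seeding leaves every run with the same output. `ToyPool`, `FILLER`, `keygen` and `distinct_keys` are hypothetical names, and the filler bytes are a constructed stand-in for predictable buffer contents.

```python
import hashlib
import os


class ToyPool:
    """Minimal hash-based entropy pool (illustrative model only)."""

    def __init__(self):
        self.state = b"\x00" * 32

    def add(self, data: bytes) -> None:
        # New state depends on the old state and the input, so adding
        # known data can never remove uncertainty already in the pool.
        self.state = hashlib.sha256(self.state + data).digest()

    def output(self, n: int = 16) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out


# Constructed sample: a buffer whose contents an observer can predict.
FILLER = b"\xd0" * 64


def keygen(seed_with_entropy: bool, mix_filler: bool) -> bytes:
    """Produce 16 bytes of 'key material' from a fresh pool."""
    pool = ToyPool()
    if seed_with_entropy:
        pool.add(os.urandom(32))   # the real seeding
    if mix_filler:
        pool.add(FILLER)           # the predictable extra input
    return pool.output()


def distinct_keys(seed_with_entropy: bool, mix_filler: bool,
                  runs: int = 200) -> int:
    """Count how many different outputs appear across independent runs."""
    return len({keygen(seed_with_entropy, mix_filler) for _ in range(runs)})


if __name__ == "__main__":
    for seeded in (True, False):
        for filler in (True, False):
            n = distinct_keys(seeded, filler)
            print(f"seeded={seeded!s:5} filler={filler!s:5} distinct={n}/200")
```
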