Mario 'BitKoenig' Holbe <[EMAIL PROTECTED]> wrote:
> ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
^
openssl's, of course.
regards
Mario
--
The social dynamics of the net are a direct consequence of the fact that
nobody has yet d
On Wed, May 14, 2008 at 11:09 AM, Hr. Philip Rueegsegger <[EMAIL PROTECTED]>
wrote:
> How can I check if a rsa key created by 'openssl genrsa ...' and its x509
> certificate is vulnerable ? The utility ssh-vulnkey seems to only check ssh
> keys. Thanks in advance !
>
What CVE IDs does this apply
Micah Anderson un jour écrivit:
* Simon Valiquette <[EMAIL PROTECTED]> [2008-05-14 16:36-0400]:
In other words, if a vulnerable key have been involved, and if someone
was able to intercept and save the encrypted data, he/she can now
decipher It, whether It is passwords, ssh sessions, secur
On Wed, 14 May 2008, Florian Weimer wrote:
> > I agree it would be neat if someone with a powerful machine could
> > generate all possible keys. I don't know how long that would take
> > however...
>
> It's not so much a time issue, is a question of storage (or getting that
> data to the OpenSSH
On Wed, 14 May 2008, Micah Anderson wrote:
> authenticity of the server. In other words, ssh sessions are not
> compromised just because an adversary has the host keys (unless a MITM
> is setup, in which case you need bot the host key and the authentication
> key to perform a mitm attack).
Ok. Bu
Hi,
Mario 'BitKoenig' Holbe wrote:
Kurt Roeckx <[EMAIL PROTECTED]> wrote:
So my question is, does either the ssh client or server use openssl
to generate the random number used to sign?
Yes, they both do.
ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
goes down to ssleay
* Simon Valiquette <[EMAIL PROTECTED]> [2008-05-14 16:36-0400]:
>
>> Affected keys include SSH keys [...] and session keys used
> > in SSL/TLS connections.
>
> It seems that people are insisting quite a lot on the bad keys, but
> what worry me a lot more is that, apparently and very logically,
On Wed, 14 May 2008, Alexandre Dulaunoy wrote:
> Hi,
>
> For my understanding, the black list in the dowkd.pl is generated
> from the potential remaining entropy source which seems to be
> only the PID value added in the pool.
>
> Could we have some false negative[1] when running the dowkd scrip
On Wed, 14 May 2008, Sam Morris wrote:
>
> Not quite... "Once the update is applied, weak user keys will be
> automatically rejected where possible (though they cannot be detected in
> all cases)."
>
> I agree it would be neat if someone with a powerful machine could
> generate all possible k
Affected keys include SSH keys [...] and session keys used
> in SSL/TLS connections.
It seems that people are insisting quite a lot on the bad keys, but
what worry me a lot more is that, apparently and very logically, past ssh
connections and any SSL session keys are to be considered compr
Kurt Roeckx <[EMAIL PROTECTED]> wrote:
> So my question is, does either the ssh client or server use openssl to
> generate the random number used to sign?
Yes, they both do.
ssh-dss.c:ssh_dss_sign() calls openssh's DSA_do_sign() which finally
goes down to ssleay_rand_add() (via dsa_sign_setup()->B
On Wed, May 14, 2008 at 07:33:43PM +0200, Jan Luehr wrote:
> >To check all your own keys, assuming they are in the standard
> >locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
> >
> > ssh-vulnkey
>
> I took a look at it and found two large blacklist containing lots of key
There seems to be some confusion going around about the effect of the
openssl issue on dsa keys.
>From what I understand, when using a DSA key and the random number used
to generate a signature is known, predictable, or used twice the private
key can be calculated.
So it seem to me that if a DSA
On Wed, May 14, 2008 at 10:39:10AM -0700, Harry Edmon wrote:
> Are there any plans to issue the same openssl/openssh security fixes for
> lenny has have been done for etch?
OpenSSL has already been fixed in lenny. The openssh package containing
ssh-vulkey should hit testing tomorrow at the lates
Are there any plans to issue the same openssl/openssh security fixes for
lenny has have been done for etch?
--
Dr. Harry Edmon E-MAIL: [EMAIL PROTECTED]
206-543-0547[EMAIL PROTECTED]
Dept of Atmospheric SciencesFAX:206-543-0308
Universi
Hello,
Am Mittwoch, 14. Mai 2008 schrieb Florian Weimer:
> Package: openssh
> Vulnerability : predictable random number generator
> Problem type : remote
> Debian-specific: yes
> CVE Id(s) : CVE-2008-0166
>
> The recently announced vulnerability in Debian's openssl package
> (DSA-
* Sam Morris:
> I agree it would be neat if someone with a powerful machine could
> generate all possible keys. I don't know how long that would take
> however...
It's not so much a time issue, is a question of storage (or getting that
data to the OpenSSH server). A networked service would be
How can I check if a rsa key created by 'openssl genrsa ...' and its x509
certificate is vulnerable ? The utility ssh-vulnkey seems to only check ssh
keys. Thanks in advance !
Cheers,
Philip
--
System Engineer Unix
B | SOURCE
Phone +41 44 712 65 14
Mobil
On Mittwoch, 14. Mai 2008, Nicolas Rachinsky wrote:
> Does this affect other protocols? ssl/ipsec/openvpn (with
> certificates)
IPSec: yes, most probably. To be sure when using open/strongswan, run
rm /etc/ipsec.d/private/`hostname`Key.pem /etc/ipsec.d/certs/`hostname`Cert.pem
dpkg-reconfigure (
Hallo,
http://wiki.debian.org/SSLkeys
says
| Additionally, some DSA keys may be compromised in the following situations:
...
| * key generated with good openssl and used to ssh from a machine with bad ssl
= bad
Are really only DSA keys affected (i.e., RSA key generated with good
openssl and used
Hi,
For my understanding, the black list in the dowkd.pl is generated
from the potential remaining entropy source which seems to be
only the PID value added in the pool.
Could we have some false negative[1] when running the dowkd script ?
and would it possible to have the source code of the "blac
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 2008-05-14 12:53, Hideki Yamane wrote:
> And if we would get it via package, when dowkd.pl is updated we can know
> about it automatically (with apt-get :-)
I guess ssh-vulnkey from the updated openssh packages might do what you
ask for.
HTH,
Jo
Hi,
> I expect thats what the dowkd.pl.gz.asc file is for. (see
> http://wiki.debian.org/SSLkeys under "Testing keys using dowkd.pl")
Yes, but all of users will do so? (I hope, but many of them will do that
without checking, I think. They hear about this issue via /. or someone's
blog or so, a
On Wed, May 14, 2008 at 12:17:14PM +0200, Jan Luehr wrote:
> > 1. Install the security updates
> >
> >This update contains a dependency on the openssl update and will
> >automatically install a corrected version of the libss0.9.8 package,
> >and a new package openssh-blacklist.
> >
> >
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Wolf Tony wrote:
| Hi,
|
| you only need to do
|
| aptitude install openssh-server
|
| or
|
| apt-get install openssh-server
|
| Best regards
|
| Tony Wolf
|
That worked fine.
Thank you.
Kind regards
- --
José Santos
[EMAIL PROTECTED]
-BEGIN PGP
Hi,
you only need to do
aptitude install openssh-server
or
apt-get install openssh-server
Best regards
Tony Wolf
-Ursprüngliche Nachricht-
Von: Alvise Belotti [mailto:[EMAIL PROTECTED]
Gesendet: Mittwoch, 14. Mai 2008 12:20
An: José Santos
Cc: debian-security@lists.debian.org
Betre
Hello,
Am Mittwoch, 14. Mai 2008 schrieb Florian Weimer:
> Package: openssh
> Vulnerability : predictable random number generator
> Problem type : remote
> Debian-specific: yes
> CVE Id(s) : CVE-2008-0166
> 1. Install the security updates
>
>This update contains a dependency o
Il 14 May 2008, alle 11:02, José Santos ha scritto:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
>
> Florian Weimer wrote:
> |
> | Debian Security Advisory DSA-1576-1 [EMAIL PROTECTED]
> | http://w
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Florian Weimer wrote:
|
| Debian Security Advisory DSA-1576-1 [EMAIL PROTECTED]
| http://www.debian.org/security/ Florian Weimer
| Ma
Am Mittwoch, den 14.05.2008, 09:35 +0200 schrieb Rene Mayrhofer:
> rm /etc/ssh/ssh_host_*
> dpkg-reconfigure openssh-server
> /etc/init.d/ssh restart
FWIW, the dpkg-reconfigure openssh-server does the restart implicitly,
you don't need to explicitly do a restart afterwards, again.
> Who is curre
On Wed, 14 May 2008 07:59:58 +0200, Yves-Alexis Perez wrote:
> On mar, 2008-05-13 at 23:39 -0300, Henrique de Moraes Holschuh wrote:
>>
>> It is probably worth a lot of effort to fully map the entire set of
>> keys
>> the broken openssl could generate, and find a very fast way to check if
>> a ke
On Dienstag, 13. Mai 2008, Vincent Bernat wrote:
> - As a maintainer of a package that have generated certificates using
>OpenSSL, how should we handle the issue?
I'm in the same situation (maintaining openswan and strongswan, and both
packages may automatically create X.509 certificates in
32 matches
Mail list logo