Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Rene Mayrhofer
Dear Thijs, On Wednesday, 14 May 2008, Thijs Kinkhorst wrote: > > I also don't think it's > > reasonable for all packages that somehow use(d) openssl to create keys to > > do their own security fix as openssh-server did (for openssh, I think > > that's a good thing because it's the primary entry p

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Thijs Kinkhorst
On Wednesday 14 May 2008 12:50, Rene Mayrhofer wrote: > What's the current status concerning an automated "fixer" package that > would do all the work of re-creating the keys like the openssh-server > package currently does? I don't think it's reasonable to just distribute > the fixed openssl and sa

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Rene Mayrhofer
[Sorry for CCing people again, but I think that this issue will need close co-operation by everybody involved.] On Wednesday, 14 May 2008, Thijs Kinkhorst wrote: > That page unfortunately falls through the cracks as we're all very busy > with preparing the DSA or responding to the various issues

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Thijs Kinkhorst
On Wednesday 14 May 2008 11:16, Gerfried Fuchs wrote: > I've asked several times on #debian-security about what to add to > there, a question to [EMAIL PROTECTED] got unanswered so far, too. I would > be fine to add any information, I just don't like linking to a wiki > page[1] for security relat

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Gerfried Fuchs
On Wednesday, 14.05.2008, 09:35 +0200, Rene Mayrhofer wrote:
> rm /etc/ssh/ssh_host_*
> dpkg-reconfigure openssh-server
> /etc/init.d/ssh restart

FWIW, the dpkg-reconfigure openssh-server does the restart implicitly, you don't need to explicitly do a restart afterwards, again.

> Who is curre

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-14 Thread Rene Mayrhofer
On Tuesday, 13 May 2008, Vincent Bernat wrote: > - As a maintainer of a package that has generated certificates using > OpenSSL, how should we handle the issue? I'm in the same situation (maintaining openswan and strongswan, and both packages may automatically create X.509 certificates in

Re: dsa-1571

2008-05-13 Thread Simon Paillard
On Tue, May 13, 2008 at 10:07:00PM +0200, Jens Seidel wrote: > On Tue, May 13, 2008 at 02:01:39PM -0500, Adam Majer wrote: > > http://www.debian.org/security/2008/dsa-1571 > > > > The links between < > in original advisory are all missing in the text. > >

Re: dsa-1571

2008-05-13 Thread Jens Seidel
Hi Adam, On Tue, May 13, 2008 at 02:01:39PM -0500, Adam Majer wrote: > http://www.debian.org/security/2008/dsa-1571 > > The links between < > in original advisory are all missing in the text. if you refer to: A detector for known weak key material will be publish

dsa-1571

2008-05-13 Thread Adam Majer
http://www.debian.org/security/2008/dsa-1571 The links between < > in original advisory are all missing in the text. - Adam

Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Gerfried Fuchs
On Tuesday, 13.05.2008, 15:51 +0200, Stephane Bortzmeyer wrote: > On Tue, May 13, 2008 at 03:44:24PM +0200, > > > packages," and this link is broken: there is no > > > security-tracker.debian.org. > > > > Just in case you don't know about it yet, try .net. > > Nice and useful but the Web pa

Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Stephane Bortzmeyer
On Tue, May 13, 2008 at 03:44:24PM +0200, Cyril Brulebois <[EMAIL PROTECTED]> wrote a message of 31 lines which said: > > By the way, the page > > has a link > > http://security-tracker.debian.org/, labeled "The Debian Security > > Tracker has

Re: Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Cyril Brulebois
On 13/05/2008, Stephane Bortzmeyer wrote: > By the way, the page > has a link > http://security-tracker.debian.org/, labeled "The Debian Security > Tracker has the canonical list of CVE names, corresponding Debian > packages," and this link is brok

Broken link on Debian CVE Web page (Was: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-13 Thread Stephane Bortzmeyer
On Tue, May 13, 2008 at 02:06:39PM +0200, Florian Weimer <[EMAIL PROTECTED]> wrote a message of 274 lines which said: > This is caused by an incorrect Debian-specific change to the openssl > package (CVE-2008-0166). By the way, the page has a