Login
Newsletter
Werbung

Sicherheit: Zu leicht vorhersagbare Zufallszahlen in keines
Aktuelle Meldungen Distributionen
Name: Zu leicht vorhersagbare Zufallszahlen in keines
ID: fail
Distribution: Mandriva
Plattformen: Keine Angabe
Datum: Mi, 14. Mai 2008, 04:50
Referenzen: Keine Angabe
Applikationen: keines

Originalnachricht

--PGNNI9BzQDUtgA2J
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

A recent weakness was found in the way that the Debian OpenSSL package
generated keys which may indirectly affect Mandriva users. Due to a patch, =
the
random number generator used by OpenSSL in Debian, Ubuntu, and other
Debian-based systems, certain encryption keys are much more common than they
should be. Because of this, an attacker could guess the key via a brute-for=
ce
attack having minimal knowledge of the system.

This weakness in particular affects encryption keys as used by OpenSSH,
OpenVPN, and SSL certificates.

While this patch was never applied to the Mandriva OpenSSL package, it is
possible that these weak keys or certificates exist on Mandriva systems. In
particular, this could affect systems that provide SSH or VPN services to m=
any
users, some of which may be Debian or Ubuntu users, resulting in the
possibility that these weak keys or certificates exist.

Debian and Ubuntu have both published security advisories containing more
information:

http://www.ubuntu.com/usn/usn-612-1
http://www.debian.org/security/2008/dsa-1571

As well, a tool written to detect these weak keys has also been made availa=
ble
to assist in determining whether any of these weak keys exist on your syste=
m:

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc (GPG signatu=
re)

Further information on how to implement key rollover for various packages w=
ill
also be noted on the Debian website:

http://www.debian.org/security/key-rollover/

It is recommended that Mandriva users who provide SSH or VPN services to
remote users download this tool and double-check to ensure that no such weak
keys exist on the system. It is also recommended that any users who may have
carried over their own keys or certificates from a previous Debian or Ubuntu
installation double-check their keys or certificates in local or remote
machines.

According to the Debian advisory, affected keys include SSH keys, OpenVPN
keys, DNSSEC keys, and key material for use in X.509 certificates and sessi=
on
keys used in SSL/TLS connections. Please note that that keys generated with
GnuPG or GNUTLS are not affected.

This vulnerability is tracked in MITRE's dictionary as CVE-2008-0166.

The Debian and Ubuntu security teams consider this to be an extremely serio=
us
vulnerability and urge all users to act immediately to secure their systems.

--=20
Vincent Danen @ http://linsec.ca/

--PGNNI9BzQDUtgA2J
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkgqUbgACgkQLrxeMv7jCtTR8ACfU21Rm5uq0z6ajV2Ruygj5V5Q
yg8AoLmgNyxyz1BlYMqWGyzDLTp9WT6x
=ezSH
-----END PGP SIGNATURE-----

--PGNNI9BzQDUtgA2J
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

--PGNNI9BzQDUtgA2J--
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung