Security: Too easily predictable random numbers in none
Wed, 14 May 2008, 04:50
A recent weakness was found in the way that the Debian OpenSSL package
generated keys which may indirectly affect Mandriva users. Due to a patch, =
random number generator used by OpenSSL in Debian, Ubuntu, and other
Debian-based systems, certain encryption keys are much more common than they
should be. Because of this, an attacker could guess the key via a brute-force
attack having minimal knowledge of the system.
This weakness in particular affects encryption keys as used by OpenSSH,
OpenVPN, and SSL certificates.
While this patch was never applied to the Mandriva OpenSSL package, it is
possible that these weak keys or certificates exist on Mandriva systems. In
particular, this could affect systems that provide SSH or VPN services to m=
users, some of which may be Debian or Ubuntu users, resulting in the
possibility that these weak keys or certificates exist.
Debian and Ubuntu have both published security advisories containing more
A tool written to detect these weak keys has also been made available
to assist in determining whether any of these weak keys exist on your system:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc (GPG signature)
Further information on how to implement key rollover for various packages will
also be noted on the Debian website:
It is recommended that Mandriva users who provide SSH or VPN services to
remote users download this tool and double-check to ensure that no such weak
keys exist on the system. It is also recommended that any users who may have
carried over their own keys or certificates from a previous Debian or Ubuntu
installation double-check their keys or certificates in local or remote
According to the Debian advisory, affected keys include SSH keys, OpenVPN
keys, DNSSEC keys, and key material for use in X.509 certificates and session
keys used in SSL/TLS connections. Please note that keys generated with
GnuPG or GNUTLS are not affected.
This vulnerability is tracked in MITRE's dictionary as CVE-2008-0166.
The Debian and Ubuntu security teams consider this to be an extremely serious
vulnerability and urge all users to act immediately to secure their systems.
Vincent Danen @ http://linsec.ca/
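
The key audit recommended above, sketched as an added example (it is not part
of the original advisory and is not the dowkd tool): it fingerprints every RSA
and DSA entry in an authorized_keys file and reports those found on a weak-key
list. Assumptions: the sample keys, the blocklist and its SHA256 fingerprint
format are constructed here, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumption: audit RSA and DSA entries

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blobs(text):
    """Yield (line_no, key_type, blob) for each key in authorized_keys text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key, so scan every "<type> <base64>" pair.
        for kind, b64 in zip(tokens, tokens[1:]):
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:  # not base64, so not a key blob
                continue
            # A key blob starts with its own length-prefixed type string.
            if kind in KEY_TYPES and blob.startswith(
                    struct.pack(">I", len(kind)) + kind.encode()):
                yield line_no, kind, blob
                break

def audit(text, blocklist):
    """Return (line_no, key_type, fingerprint) for every key on the blocklist."""
    found = ((n, k, fingerprint(b)) for n, k, b in key_blobs(text))
    return [hit for hit in found if hit[2] in blocklist]

# Constructed sample data: not real keys and not real weak-key fingerprints.
def _fake_blob(kind, body):
    return struct.pack(">I", len(kind)) + kind.encode() + body
def _entry(kind, body):
    return kind + " " + base64.b64encode(_fake_blob(kind, body)).decode()

SAMPLE = "\n".join([
    "# constructed authorized_keys",
    _entry("ssh-rsa", b"constructed-ok") + " alice@mandriva",
    'command="/bin/true",no-pty ' + _entry("ssh-dss", b"constructed-weak") + " bob@ubuntu",
    "ssh-rsa not*base64 broken@entry",
])
BLOCKLIST = {fingerprint(_fake_blob("ssh-dss", b"constructed-weak"))}

if __name__ == "__main__":
    for line_no, kind, fp in audit(SAMPLE, BLOCKLIST):
        print(f"line {line_no}: {kind} key {fp} is on the weak-key list")
```

Any entry it reports should be removed and its owner asked to generate a new
key on an unaffected system.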