Remote hole affects Debian, Ubuntu

Sam Varghese
Wednesday, 14 May 2008 03:03

Opinion and Analysis

The Debian GNU/Linux project has announced details of a  security problem in the OpenSSL package distributed by the project. It can be exploited remotely.


In a message to the Debian security mailing list, senior developer Florian Weimer said it had been discovered that the random number generator in the package was predictable.

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols and a full-strength general purpose cryptography library.

Weimer said this was caused by an incorrect Debian-specific change in the package and as a result cryptographic key material could be guessed.

He said this was a Debian-specific vulnerability which would not affect systems not based on Debian. Systems based on Debian, such as Ubuntu , are affected. Other systems could be affected if weak keys were imported.

He recommended that all cryptographic key material generated by OpenSSL versions starting with version 0.9.8c-1 on Debian systems be recreated.

While the version of OpenSSL which had the vulnerability was present in the current stable (Etch), testing and unstable versions of Debian, he said the previous stable version, Sarge, was not affected.

Weimer said affected keys included "SSH keys. OpenVPN keys, DNSSEC keys and key material for use in X.509 certificates and session keys used in SSL/TLS connections.  Keys generated with GnuPG or GNUTLS are not affected, though."

The project has published a detector for known weak key material and instructions for implementing key rollover for various packages.