Security advisories for Tuesday

Debian has updated the kernel (race condition), openssl (predictable random number generator).

Fedora 9 has updated zoneminder (arbitrary code execution), libid3tag (infinite loop), cups (arbitrary code execution), sipp (arbitrary code execution), bugzilla (multiple vulnerabilities), tkimg (buffer overflow), licq (denial of service).

Gentoo has updated chicken (multiple vulnerabilities), blender (multiple vulnerabilities), PTeX (multiple vulnerabilities).

Red Hat has updated xen (multiple vulnerabilities).

Ubuntu has updated openssl (predictable random number generator), openssh (predictable random number generator).

Debian ssh bug means lots of work.
Posted May 13, 2008 19:27 UTC (Tue) by endecotp (guest, #36428)

So all Debian and Ubuntu users have to regenerate all personal ssh keys and re-propagate them to all authorized-keys files, regenerate all host keys (how?) and clear all known-host files, regenerate any ssl key signing certificates and regenerate any self-signed certificates that were generated using them, revoke all of the old ssl certificates (can anyone tell me how to do that?), and tell users to expect ssl warnings. I think that's quite a lot of work.

Does anyone know what Debian-specific feature was responsible for introducing this bug? When a distribution makes a change to the upstream version of a package, a balance has to be struck between the usefulness of the change and the potential for breakage. In the case of a package like OpenSSH where the consequences of breakage are quite serious, I would suggest that distributions should be making few if any changes to the upstream source.

Debian ssh bug means lots of work.
Posted May 13, 2008 19:31 UTC (Tue) by corbet (editor, #1)

Lots of discussion on this problem, including how it came to be, over here.

regenerating host keys
Posted May 13, 2008 21:53 UTC (Tue) by pjdc (guest, #6906)

Something like

    rm /etc/ssh/ssh_host_{,rsa_,dsa_}key{,.pub} && dpkg-reconfigure openssh-server

regenerating host keys
Posted May 13, 2008 22:33 UTC (Tue) by joey (subscriber, #328)

Just upgrading openssh-server to version 4.7p1-9 (available in unstable soon) will take care of fixing any weak host keys; the whole process is automated starting in that version. That version also refuses to accept logins using weak keys.

Debian has posted a wiki page HOW-TO for Key regeneration.
Posted May 14, 2008 13:12 UTC (Wed) by farslayer (guest, #30300)

Regenerate and distribute any potentially vulnerable keys. Instructions for how to regenerate the keys for these applications are below. You can also test to see if keys are vulnerable using the dowkd.pl utility as described below.

http://wiki.debian.org/SSLkeys
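The weak-key check the wiki page describes, as an added example (not code from the page, from Debian, or from dowkd.pl): it parses OpenSSH public-key lines as found in authorized_keys or known_hosts, computes SHA256 fingerprints and flags any that appear in a blacklist. The blacklist, the key blobs and the key lines are constructed toy values; a real audit would load the distribution's published weak-key list instead.

```python
# Added example (not the page's code or dowkd.pl): audit OpenSSH public-key lines
# against a blacklist of weak-key fingerprints. All keys here are toy values.
import base64
import hashlib
import struct
def _mpint(n):  # SSH mpint: length-prefixed big-endian; spare byte keeps sign clear
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b
def make_rsa_blob(e, n):  # ssh-rsa wire blob from toy numbers, not a real key
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)

def parse_pubkey_line(line):
    """(keytype, blob) for an authorized_keys/known_hosts line; None if unusable."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options (authorized_keys) or a hostname (known_hosts) may precede the type.
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(("ssh-", "ecdsa-")):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            return None
        # The blob starts with its own length-prefixed type string; it must agree.
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != field.encode():
            return None
        return field, blob
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (base64, no padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def audit(lines, blacklist):
    """Return (line_no, keytype, fingerprint, 'WEAK' or 'ok') per parseable key."""
    report = []
    for no, line in enumerate(lines, 1):
        parsed = parse_pubkey_line(line)
        if parsed:
            fp = fingerprint(parsed[1])
            report.append((no, parsed[0], fp, "WEAK" if fp in blacklist else "ok"))
    return report

# Constructed sample input: one blacklisted toy key, one clean key, and noise.
WEAK_BLOB, GOOD_BLOB = make_rsa_blob(65537, 0xC0FFEE), make_rsa_blob(65537, 0xBADC0DE)
BLACKLIST = {fingerprint(WEAK_BLOB)}  # stands in for the distro's weak-key list
SAMPLE_KEYS = ["# deploy user", "ssh-rsa not*base64 broken",
               "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@laptop",
               'command="/usr/bin/rsync" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " backup"]
for entry in audit(SAMPLE_KEYS, BLACKLIST): print("line %d: %s %s %s" % entry)
```

Comment lines, options prefixes and undecodable entries are skipped rather than aborting the run, so the same loop can be pointed at a whole known_hosts file.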
Copyright © 2008, Eklektix, Inc.