
15 May 2008

OpenSSL exploit

by Anton Piatek

I am sure you have all read about the OpenSSL exploit that was recently found in Debian:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

It is worth noting that the exploit affects any keys that were generated on a Debian box after sarge (so etch, lenny, current sid). This also means that any box that accepts those keys as an authentication method is vulnerable too:

http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html
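To find out which boxes still accept such keys, each `authorized_keys` file can be checked against a list of known-weak fingerprints. The sketch below is an added example, not part of the original post: the function names, sample keys and blocklist are constructed, and the blocklist format (hex MD5 fingerprints, full or truncated to their tail) is an assumption.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in use on 2008-era systems


def fingerprint(blob):
    """Classic OpenSSH fingerprint: MD5 over the decoded public key blob."""
    return hashlib.md5(blob).hexdigest()


def parse_keys(text):
    """Yield (line_number, key_type, blob, comment) for each key line."""
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so search for it.
        for i, field in enumerate(fields[:-1]):
            if field not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            yield number, field, blob, " ".join(fields[i + 2:])
            break


def audit(text, blocklist):
    """Return (line_number, comment, fingerprint) for every blocklisted key."""
    tails = {e.strip().lower() for e in blocklist if e.strip()}
    found = ((n, c, fingerprint(b)) for n, _, b, c in parse_keys(text))
    return [hit for hit in found if any(hit[2].endswith(t) for t in tails)]


def _sample_line(seed, comment, options=""):
    # Constructed blob: SSH string "ssh-rsa" plus filler bytes, not a real key.
    blob = b"\x00\x00\x00\x07ssh-rsa" + seed
    return f"{options}ssh-rsa {base64.b64encode(blob).decode()} {comment}", blob


LINE_A, BLOB_A = _sample_line(b"constructed-A", "alice@etch")
LINE_B, BLOB_B = _sample_line(b"constructed-B", "bob@sarge", 'from="10.0.0.1" ')
SAMPLE = "# constructed authorized_keys\n" + LINE_A + "\n" + LINE_B + "\n"
# Constructed blocklist holding the last 20 hex digits of key A's fingerprint.
BLOCKLIST = [fingerprint(BLOB_A)[-20:]]
```

Calling `audit(SAMPLE, BLOCKLIST)` returns the single constructed entry for `alice@etch`; on a real host, pass it the contents of each user's `authorized_keys` file and a list of known-weak fingerprints.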

Because any of those boxes could already be compromised, if you are paranoid you should be careful about logging in to them with passwords too. Basically, if you are paranoid then you can't really trust anything (so business as normal for paranoid people).

In order to fix your keys, you should probably do the following (thanks to Hugo Mills)

on all boxes you own

And on all boxes you have access to via keys
