OpenSSL vulnerability in Debian and derived distributions
There is a weakness in the random number generator used by OpenSSL in Debian and derived distributions.
Luciano Bello discovered that the random number generator in the OpenSSL package of Debian is predictable. It is therefore strongly recommended to update the OpenSSL package in Debian and its derived distributions, like Ubuntu. Moreover, all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems must be recreated from scratch.
Ubuntu published: “This vulnerability only affects operating systems which (like Ubuntu) are based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.”
Many hosting providers have started upgrading their Debian or Debian-based servers. Please be aware that this is a critical security upgrade, so prepare yourself in both technical and budget terms to face this situation.
At this time, Debian and Ubuntu have published fixed packages of the OpenSSL software. Please visit the following sites to download them, as well as for further reading and news updates.
For Debian: Fixed OpenSSL packages and further reading.
For Ubuntu: Fixed OpenSSL packages and further reading.
The well-known security researcher H.D. Moore, creator of the Metasploit project, has published very interesting findings about the OpenSSL vulnerability. Please check them here
Moore explains the cause of the bug and how easy it is for attackers to take advantage of the OpenSSL vulnerability in Ubuntu, Debian and derived distributions.
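Because weak keys can be imported into systems that were never affected themselves, as the Ubuntu statement above notes, every authorized_keys file needs auditing, not only those on Debian hosts. The following Python code is an added example, not part of the original post: it flags entries whose key blob matches a blocklist. The blocklist format (SHA-256 hex digests of key blobs), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def find_key(fields):
    """Locate the key in a split authorized_keys line; return (blob, comment) or None."""
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # token came from an options string, not a key
            continue
        # A real key blob begins with its length-prefixed type name.
        name = tok.encode()
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return blob, " ".join(fields[i + 2:])
    return None

def audit(text, weak_digests):
    """Return (line_number, comment) for every key whose digest is blocklisted."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found = find_key(line.split())
        if found and hashlib.sha256(found[0]).hexdigest() in weak_digests:
            hits.append((n, found[1]))
    return hits

def _constructed_blob(seed):
    # Stand-in for a key blob: valid type header, arbitrary body (not a real key).
    return struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest()

WEAK, GOOD = _constructed_blob(b"weak"), _constructed_blob(b"good")
# Assumed blocklist format: SHA-256 hex digests of known-weak key blobs.
SAMPLE_BLOCKLIST = {hashlib.sha256(WEAK).hexdigest()}
SAMPLE_FILE = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@laptop",
    'command="echo ssh-rsa x",no-pty ssh-rsa '
    + base64.b64encode(WEAK).decode() + " backup@debian-host",
])

if __name__ == "__main__":
    for n, comment in audit(SAMPLE_FILE, SAMPLE_BLOCKLIST):
        print(f"line {n}: weak key ({comment}) - remove and regenerate")
```

Any entry it reports should be removed from the file and the key owner asked to generate a new key pair on a patched system.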
Posted on November 2008 in System


