Debian Bug Leaves Private SSL/SSH Keys Guessable
SecurityBob writes "Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL's random number generator, which in turn makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu." Reader RichiH also points to Debian's announcement and Ubuntu's announcement.
What's the hurry? (Score:5, Funny)
*grin*
How Frakin stupid can you be? (Score:5, Funny)
Re:stupid stupid stupid (Score:5, Funny)
Re:OSS, only as good as the last developer? (Score:4, Funny)
I give anyone who touches my package 5 stars!!!
comics (Score:5, Funny)
http://www.xkcd.com/221/
Re:i wondered what was going on (Score:0, Funny)
NUH-UH!!
Too early (Score:5, Funny)
I wake up and what do I see first thing? That there is a problem with Debian's OpenSSH package and the
Now I am thinking, "What exactly is going on here? Is choking on a bucket of cocks not a good source of randomness?"
Re:How Frakin stupid can you be? (Score:5, Funny)
BUTTERCUP: Who are you?
MAN IN BLACK: I am no one to be trifled with, that is all you ever need know.
BUTTERCUP: To think -- all that time it was your cryptographic protocol that was poorly seeded.
MAN IN BLACK: They were both poorly seeded. I spent the morning downloading a patch to build an immunity to keys being guessed.
Re:stupid stupid stupid (Score:5, Funny)
Exactly what I was thinking. But it could be interpreted multiple ways: (a) it was criminals; (b) it was terrorists; (c) it was Microsoft.
Re:It will be fixed (Score:5, Funny)
Might as well... (Score:2, Funny)
OK, this is as good a place as any.
FUCKING IDIOT NOOB ASSHOLES!!!!!1!
Re:stupid stupid stupid (Score:5, Funny)
Re:2 years? (Score:3, Funny)
Re:It will be fixed (Score:5, Funny)
I guess I'd better change my private key... (Score:0, Funny)
-----BEGIN RSA PRIVATE KEY-----
7
------END RSA PRIVATE KEY------
Yipes.
Re:It will be fixed (Score:5, Funny)