Debian.org Accounts Blocked Due To Recent OpenSSL Vulnerabilities
A recently discovered weakness in the random number generator of Debian's OpenSSL package, which affects SSH keys among other things, has led the Debian administration to disable public-key authentication on all project systems until further notice.
Two days ago, Debian warned of a vulnerability in its cryptographic functions that could leave systems open to attack. The random number generator in Debian's OpenSSL package is predictable, the result of an incorrect Debian-specific change to the OpenSSL package (CVE-2008-0166). As a result, cryptographic key material generated on affected systems may be guessable. This is a Debian-specific vulnerability that does not affect operating systems not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them, for example an SSH public key generated on an affected Debian host and installed in an authorized_keys file on another machine.
If you operate a service on Debian.org machines that requires key-based authentication, for instance to transfer files between hosts or to push rebuilds, contact [email protected] after you have verified that the keys in question are safe, or have replaced them. Key-based access for individual accounts can then be re-enabled.
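As an added illustration of the key check the announcement asks for (this is example code written for this page, not Debian's ssh-vulnkey tool and not part of the original article): the script below takes OpenSSH public key lines, computes the MD5 fingerprint of each key blob (the fingerprint ssh-keygen -l printed at the time) and looks it up in a blacklist in the openssh-blacklist file format, which, to my recollection, lists each weak key's 32-hex-digit MD5 fingerprint with the first 12 digits dropped; that format detail and the /usr/share/ssh/blacklist.* path are stated as assumptions. The keys and the blacklist here are constructed on the fly so the example runs offline; a real check would read the blacklist files shipped in the openssh-blacklist package.

```python
import base64
import hashlib
import struct

# Key types the check understands; the 2008 advisory concerned RSA and DSA keys.
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 when the top bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    if value == 0:
        return ssh_string(b"")
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style line from RSA parameters (constructed, not a real key)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def key_blob(pubkey_line: str) -> bytes:
    """Extract the base64 key blob, skipping any authorized_keys options prefix.
    Caveat: options containing spaces are not handled by the simple split()."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return base64.b64decode(fields[i + 1])
    raise ValueError("no recognised key type in line: %r" % pubkey_line)


def md5_fingerprint(blob: bytes) -> str:
    """32 lowercase hex digits: the MD5 fingerprint ssh-keygen -l printed in 2008."""
    return hashlib.md5(blob).hexdigest()


def colon_fingerprint(fp_hex: str) -> str:
    """Render as aa:bb:cc:... for comparison with ssh-keygen output."""
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2))


def blacklist_entry(fp_hex: str) -> str:
    """openssh-blacklist stores each fingerprint minus its first 12 hex digits (assumption)."""
    return fp_hex[12:]


def parse_blacklist(text: str) -> set:
    """One entry per line; blank lines and '#' comments are ignored."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def is_blacklisted(pubkey_line: str, blacklist: set) -> bool:
    return blacklist_entry(md5_fingerprint(key_blob(pubkey_line))) in blacklist


def check_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line_number, colon fingerprint, 'COMPROMISED' or 'ok') for every key line."""
    results = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = md5_fingerprint(key_blob(line))
        verdict = "COMPROMISED" if blacklist_entry(fp) in blacklist else "ok"
        results.append((num, colon_fingerprint(fp), verdict))
    return results


# --- Constructed sample data: not real keys and not the real blacklist ---
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE_1234_5678_9ABC_DEF0, "weak@constructed")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xDEADBEEF_0BAD_CAFE_F00D_1234, "good@constructed")

# The blacklist is derived from WEAK_KEY so the example runs offline; on a real
# system you would load /usr/share/ssh/blacklist.RSA-2048 and its siblings (assumed path).
BLACKLIST_TEXT = "# constructed blacklist\n%s\n" % blacklist_entry(md5_fingerprint(key_blob(WEAK_KEY)))
BLACKLIST = parse_blacklist(BLACKLIST_TEXT)

AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    'from="10.0.0.0/8" ' + WEAK_KEY,
    GOOD_KEY,
])

if __name__ == "__main__":
    for num, fp, verdict in check_authorized_keys(AUTHORIZED_KEYS, BLACKLIST):
        print("line %d  %s  %s" % (num, fp, verdict))
```

The fingerprint is computed over the decoded key blob, not over the base64 text or the comment, which is why a key flagged here matches what ssh-keygen -l reports for the same file regardless of how the line is formatted; a key that is blacklisted must be replaced and removed from every authorized_keys file it was ever installed in, not only on the host where it was generated.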
Since the cryptography used in SSH cannot ensure confidentiality if either side uses weak random numbers, Debian.org has also randomized all user passwords in LDAP. Users can request a new password using the standard recovery procedure at http://db.debian.org/password.html, but should only use the new password once their client system has been upgraded.
The SSL certificate on db.debian.org was also replaced, because its CA, which is operated by Software in the Public Interest (SPI), is known to have been created with an OpenSSL affected by the bug.
SSL certificates for other services will be replaced in the next few days, according to the Debian.org administration.