CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 14th, 2008

Debian.org Accounts Blocked Due To Recent OpenSSL Vulnerabilities

A recently discovered weakness in Debian's OpenSSL random number generator, which affects SSH keys among other things, has led the Debian administrators to disable public-key authentication on all project systems until further notice.

Two days ago, Debian warned of a vulnerability in its cryptographic functions that could leave systems open to attack. The random number generator in Debian's OpenSSL package is predictable, the result of an incorrect Debian-specific change to the OpenSSL package (CVE-2008-0166). As a consequence, cryptographic key material may be guessable. This is a Debian-specific vulnerability that does not affect operating systems not based on Debian; however, other systems can be indirectly affected if weak keys are imported into them.

If you operate a service on Debian.org machines that requires key-based authentication, for instance to transfer files between hosts or to push rebuilds, please contact [email protected] after you have verified that the keys in question are safe, or have replaced them. Key-based access for individual accounts can then be enabled again.
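The "verify the keys in question are safe" step, written out as an added Python example (not code from the article or from Debian): it parses an authorized_keys file, computes each key's MD5 fingerprint over the raw key blob the way ssh-keygen did at the time, and flags any fingerprint that appears on a weak-key blacklist. The keys and the blacklist here are constructed for illustration; Debian's actual check (ssh-vulnkey with the openssh-blacklist package) compared against precomputed fingerprints of every key the broken generator could produce.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Non-negative integer as an SSH mpint; the extra byte keeps the sign bit clear."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    """The ssh-rsa blob that appears base64-encoded in authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the key blob, the fingerprint form ssh-keygen -l printed in 2008."""
    return hashlib.md5(blob).hexdigest()

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment); skips blanks, comments and a leading options field."""
    for line in text.splitlines():
        fields = line.strip().split(None, 3)
        if not fields or fields[0].startswith("#"):
            continue
        if not fields[0].startswith("ssh-"):  # options prefix such as no-pty (no embedded spaces)
            fields = fields[1:]
        if len(fields) < 2:
            continue
        comment = " ".join(fields[2:])
        yield fields[0], base64.b64decode(fields[1]), comment

def find_blacklisted_keys(text: str, blacklist: set) -> list:
    """Comments of the keys whose fingerprint is on the weak-key blacklist."""
    return [c for _, blob, c in parse_authorized_keys(text) if md5_fingerprint(blob) in blacklist]

# Constructed sample keys with toy moduli (illustration only, not real key material).
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE123456789ABCDEF0)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEFCAFEBABE12345678)
# Constructed blacklist; Debian's real one held fingerprints of every key the broken PRNG could emit.
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@weak-host",
    "no-pty ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " bob@ok-host",
])

if __name__ == "__main__":
    print(find_blacklisted_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS))  # ['alice@weak-host']
```

Any key the check flags should be treated like the article says: replace it, then re-request key-based access.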

Since the cryptography used in SSH cannot ensure confidentiality if either side uses weak random numbers, Debian.org has also randomized all user passwords in LDAP. Users can request a new one using the standard password recovery procedure at http://db.debian.org/password.html, but should only use the new password once their client system has been upgraded.

The SSL certificate on db.debian.org was also replaced, because its CA, operated by Software in the Public Interest (SPI), is known to have been created with an OpenSSL affected by the bug.

SSL certs for other services will be replaced in the next few days according to Debian.org administration.
