Re: Debian libssl security (OpenSSH safe?)

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Otto Moerbeek <otto@...>

To: Gabriel Linder <linder@...>

Cc: openbsd-misc <misc@...>

Subject: Re: Debian libssl security (OpenSSH safe?)

Date: Wednesday, May 14, 2008 - 7:22 am

On Wed, May 14, 2008 at 09:41:43AM +0200, Gabriel Linder wrote:

quoted text> On Tue, 13 May 2008 11:14:59 -0500
> Sean Malloy <spinelli85@gmail.com> wrote:
> 
> > On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
> > > I guess everyone by now has heard about the very serious libssl
> > > vulnerability on Debian/Ubuntu?
> > > 
> > > Just making sure that the source is safe, thanks.
> > > 
> > > /juan
> > 
> > Here is a quote from the official Debian Security announcement,
> > DSA-1571 http://www.debian.org/security/2008/dsa-1571.
> > 
> > "This is a Debian-specific vulnerability which does not affect other
> > operating systems which are not based on Debian. However, other
> > systems can be indirectly affected if weak keys are imported into
> > them."
> > 
> 
> Just wondering... If someone generates ssh keys with flags J or Z
> set in malloc.conf(5), aren't these keys useless too (since feeding
> predictable data is more or less equal to not feeding data at all) ?

We're talking about stack data here, not heap, and besides, the
uninited data is only an extra source of entropy. The faulty Debian
diff removed almost all seeding from the PRNG. That was the acutal
error. 

	-Otto

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Debian libssl security (OpenSSH safe?), Juan Miscaro, (Tue May 13, 11:37 am)

Re: Debian libssl security (OpenSSH safe?), Sean Malloy, (Tue May 13, 12:14 pm)

Re: Debian libssl security (OpenSSH safe?), Gabriel Linder, (Wed May 14, 3:41 am)

Re: Debian libssl security (OpenSSH safe?), Otto Moerbeek, (Wed May 14, 7:22 am)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 7:24 am)

Re: Debian libssl security (OpenSSH safe?), raven, (Wed May 14, 7:45 pm)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Wed May 14, 8:22 pm)

Re: Debian libssl security (OpenSSH safe?), Ben Calvert, (Wed May 14, 8:30 pm)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 10:22 pm)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Wed May 14, 10:43 pm)

Re: Debian libssl security (OpenSSH safe?), Otto Moerbeek, (Thu May 15, 1:11 am)

Re: Debian libssl security (OpenSSH safe?), Dave Ewart, (Thu May 15, 5:02 am)

Re: Debian libssl security (OpenSSH safe?), Tim Post, (Thu May 15, 5:44 am)

Re: Debian libssl security (OpenSSH safe?), Darrin Chandler, (Thu May 15, 9:31 am)

Re: Debian libssl security (OpenSSH safe?), Tim Post, (Fri May 16, 2:51 am)

Re: Debian libssl security (OpenSSH safe?), Ted Unangst, (Wed May 14, 11:10 pm)

Re: Debian libssl security (OpenSSH safe?), Jussi Peltola, (Wed May 14, 8:53 pm)

Re: Debian libssl security (OpenSSH safe?), Douglas A. Tutty, (Thu May 15, 9:52 am)

Re: Debian libssl security (OpenSSH safe?), Marc Espie, (Tue May 13, 1:00 pm)

More details show that someone seriously fucked up in debian..., chefren, (Tue May 13, 6:48 pm)

Re: More details show that someone seriously fucked up in de..., Damien Miller, (Thu May 15, 2:05 pm)

Re: More details show that someone seriously fucked up in de..., Otto Moerbeek, (Wed May 14, 2:47 am)

Re: More details show that someone seriously fucked up in de..., Otto Moerbeek, (Wed May 14, 7:53 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Jeff Chua	2.6.27rc1 cannot boot more than 8CPUs
David Miller	[GIT]: Networking
Nigel Cunningham	Re: [PATCH] Remove process freezer from suspend to RAM pathway
Greg Kroah-Hartman	[PATCH 011/196] sysfs: Fix a copy-n-paste typo in comment
git:
David Bremner	Commit f5bbc322 to git broke pre-commit hooks which read stdin
Wink Saville	How-to combine several separate git repos?
Johannes Schindelin	Re: Considering teaching plumbing to users harmful
Jakub Narebski	Re: VCS comparison table
openbsd-misc:
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Richard Stallman	Real men don't attack straw men
Karel Kulhavy	OpenBSD sticker considered cool by a layman
askthelist	Packets Per Second Limit?
linux-netdev:
Jussi Kivilinna	[PATCH 00/14][v3]: Driver for Wireless RNDIS USB devices.
Scott Wood	Re: [PATCH] [Rev2] MPC5121 FEC support
Herbert Xu	Re: [PATCH 3/3] pkt_sched: restore multiqueue prio scheduler
Denys	r8169 crash

Latest forum posts


How to exec user process in kernel mode.	4 hours ago	Linux kernel
trouble with my Asus Mainboard	6 hours ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	11 hours ago	Linux kernel
help in UDP catching module..	1 day ago	Linux kernel
Is there anything like Real-time drivers?	2 days ago	Linux general
ns16550 serail console in Linux 2.6.19	3 days ago	Linux general
what class should i use to register my devices	3 days ago	Linux kernel
reset bios pasword toshiba	3 days ago	Hardware
Analysis of Process Scheduling	4 days ago	Linux kernel
RT Kernel and SSH Server Panics	4 days ago	Linux kernel

Show all forums...

Recent Tags

Tux3 Andrew Morton Linux filesystem -rc quote Linus Torvalds 2.6.27-rc5 Daniel Phillips 2.6.27 -rc5 H. Peter Anvin -rc4

more tags

Colocation donated by:

Online users

Syndicate