Forbidden Web

May 15, 2008

Debian and Ubuntu OpenSSL and OpenSSH Vulnerabilities
Debian and Ubuntu have released multiple security advisories to address vulnerabilities in their OpenSSL package and other cryptographic application packages that rely on it. These vulnerabilities are due to weaknesses in the random number generator that is used to create SSL and SSH cryptographic keys. As a result of the vulnerability, the keys generated using the flawed OpenSSL package may be weak. Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to conduct brute force attacks and obtain sensitive information. These vulnerabilities may affect any Debian-based systems, such as Ubuntu, and may indirectly affect other systems if these weak keys have been imported into them.

US-CERT encourages users to review the following advisories and apply any necessary workarounds or updates:

Debian Security Advisory DSA-1571-1
Debian Security Advisory DSA-1576-1
Ubuntu Security Notice USN-612-1
Ubuntu Security Notice USN-612-2
Ubuntu Security Notice USN-612-3
Ubuntu Security Notice USN-612-4
Ubuntu Security Notice USN-612-5
Ubuntu Security Notice USN-612-6

US-CERT will provide more information as it becomes available.