Debian OpenSSL Package Introduces Vulnerability
May 13, 2008 / By Don Seiler
The highlight today of probably every Linux-related mailing list and IRC channel was the announcement of CVE-2008-0166, affecting OpenSSL libraries on Debian-based Linux distributions, including the popular Ubuntu.
According to the Debian Security Advisory, a change made to Debian’s OpenSSL package makes its random number generator predictable. Obviously this is less than desirable in a random number generator used for things like, say, all of your SSH keys.
The vulnerability has been present since September of 2006, and Debian strongly suggests throwing your old keys out completely:
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch.
Debian has now disabled public key authentication on their project servers until further notice, and are generating new keys for those servers and new certificates for db.debian.org.
So all you Debian and Ubuntu folks out there will probably want to do the same for your own keys and certificates. Note that this patch was never used by the upstream OpenSSL team nor by other distros like Fedora or RHEL (or CentOS), so they are not affected.