[Pkg-openssl-devel] [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Thijs Kinkhorst
thijs at debian.org
Wed May 14 11:00:37 UTC 2008
On Wednesday 14 May 2008 12:50, Rene Mayrhofer wrote:
> What's the current status concerning an automated "fixer" package that
> would do all the work of re-creating the keys like the openssh-server
> package currently does? I don't think it's reasonable to just distribute
> the fixed openssl and say (only implicitly within the DSA, which people
> might not read in detail) to our users something along the lines of "your
> keys created in the past 2 years are completely broken and all your crypto
> is insecure - doh, but you're on your own". I also don't think it's
> reasonable for all packages that somehow use(d) openssl to create keys to
> do their own security fix as openssh-server did (for openssh, I think
> that's a good thing because it's the primary entry point for additional,
> potentially manual fixing). Fixing different packages should be able to
> re-use code and would only bother the user/admin once.
Since the commit was already publicly made last week, we had no choice but to
delay the release by no more than a few days. Fixing certificates for an
ssl-using package is mostly a process specific to that package. I think we'll
accept updated packages like the openssh one just as well for other ssl-using
packages, but "someone has to do it". The maintainers are of course the most
likely candidates, since they know their package best.
> As it stands now, I don't think this issue is fixed from a user point of
> view (just thinking about user ssh keys, which are still wide open....).
I'm not sure what that last part about user keys means, since the recent
openssh update is designed to block weak user ssh keys. Or what do you mean?
Thijs
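As an added illustration of the blocklist approach Thijs refers to (this is not code from the thread or from the Debian openssh package): a scanner that fingerprints every key in an authorized_keys file and flags the ones whose MD5 fingerprint appears in a blocklist. The key material, the blocklist entry and the sample file are all constructed; a real blocklist is built from the fingerprints of every key the broken RNG could produce.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # key types covered by the advisory

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, zero byte prepended if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def rsa_key_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' public-key blob that authorized_keys stores base64-encoded."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH fingerprint: MD5 of the raw blob as colon-separated hex pairs."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))
# Constructed stand-in for a key from the broken RNG. A real blocklist holds the
# fingerprints of every key the crippled generator could produce; ours holds one.
WEAK_E, WEAK_N = 65537, 0xC0FFEE1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567891
BLOCKLIST = {md5_fingerprint(rsa_key_blob(WEAK_E, WEAK_N))}

def scan_authorized_keys(text: str):
    """Return (line_no, fingerprint, comment, is_weak) for every parsable key line."""
    rows = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        # An options prefix such as command="..." may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a key line this scanner understands
        fp = md5_fingerprint(base64.b64decode(fields[idx + 1]))
        rows.append((line_no, fp, " ".join(fields[idx + 2:]), fp in BLOCKLIST))
    return rows

def key_line(e: int, n: int, comment: str, options: str = "") -> str:
    """Format one constructed authorized_keys line (optional options prefix)."""
    return options + "ssh-rsa " + base64.b64encode(rsa_key_blob(e, n)).decode() + " " + comment

# Constructed sample: a comment, a weak key, a blank line, and an unaffected key with options.
SAMPLE = "\n".join(["# constructed authorized_keys", key_line(WEAK_E, WEAK_N, "alice@etch"), "",
                    key_line(3, 0xD00D1234567890ABCDEF, "backup@host", 'command="/usr/bin/rsync" ')])
```

Any row with `is_weak` set is a key that should be removed from the file and regenerated on a fixed OpenSSL before the account is trusted again.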