openssl package

Debian generates weak ssl keys

Digg Linux/Unix upcoming  Thu, 06/26/2008 - 04:27

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. As a result, cryptographic key material may be guessable.

Systems other than Debian can be indirectly affected if weak keys are imported into them.


 

Ubuntu/Debian, and security bug in Openssl

Digg Linux/Unix upcoming  Mon, 06/16/2008 - 08:24

A very dangerous security bug was discovered in the openssl Debian/Ubuntu packages. The random number generator in Debian's openssl package is predictable.


 

Debian Flaw Allows SSL Keys to be Cracked

Digg Linux/Unix upcoming  Fri, 05/23/2008 - 13:14

According to an announcement on the debian.org security lists, a flaw in the random number generator of Debian's openssl package has the potential to make any cryptographic key material generated by it guessable.

This flaw could potentially compromise thousands of SSL certificates.


 

Debian's worst nightmare - and how it came about

Debian-News.net  Thu, 05/22/2008 - 14:10

The Debian GNU/Linux project has just endured what is probably its worst week on the security front in the 15 years of its existence following the disclosure on May 13 of a serious vulnerability in the distribution's OpenSSL package.


 

Get your SSL and SSH keys updated

Ubuntu-News.net  Sat, 05/17/2008 - 13:47

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing.

All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc.) between September 2006 and May 13th, 2008 may be affected.


 

Impact of the Debian OpenSSL vulnerability

LWN.net  Fri, 05/16/2008 - 06:13

CentOS looks at the impact of the Debian SSL vulnerability for CentOS users. "This vulnerability can affect CentOS machines through the use of keys that were generated with the OpenSSL package from Debian.

For instance, if a user uses OpenSSH public key authentication to log on to a CentOS server, and this user generated the key pair with a vulnerable OpenSSL library, the server is at heavy risk because the key can be reproduced easily."


 

Debian: Flaw in OpenSSL makes private keys predictable

Digg Linux/Unix upcoming  Tue, 05/13/2008 - 15:16

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166).

As a result, cryptographic key material may be guessable.


 

Cryptographic weakness on Debian systems

LWN.net  Tue, 05/13/2008 - 03:55

The Debian project has sent out an advisory stating that, due to a Debian-specific modification to the openssl package, cryptographic keys generated on affected systems may be guessable.

"It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch.