
Debian OpenSSL Vulnerability


Monty Solomon

May 16, 2008, 10:31:33 AM
***** Moderator's Note *****

Although the attached warning is not, strictly speaking, telecom
related, I'm allowing it because Debian GNU/Linux is the operating
system that runs a lot of the Asterisk PBX software, and is used in a
lot of other "infrastructure" machines that provide email or other
essential corporate functions. The more people who know, the better.

Bill Horne
Temporary Moderator

*************************

Debian Security Advisory

DSA-1571-1 openssl -- predictable random number generator

Date Reported:
13 May 2008

Affected Packages:
openssl

Vulnerable:
Yes

Security database references:
In Mitre's CVE dictionary: CVE-2008-0166.

More information:

Luciano Bello discovered that the random number generator in
Debian's openssl package is predictable. This is caused by an
incorrect Debian-specific change to the openssl package
(CVE-2008-0166). As a result, cryptographic key material may be
guessable.

This is a Debian-specific vulnerability which does not affect
other operating systems which are not based on Debian. However, other
systems can be indirectly affected if weak keys are imported into
them.

It is strongly recommended that all cryptographic key material
which has been generated by OpenSSL versions starting with 0.9.8c-1
on Debian systems is recreated from scratch. Furthermore, all DSA
keys ever used on affected Debian systems for signing or
authentication purposes should be considered compromised; the Digital
Signature Algorithm relies on a secret random value used during
signature generation.

...

http://www.debian.org/security/2008/dsa-1571
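The advisory's last paragraph says DSA keys used on affected systems must be considered compromised because DSA signing depends on a secret per-signature random value (the nonce k). The script below is an added example, not Debian's or OpenSSL's code, showing concretely why: if an attacker can guess k for one signature, the long-term private key x falls out of the signature equation, and if the same k is ever used for two messages (the case a nearly constant RNG output makes likely, which goes a step beyond what the advisory states), k itself can be solved for first. The Debian change behind CVE-2008-0166 left the process ID as the only entropy input to OpenSSL's RNG, so per architecture each key type had only about 32,000 possible outputs; the `weak_nonce` function is an assumed model of that situation (a nonce derived only from a PID), not the real OpenSSL code path. The DSA parameters are toy-sized and generated inline with a small Miller-Rabin search so the script runs offline; the message, PID and private key are constructed sample values.

```python
"""Why CVE-2008-0166 compromised DSA keys: recovering x from a guessable nonce.

Added example, not Debian's or OpenSSL's code.  Toy DSA parameters are built
inline so this runs offline; weak_nonce() is an assumed model of a PID-only
RNG, not the actual OpenSSL md_rand code.
"""
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with fixed bases; adequate for generating toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(1)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=64, pbits=160, seed=2008):
    """Toy DSA domain parameters (p, q, g): q divides p-1, g has order q mod p."""
    rng = random.Random(seed)          # fixed seed: reproducible toy parameters
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        c = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = c * q + 1
        if is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)    # (p-1)//q == c, so g^q == 1 mod p
        if g != 1:
            return p, q, g
        h += 1


def h_int(msg, q):
    """Message hash reduced into Z_q (SHA-1, as DSA of that era used)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def sign(p, q, g, x, msg, k):
    """Textbook DSA signature with caller-supplied nonce k (1 <= k < q)."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h_int(msg, q) + x * r)) % q
    return r, s


def verify(p, q, g, y, msg, sig):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (h_int(msg, q) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_x_from_k(q, msg, sig, k):
    """s = k^-1 (H + x r)  =>  x = (s k - H) r^-1  (mod q)."""
    r, s = sig
    return ((s * k - h_int(msg, q)) * pow(r, -1, q)) % q


def recover_x_from_reused_k(q, m1, sig1, m2, sig2):
    """Two signatures sharing k (same r): s1 - s2 = k^-1 (H1 - H2) gives k."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "same k implies same r"
    k = ((h_int(m1, q) - h_int(m2, q)) * pow((s1 - s2) % q, -1, q)) % q
    return recover_x_from_k(q, m1, sig1, k)


def weak_nonce(pid, q):
    """ASSUMED model of a PID-only RNG: at most 32767 distinct nonces."""
    return int.from_bytes(hashlib.sha1(b"pid:%d" % pid).digest(), "big") % q or 1


def break_weak_signature(p, q, g, msg, sig):
    """Enumerate every PID-derived nonce until one reproduces r, then solve x."""
    r, _ = sig
    for pid in range(1, 32768):
        k = weak_nonce(pid, q)
        if pow(g, k, p) % q == r:
            return recover_x_from_k(q, msg, sig, k)
    return None


def demo():
    """Victim signs once with a PID-derived nonce; attacker recovers x."""
    p, q, g = gen_params()
    x = random.Random(42).randrange(1, q)      # constructed private key
    y = pow(g, x, p)
    msg = b"ssh login attempt"                 # constructed sample message
    sig = sign(p, q, g, x, msg, weak_nonce(4242, q))
    assert verify(p, q, g, y, msg, sig)
    return break_weak_signature(p, q, g, msg, sig) == x


if __name__ == "__main__":
    print("private key recovered:", demo())
```

The search in `break_weak_signature` is the whole attack: with a properly seeded RNG, k ranges over roughly 2^64 values here (2^160 or more for real parameters) and this loop is hopeless; with a PID-only RNG it finishes in well under a second. This is why regenerating the key pair is the only fix, and why the advisory treats any DSA key that ever signed on an affected host as compromised even if the key itself was generated elsewhere.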
