FYI
-------- Original Message --------
Subject: Urgent SSL security update from VeriSign for Debian users
Date: Tue, 20 May 2008 15:04:27 -0700
From: VeriSign <[EMAIL PROTECTED]>
Reply-To: VeriSign <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
******************************************************************************************
Linux Operating System Security Flaws May Have Compromised Your Certificates.
Replace Them Now at No Charge.
******************************************************************************************
Dear Paul,
We are writing to inform you of a recently exposed security flaw with certain versions of Linux so you may take immediate action and protect your site and your customers against any vulnerability. If you are not using Debian or one of its derivatives there is nothing you need to do.
WHO IS IMPACTED AND WHY?
For customers who used a Debian OS (or its derivatives) to generate a key pair used to request a certificate, that key pair (and the corresponding certificate) is vulnerable. This is due to a flaw in the Debian-specific random number generation that results in relatively predictable key pair values, making them highly exploitable.
VeriSign's trusted root and intermediate roots were not impacted by this incident.
WHAT CAN YOU DO?
If you are running Debian operating systems and derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008 you should deploy a recently replaced Debian patch and revoke and replace all SSL and Code Signing certificates for which the keys were created on these operating systems. Debian has released a testing tool to confirm whether your certificates are affected. This tool and other useful information can be found here:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
In addition, to ensure your site's and your customers' security, VeriSign is waiving the standard revoke and replace fee until June 30, 2008. To initiate the replacement process, please go to:
http://www.verisign.com/ssl/current-ssl-customers/manage-ssl-certificates/index.html#revoke.
FOR MORE INFORMATION.
For additional information, please visit the VeriSign Support site at
https://knowledge.verisign.com/support/ssl-certificates-support/index.html.
Sincerely,
Chris Babel
Senior Vice President, SSL
VeriSign, Inc.
--
Paul G. Allen, BSIT/SE
Owner, Sr. Engineer
Random Logic Consulting Services
www.randomlogic.com