Re: Thanks to Debian OpenSSL developers

2008-05-17 Thread s. keeling 
Izak Burger <[EMAIL PROTECTED]>:
>  On Thu, May 15, 2008 at 9:58 PM, Guido Hennecke
> <[EMAIL PROTECTED]> wrote:
> >  In Germany we say: "Wer nichts macht, macht auch nichts verkehrt".
> 
>  Which means: he who does nothing makes no mistakes. (For those who
>  don't understand German)

Danke.

   "Behold, the turtle.  He makes progress when he sticks his neck out."


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://blinkynet.net/comp/uip5.html  Linux Counter #80292
- -http://www.faqs.org/rfcs/rfc1855.htmlPlease, don't Cc: me.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Nico Golde 
Hi Vincent,
* Vincent Bernat <[EMAIL PROTECTED]> [2008-05-17 21:12]:
> OoO En ce début d'après-midi nuageux  du samedi 17 mai 2008, vers 14:15,
> Nico Golde <[EMAIL PROTECTED]> disait:
> 
> >> are there updates for this issue for old stable - sarge?
> 
> > sarge is not affected
> 
> I suppose that people may still be interested in blacklist support.
[...] 

Well, you replied to the openssl DSA...
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


pgpB5fpqW4B9j.pgp
Description: PGP signature

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Vincent Bernat 
OoO En ce début d'après-midi nuageux  du samedi 17 mai 2008, vers 14:15,
Nico Golde <[EMAIL PROTECTED]> disait:

>> are there updates for this issue for old stable - sarge?

> sarge is not affected

I suppose that people may still be interested in blacklist support.

> and besides that the security support 
> for sarge ended quite some time ago.

This is a valid reason.
-- 
 C'est pas avec la censure que tu vas censurer les censeurs.
 -+- JL in GNU : Las, censeurs pour l'échafaud -+-


pgpUQsSCET5p1.pgp
Description: PGP signature

Franz Tischler ist außer Haus.

2008-05-17 Thread Franz Tischler 

Ich werde ab  16.05.2008 nicht im Büro sein. Ich kehre zurück am
18.05.2008.

Ich werde Ihre Nachricht nach meiner Rückkehr beantworten.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Florian Weimer 
* Henrique de Moraes Holschuh:

>> It's not so much a time issue, is a question of storage (or getting that
>> data to the OpenSSH server).  A networked service would be feasible, but
>> it would also allow some sort of traffic analysis.
>
> I did mean putting a lot of brain grease on it.  Math might shorten the
> need for a monstrous lookup table quite a bit, since randomness is not
> an issue anymore.

Yes, good point.  However, some cryptographic hashing is still involved,
so this might be a rather difficult thing to do.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

dowkd.pl false positives

2008-05-17 Thread Florian Weimer 
Someone has added a warning to the wiki page
 that dowdkd.pl "produces many false
positives".

Even if there are bugs in the script, this is *very* unlikely.  Could
someone please provide such an alleged false positive?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Nico Golde 
Hi Dimitar,
* Dimitar Dobrev <[EMAIL PROTECTED]> [2008-05-17 13:48]:
> are there updates for this issue for old stable - sarge?

sarge is not affected and besides that the security support 
for sarge ended quite some time ago.

cheers
nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


pgpSXjnbZoGWN.pgp
Description: PGP signature

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Martin Marcher 
Hi,

On Sat, May 17, 2008 at 12:55 PM, Dimitar Dobrev <[EMAIL PROTECTED]> wrote:
> Hi group,
> are there updates for this issue for old stable - sarge?

>> The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
>> distribution on 2006-09-17, and has since propagated to the testing and
>> current stable (etch) distributions.  The old stable distribution
>> (sarge) is not affected.


hth
martin

-- 
http://www.xing.com/profile/Martin_Marcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Jens Schüßler 
* Dimitar Dobrev <[EMAIL PROTECTED]> wrote:
> Hi group,
>
>
> are there updates for this issue for old stable - sarge?

You should read what you quote:

> The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
> distribution on 2006-09-17, and has since propagated to the testing
> and
> current stable (etch) distributions.  The old stable distribution
^^^
> (sarge) is not affected
^^

Regards 
Jens


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Matteo Vescovi 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/17/2008 12:55 PM, Dimitar Dobrev wrote:
> Hi group,
> 
> 
> are there updates for this issue for old stable - sarge?

It was said sarge is not affected, iirc.

Greetings,

mfv


- --
Matteo F. Vescovi
System Administrator
Studio Vescovi Progettazioni
GPG Fingerprint: 8EF0 F019 80D1 96BF C9C6  387E D6DE 031F 991F 9D2D
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILsK51t4DH5kfnS0RAkBCAJwJHjWb1RsW2c9wnojgti5++pCCvwCgopJ3
3Lrdw5/2oGgSd65VZkUVCg0=
=CRZ+
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

2008-05-17 Thread Dimitar Dobrev 

Hi group,


are there updates for this issue for old stable - sarge?


Regards 



Florian Weimer wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1571-1  [EMAIL PROTECTED]
http://www.debian.org/security/   Florian Weimer
May 13, 2008  http://www.debian.org/security/faq
- 

Package: openssl
Vulnerability  : predictable random number generator
Problem type   : remote
Debian-specific: yes
CVE Id(s)  : CVE-2008-0166

Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable.  This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166).  As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian.  However, other systems
can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.  Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions.  The old stable distribution
(sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections.  Keys generated with GnuPG or GNUTLS are not affected,
though.

A detector for known weak key material will be published at:

  
  
(OpenPGP signature)

Instructions how to implement key rollover for various packages will be
published at:

  

This web site will be continously updated to reflect new and updated
instructions on key rollovers for packages using SSL certificates.
Popular packages not affected will also be listed.

In addition to this critical change, two other vulnerabilities have been
fixed in the openssl package which were originally scheduled for release
with the next etch point release: OpenSSL's DTLS (Datagram TLS,
basically "SSL over UDP") implementation did not actually implement the
DTLS specification, but a potentially much weaker protocol, and
contained a vulnerability permitting arbitrary code execution
(CVE-2007-4995).  A side channel attack in the integer multiplication
routines is also addressed (CVE-2007-3108).

For the stable distribution (etch), these problems have been fixed in
version 0.9.8c-4etch3.

For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 0.9.8g-9.

We recommend that you upgrade your openssl package and subsequently
regenerate any cryptographic material, as outlined above.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.dsc
Size/MD5 checksum: 1099 5e60a893c9c3258669845b0a56d9d9d6
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Size/MD5 checksum:  3313857 78454bec556bcb4c45129428a766c886
  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.diff.gz
Size/MD5 checksum:55320 f0e457d6459255da86f388dcf695ee20

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum:  1025954 d82f535b49f8c56aa2135f2fa52e7059
  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum:  4558230 399adb0f2c7faa51065d4977a7f3b3c4
  
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_alpha.deb
Size/MD5 checksum:  2620892 0e5efdec0a912c5ae56bb7c5d5d896c6
  
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4

Re: ssh-vulnkey and authorized_keys

2008-05-17 Thread CaT 
On Thu, May 15, 2008 at 09:03:24AM -0400, Noah Meyerhans wrote:
> On Thu, May 15, 2008 at 11:08:58AM +0300, Mikko Rapeli wrote:
> > I think, and hope, Debian openssh packages will be updated too.
> 
> Yes, expect it within hours.

I'm curious... is there a way to get ssh-vulnkey to print out the line
number of the keys it speaks of in the known_hosts file? The
information it currently provides, unless I'm missing something, doesn't
really help in identifying the known bad keys... :/

-- 
  "Police noticed some rustling sounds from Linn's bottom area
  and on closer inspection a roll of cash was found protruding
  from Linn's anus, the full amount of cash taken in the robbery."
- 
http://www.smh.com.au/news/world/robber-hides-loot-up-his-booty/2008/05/09/1210131248617.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]