Re: Does Debian OpenSSL problem affect Maemo ?
On Fri, May 16, 2008 at 1:47 PM, MoRpHeUz <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Fri, May 16, 2008 at 2:17 PM, Andrew Daviel <[EMAIL PROTECTED]> wrote:
>> I wondered if Maemo had inherited this problem.
>
> The advisories say that the versions of openssl affected are
> 0.9.8c-1 up to 0.9.8g-9. On my tablets, the version installed is 0.9.7

AFAIK the actual issue is that keys *generated* on an affected system are
vulnerable. Therefore, if you happened to generate a private/public key pair
on a host system with the affected openssl library and added the public key
to the device's /root/.ssh/authorized_keys, then the device is susceptible to
remote brute force attack [1].

Of course this requires the following:

- the device be in RD mode (not sure)
- openssh server package installed and enabled
- you manually copied a vulnerable public SSH key to the device's
  /root/.ssh/authorized_keys

[1] http://seclists.org/fulldisclosure/2008/May/0410.html

Regards,
--
Anderson Lizardo
Instituto Nokia de Tecnologia (INdT)
Manaus - Brazil
___
maemo-developers mailing list
maemo-developers@maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers
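
The check implied by the message above, as an added example that is not part of the original thread: audit an authorized_keys file against a blacklist of weak-key fingerprints. The key blobs, blacklist entry and function names are constructed for illustration, and the blacklist format (hex MD5 fingerprint of the key blob, either in full or with the first 12 characters dropped) is an assumption.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def md5_fingerprint(blob_b64):
    """Hex MD5 of the decoded public-key blob (classic SSH fingerprint, no colons)."""
    return hashlib.md5(base64.b64decode(blob_b64, validate=True)).hexdigest()

def parse_authorized_keys(text):
    """Yield (lineno, blob_b64, comment) for every key line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (from="...",no-pty) may precede the key type, so search for it.
        for i, tok in enumerate(fields[:-1]):
            if tok in KEY_TYPES:
                yield lineno, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(text, blacklist):
    """Return (lineno, comment, fingerprint) for each blacklisted key."""
    hits = []
    for lineno, blob, comment in parse_authorized_keys(text):
        try:
            fp = md5_fingerprint(blob)
        except ValueError:  # not valid base64: skip the malformed line
            continue
        if fp in blacklist or fp[12:] in blacklist:
            hits.append((lineno, comment, fp))
    return hits

def constructed_blob(seed):
    """Constructed stand-in for a key blob; not a real key."""
    raw = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()

WEAK = constructed_blob(b"generated-on-affected-host")
GOOD = constructed_blob(b"generated-elsewhere")
SAMPLE = "\n".join([
    "# constructed sample of /root/.ssh/authorized_keys",
    f"ssh-rsa {GOOD} user@laptop",
    f'from="192.0.2.10",no-pty ssh-rsa {WEAK} user@debian-host',
])
BLACKLIST = {md5_fingerprint(WEAK)[12:]}  # constructed entry, truncated form

if __name__ == "__main__":
    print(audit(SAMPLE, BLACKLIST))
```

Any key the audit reports should be removed from authorized_keys and replaced with one generated on an unaffected system.
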
Re: Does Debian OpenSSL problem affect Maemo ?
On Fri, May 16, 2008 at 3:48 PM, Eduardo Lima (Etrunko) <[EMAIL PROTECTED]> wrote:
> My key seems to be on the blacklist. I've uploaded some packages
> earlier today, but at this very moment I can't do it anymore.
> Considering that I must regenerate my key, how should I proceed to get
> it working again? I remember a page somewhere on the maemo website
> where we were able to submit our public keys, but I can't find it
> anywhere
>

Got the address: https://garage.maemo.org/account/index2.php

Best Regards,
Etrunko.
--
Eduardo de Barros Lima
INdT - Instituto Nokia de Tecnologia
[EMAIL PROTECTED]
Re: Does Debian OpenSSL problem affect Maemo ?
On Fri, May 16, 2008 at 3:39 PM, Dave Neary <[EMAIL PROTECTED]> wrote:
>
> For the tablets, I'll take MoRpHeUz'S wOrD.
>
> For maemo.org's infrastructure, garage was taken offline earlier today
> and "cleaned" - server keys were regenerated, etc. I don't know if any
> of the user keys are vulnerable on there, but I assume Ferenc's got it
> under control.

My key seems to be on the blacklist. I've uploaded some packages earlier
today, but at this very moment I can't do it anymore. Considering that I must
regenerate my key, how should I proceed to get it working again? I remember a
page somewhere on the maemo website where we were able to submit our public
keys, but I can't find it anywhere

Best Regards,
Etrunko.
--
Eduardo de Barros Lima
INdT - Instituto Nokia de Tecnologia
[EMAIL PROTECTED]
Re: Does Debian OpenSSL problem affect Maemo ?
Hi,

Andrew Daviel wrote:
> Who says reading the comics is a waste of time ?
>
> http://xkcd.com/424/ -> google "debian openssl security" ->
>
> http://metasploit.com/users/hdm/tools/debian-openssl/
>
> etc.
>
> suggesting that any certificates or SSH keys generated on a Debian system in
> the last 2 years should be regenerated.
>
> I wondered if Maemo had inherited this problem.

For the tablets, I'll take MoRpHeUz'S wOrD.

For maemo.org's infrastructure, garage was taken offline earlier today and
"cleaned" - server keys were regenerated, etc. I don't know if any of the user
keys are vulnerable on there, but I assume Ferenc's got it under control.

Cheers,
Dave.
--
maemo.org docsmaster
Email: [EMAIL PROTECTED]
Jabber: [EMAIL PROTECTED]
Re: Does Debian OpenSSL problem affect Maemo ?
Hi,

On Fri, May 16, 2008 at 2:17 PM, Andrew Daviel <[EMAIL PROTECTED]> wrote:
> I wondered if Maemo had inherited this problem.

The advisories say that the versions of openssl affected are
0.9.8c-1 up to 0.9.8g-9. On my tablets, the version installed is 0.9.7

BR,
--
---
Blog: http://labs.morpheuz.eng.br/blog/
PGP: 0xDBEEAAC3 @ wwwkeys.pgp.net
Does Debian OpenSSL problem affect Maemo ?
Who says reading the comics is a waste of time ?

http://xkcd.com/424/ -> google "debian openssl security" ->

http://metasploit.com/users/hdm/tools/debian-openssl/

etc.

suggesting that any certificates or SSH keys generated on a Debian system in
the last 2 years should be regenerated.

I wondered if Maemo had inherited this problem.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager