On Thu, 2008-05-15 at 06:31 -0700, Darrin Chandler wrote:
Can you explain why that's not effective? Do you know ssh-vulnkey (or
the Perl script) does not reliably detect bad keys?
Just to ensure I have facts separated from co-workers just going on
paranoid tangents, I checked again and asked
On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote:
Debian (and thus also Ubuntu) have released updated openssh packages
which include a new tool called ssh-vulnkey which can be used to check
the running system[1] for vulnerable keys: ssh-vulnkey works similarly
to the Perl script in the
On Thursday, 15.05.2008 at 07:11 +0200, Otto Moerbeek wrote:
On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
On
On 2008-05-15, Ben Calvert [EMAIL PROTECTED] wrote:
and it only applies if you're using keys _without_passphrase_.
Passphrases protect your on-disk copy of the key. The key can be
re-encrypted with a different key, or decrypted and written out, it's
still the same key. If you ssh-keygen -p, you
On Thu, May 15, 2008 at 05:44:32PM +0800, Tim Post wrote:
On Thu, 2008-05-15 at 10:02 +0100, Dave Ewart wrote:
Debian (and thus also Ubuntu) have released updated openssh packages
which include a new tool called ssh-vulnkey which can be used to check
the running system[1] for vulnerable
On Thu, May 15, 2008 at 12:53:06AM +, Jussi Peltola wrote:
On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
do people actually allow remote root access ? for more
On Wed, 14 May 2008, chefren wrote:
On 5/13/08 7:08 PM, Marc Espie wrote:
More details show that someone seriously fucked up in debian.
Well, this Kurt has seriously asked for details on the relevant openssl-dev
list:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
And see what
On Wed, May 14, 2008 at 12:48:41AM +0200, chefren wrote:
On 5/13/08 7:08 PM, Marc Espie wrote:
More details show that someone seriously fucked up in debian.
Well, this Kurt has seriously asked for details on the relevant openssl-dev
list:
On Tue, 13 May 2008 11:14:59 -0500
Sean Malloy [EMAIL PROTECTED] wrote:
On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
I guess everyone by now has heard about the very serious libssl
vulnerability on Debian/Ubuntu?
Just making sure that the source is safe, thanks.
On Wed, May 14, 2008 at 09:41:43AM +0200, Gabriel Linder wrote:
On Tue, 13 May 2008 11:14:59 -0500
Sean Malloy [EMAIL PROTECTED] wrote:
On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
I guess everyone by now has heard about the very serious libssl
vulnerability on
On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
Just wondering... If someone generates ssh keys with flags J or Z
set in malloc.conf(5), aren't these keys useless too (since feeding
predictable data is more or less equal to not feeding data at all) ?
feeding predictable data +
On Wed, May 14, 2008 at 08:47:38AM +0200, Otto Moerbeek wrote:
On Wed, May 14, 2008 at 12:48:41AM +0200, chefren wrote:
On 5/13/08 7:08 PM, Marc Espie wrote:
More details show that someone seriously fucked up in debian.
Well, this Kurt has seriously asked for details on the relevant
Ted Unangst wrote:
On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
Just wondering... If someone generates ssh keys with flags J or Z
set in malloc.conf(5), aren't these keys useless too (since feeding
predictable data is more or less equal to not feeding data at all) ?
A
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
Ted Unangst wrote:
On 5/14/08, Gabriel Linder [EMAIL PROTECTED] wrote:
Just wondering... If someone generates ssh keys with flags J or Z
set in malloc.conf(5), aren't these keys useless too (since feeding
predictable data is
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
A decent analysis can be found here... just to understand what can
do a comment /* */ :)
http://blog.drinsama.de/erich/en/linux/2008051401-consequences-of-sslssh-weakness.html
Are
On Wed, May 14, 2008 at 05:30:18PM -0700, Ben Calvert wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
On Thu, May 15, 2008 at 01:45:51AM +0200, raven wrote:
A decent analysis can be found here... just to understand what can
do a comment /* */ :)
On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
Are you sure that's a decent analysis? If you have a non-debian system
with the full number of keys available, what are the chances that you've
landed on one of the 32767 keys? Not very
On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
Are you sure that's a decent analysis? If you have a non-debian system
with the full number of keys available, what are the
On 5/14/08, Darrin Chandler [EMAIL PROTECTED] wrote:
Sure. Lots of those keys out there already. So is something like
ssh-vulnkey the right approach? I do have a couple of users on one of my
boxes. Mind, they're all good OpenBSD people and I really hope their
keys didn't come from a debian
On Wed, May 14, 2008 at 07:43:25PM -0700, Darrin Chandler wrote:
On Wed, May 14, 2008 at 10:22:11PM -0400, Ted Unangst wrote:
On 5/14/08, Ben Calvert [EMAIL PROTECTED] wrote:
On May 14, 2008, at 5:22 PM, Darrin Chandler wrote:
Are you sure that's a decent analysis? If you have a
On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
I guess everyone by now has heard about the very serious libssl
vulnerability on Debian/Ubuntu?
Just making sure that the source is safe, thanks.
/juan
Here is a quote from the official Debian Security announcement,
DSA-1571
On Tue, May 13, 2008 at 11:14:59AM -0500, Sean Malloy wrote:
On Tue, May 13, 2008 at 11:37:38AM -0400, Juan Miscaro wrote:
I guess everyone by now has heard about the very serious libssl
vulnerability on Debian/Ubuntu?
Just making sure that the source is safe, thanks.
/juan
Here
On Tue, May 13, 2008 at 09:41:00PM +0400, B A wrote:
Can't find relation between bug in openssl deb package and valgrind.
There is no such info in the original link as I see (DSA-1571-1).
Could you be more specific and informative?
Thank you.
Yes. Not a good idea to modify sources just for satisfying an automatic testing
tool.
Good lesson!
13.05.08, 21:53, Marc Espie [EMAIL PROTECTED]:
On Tue, May 13, 2008 at 09:41:00PM +0400, B A wrote:
Can't find relation between bug in openssl deb package and valgrind.
There is no such
Can't find relation between bug in openssl deb package and valgrind.
There is no such info in the original link as I see (DSA-1571-1).
Could you be more specific and informative?
Thank you.
13.05.08, 21:00, Marc Espie [EMAIL PROTECTED]:
More details show that someone seriously fucked up
On 5/13/08 7:08 PM, Marc Espie wrote:
More details show that someone seriously fucked up in debian.
Well, this Kurt has seriously asked for details on the relevant
openssl-dev list:
http://marc.info/?l=openssl-dev&m=114651085826293&w=2
And see what arrogant as usual Ben Laurie states: