Some people may have noticed the security alert from Debian this week: http://lists.debian.org/debian-security-announce/2008/msg00152.html

It turns out the random number generator used in OpenSSH and OpenSSL stops being very random once you comment out the allocation of unzeroed memory that provided a pool of randomness [1]. Anyone who has a Debian (including Ubuntu) machine needs to get the patches on and somehow regenerate any SSH/SSL keys they have been using.

This also has implications for SmartFrog security: anyone who runs SmartFrog in secure mode has to create their own private Certification Authority, using the initCA target of SmartFrog's build file. This target uses openssl to create certificates. Accordingly, those CAs, if they were created on a Debian-derived machine, have to be considered weak and should be replaced. If you built the CA on any RPM-based Linux system, or on a different Unix platform, there is no risk.

-Steve

[1] http://www.links.org/?p=327
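Why keys from an affected machine can be recognised and have to be replaced, as an added example (not part of the original message, and not SmartFrog or OpenSSL code): in the flawed Debian builds the process ID was effectively the only varying seed input, so the whole set of keys they could produce is small enough to enumerate and blacklist. This is a toy model; the hash-based `toy_keygen`, the helper names and the sample key names are assumptions made for illustration.

```python
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max; PIDs run from 1 to PID_MAX - 1

def toy_keygen(seed: bytes) -> bytes:
    """Stand-in for key generation: output is fully determined by the seed.
    A hash replaces the real OpenSSL PRNG and RSA key generation (assumption)."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()

def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as a blacklist would store it."""
    return hashlib.sha1(key).hexdigest()

def broken_seed(pid: int) -> bytes:
    """Model of the flawed build: the process ID is the only input that varies."""
    return pid.to_bytes(4, "big")

def healthy_seed() -> bytes:
    """Model of an unaffected build: seed drawn from the OS entropy source."""
    return os.urandom(32)

def build_blacklist() -> set[str]:
    """Enumerate every key the flawed generator can ever produce."""
    return {fingerprint(toy_keygen(broken_seed(pid))) for pid in range(1, PID_MAX)}

def audit(keys: dict[str, bytes], blacklist: set[str]) -> list[str]:
    """Return the names of keys that appear in the blacklist and must be replaced."""
    return sorted(name for name, key in keys.items() if fingerprint(key) in blacklist)

def sample_keys() -> dict[str, bytes]:
    """Constructed sample: one CA key from a flawed host, one from a healthy host."""
    return {
        "ca-built-on-debian": toy_keygen(broken_seed(4242)),
        "ca-built-on-rpm-host": toy_keygen(healthy_seed()),
    }

if __name__ == "__main__":
    blacklist = build_blacklist()
    print(len(blacklist), "distinct keys are possible from the flawed generator")
    print("replace:", audit(sample_keys(), blacklist))
```

A key that matches the blacklist offers no protection regardless of its length, which is why patching the package alone is not enough and the CA has to be regenerated.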
