[Trilug-announce] openssh vulnerability on login.trilug.org may affect you

Cristóbal Palmer cristobalpalmer at gmail.com
Tue May 13 14:27:28 EDT 2008


== Executive Summary ==

* We updated login.trilug.org because of an openssh vulnerability
* You and your personal ssh keys may still be vulnerable
* If in doubt, regenerate your personal ssh keys
* We will delete tainted authorized_keys files on Thursday at 15:00 EDT

== Full Text ==

The Ubuntu-based TriLUG host login.trilug.org (aka pilot) was affected
by USN-612-2, which was published today (link below). Both Ubuntu and
Debian were affected by a change made in Debian to the openssl
package. That change caused any keys generated on affected systems to
be predictable and therefore vulnerable to brute-force attacks.

Pilot has been updated and known-vulnerable keys will now be rejected
by the openssh server. That does not mean, however, that all keys are
clean. If you used keys for ssh, we urge you to determine whether your
keys are possibly affected by this bug and, if at all in doubt,
regenerate them.

As a further precaution, any authorized_keys files still on pilot that
are known to be compromised will be deleted effective this Thursday at
15:00 EDT. You have until then to examine your account and ask
questions if you have trouble.

== References ==

Cristóbal M. Palmer
http://tinyurl.com/3apraw "They also abandoned other volumes, later,
while fleeing from the librarians."
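
An added example, not part of the original announcement and not TriLUG's or OpenSSH's own code: one way to audit an authorized_keys file against a list of known-weak key fingerprints. The blocklist, the key material and the file content are constructed stand-ins; as the message notes, a key that is absent from such a list is not thereby proven clean.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types OpenSSH offered in 2008

def md5_fingerprint(blob_b64):
    """Hex MD5 of the decoded key blob (the classic OpenSSH fingerprint)."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()

def audit_authorized_keys(text, blocklist):
    """Return (line_number, comment, fingerprint) for each blocklisted key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." may precede the key type field.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            fp = md5_fingerprint(fields[idx + 1])
        except ValueError:
            continue  # malformed base64: not a usable key
        if fp in blocklist:
            hits.append((lineno, " ".join(fields[idx + 2:]), fp))
    return hits

def constructed_key(seed):
    """Constructed, non-functional ssh-rsa blob for this demo (not a real key)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    n = hashlib.sha256(seed).digest() * 4
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(n)
    return base64.b64encode(blob).decode()

WEAK, CLEAN = constructed_key(b"weak"), constructed_key(b"clean")
SAMPLE = "\n".join([  # constructed authorized_keys content
    "# keys for alice",
    f"ssh-rsa {CLEAN} alice@laptop",
    f'from="10.0.0.1" ssh-rsa {WEAK} alice@oldbox',
])
BLOCKLIST = {md5_fingerprint(WEAK)}  # stand-in for a published weak-key list

if __name__ == "__main__":
    for lineno, comment, fp in audit_authorized_keys(SAMPLE, BLOCKLIST):
        print(f"line {lineno}: {comment} ({fp}) is blocklisted, regenerate it")
```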
