Tuesday, May 13, 2008

OpenSSL security issue and Ubuntu response

The big news of the day is the OpenSSL security issue affecting Debian-based systems.

It is a bit of an embarrassing story: the code involved in generating keys was patched to stop valgrind complaining about some uninitialised memory.

Unfortunately, this resulted in less entropy feeding into the key generation (as far as I can gather) and so there is an easy attack on the vulnerable keys.

Now whilst this is unfortunate, I think some praise is due to the way Ubuntu has handled the issue. After hearing about the problem this afternoon, I just fired up the update-manager and checked for updates.

Sure enough, there was a full set of openssl and ssh related updates to install.

I installed these and was greeted with a helpful dialogue which explained that the host key on my machine was one of the weak ones and had been regenerated. Further, it pointed me at a new command, ssh-vulnkey, which can be used to check for bad keys.
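To make concrete both why "less entropy" matters (the paragraph above) and what a check like ssh-vulnkey actually does, here is a small added example that is not code from the post or from Debian/Ubuntu. It assumes a toy key generator whose only seed is the process ID, so it can produce at most 32768 distinct "keys" per key type; a defender can enumerate all of them, fingerprint each, and test any given key against that blocklist. The keys here are just bytes from a seeded PRNG standing in for real RSA material, and the MD5 colon-separated fingerprint mimics the ssh-keygen -l format of the time; these are simplifications of this example, not the real tool's internals.

```python
"""Toy model of a low-entropy key generator and a blocklist check.

Added example, not the post's or the distribution's own code. The
"keys" are PRNG bytes, not real key material (constructed for the demo).
"""
import hashlib
import random
import secrets

# Assumption of this toy: the only entropy is the PID, so at most this
# many distinct keys can ever be produced per key type and size.
MAX_PID = 32768


def weak_keygen(pid: int, nbytes: int = 32) -> bytes:
    """The bug: a generator whose seed is nothing but the process ID.

    Same pid -> same key, every time, on every machine.
    """
    rng = random.Random(pid)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_keygen(nbytes: int = 32) -> bytes:
    """The fix: draw key material from the OS entropy pool instead."""
    return secrets.token_bytes(nbytes)


def fingerprint(key: bytes) -> str:
    """MD5 fingerprint as colon-separated hex pairs (ssh-keygen -l style)."""
    hexdigest = hashlib.md5(key).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def build_blocklist(nbytes: int = 32) -> frozenset:
    """Enumerate every key the broken generator can emit and keep its fingerprint.

    This is the defender's precomputation: the space is small enough to
    walk exhaustively, which is exactly why the keys are unsafe.
    """
    return frozenset(
        fingerprint(weak_keygen(pid, nbytes)) for pid in range(1, MAX_PID + 1)
    )


def is_compromised(key: bytes, blocklist: frozenset) -> bool:
    """True if the key's fingerprint appears in the known-weak set."""
    return fingerprint(key) in blocklist


def audit(keys: dict, blocklist: frozenset) -> dict:
    """Map each named key (e.g. host key, authorized_keys entry) to a verdict."""
    return {name: is_compromised(key, blocklist) for name, key in keys.items()}


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample inventory: one key from the broken generator, one good.
    inventory = {
        "ssh_host_rsa_key (generated on patched box)": weak_keygen(pid=4242),
        "authorized_keys entry #1": strong_keygen(),
    }
    for name, bad in audit(inventory, blocklist).items():
        print(("COMPROMISED" if bad else "ok") + ": " + name)
```

The point of the exercise is the size of `build_blocklist()`: a few tens of thousands of fingerprints fit in memory and take under a second to compute, so every key the broken generator could ever have produced can be recognised on sight. A key from `strong_keygen()` is not in that set because its space is 2^256, not 32768. Note that a key being absent from the blocklist says only that it did not come from this particular broken generator; it is not a general statement of key quality.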

So, whilst it is more than a little unfortunate that this problem has been around for 2 years, kudos for getting the fix out so quickly and for the pain-free way it has been rolled out.
