SLUG Mailing List Archives
[SLUG] Debian SSH vulnerability: act now!
- To: slug@xxxxxxxxxxx
- Subject: [SLUG] Debian SSH vulnerability: act now!
- From: Peter Chubb <peterc@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 May 2008 09:24:00 +1000
- Organization: Gelato@UNSW
- User-agent: Wanderlust/2.15.6 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Gojō) APEL/10.7 MULE XEmacs/21.4 (patch 21) (Educational Television) (i486-linux-gnu)
Just in case anyone missed it, there's been a major vulnerability for
any SSH keys generated on a debian system over the last two years or
so ... apparently the random number generator wasn't being seeded
right, so only a few distinct keys were actually generated.
The AARNET mirror doesn't have the updated packages as of this
morning, but the Optusnet mirror does ... I suggest that
-- you install the new openssh-client package (version 1:4.7p1-9 on unstable)
-- run ssh-vulnkey -a as root to find any vulnerable keys, and get
your users to fix them.
Dr Peter Chubb http://www.gelato.unsw.edu.au peterc AT gelato.unsw.edu.au
http://www.ertos.nicta.com.au ERTOS within National ICT Australia