[Technik] [SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness

Noèl Köthe noel at debian.org
Fri May 16 10:24:59 CEST 2008


On Wednesday, 14.05.2008, 11:24 +0200, Florian Weimer wrote:

> Debian Security Advisory DSA-1576-1                  security at debian.org
> http://www.debian.org/security/                           Florian Weimer
> May 14, 2008                          http://www.debian.org/security/faq
> 
> Package        : openssh
> Vulnerability  : predictable random number generator
> Problem type   : remote
> Debian-specific: yes
> CVE Id(s)      : CVE-2008-0166

openssh updated on all machines.


> 2. Update OpenSSH known_hosts files

During the update the following host keys were regenerated (fingerprints):

h52:
1024 cd:84:61:d0:aa:4e:7f:c9:7a:e9:bb:4e:99:dc:72:ce /etc/ssh/ssh_host_dsa_key.pub

cherokee:
1024 e8:37:1a:72:35:17:cc:53:b4:e5:fb:b8:e8:03:8d:f3 /etc/ssh/ssh_host_dsa_key.pub

iowa:
1024 de:18:65:1f:90:33:7f:48:5e:91:36:37:cb:05:38:fc /etc/ssh/ssh_host_dsa_key.pub


> 3. Check all OpenSSH user keys

>    To check all keys on your system:
> 
>      sudo ssh-vulnkey -a

On the non-h0* machines there are no COMPROMISED ssh keys from our
hostmasters. On the h0* hives there are a few, whose owners we have to
email, as Michael already wrote.

> 4. Regenerate any affected user keys

> 5. Update authorized_keys files (if necessary)

> For the stable distribution (etch), these problems have been fixed in
> version 4.3p2-9etch1.  Currently, only a subset of all supported
> architectures have been built; further updates will be provided when
> they become available.

changelog:
openssh (1:4.3p2-9etch1) stable-security; urgency=critical

  * Backport from upstream:
    - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
      creation of an untrusted cookie fails; found and fixed by Jan Pechanec
      (closes: #444738).
    - CVE-2008-1483: Don't use X11 forwarding port which can't be bound on
      all address families, preventing hijacking of X11 forwarding by
      unprivileged users when both IPv4 and IPv6 are configured (closes:
      #463011).
  * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
    - Add key blacklisting support. Keys listed in
      /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
      sshd, unless "PermitBlacklistedKeys yes" is set in
      /etc/ssh/sshd_config.
    - Add a new program, ssh-vulnkey, which can be used to check keys
      against these blacklists.
    - Depend on openssh-blacklist.
    - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
      0.9.8g-9.
    - Automatically regenerate known-compromised host keys, with a
      critical-priority debconf note. (I regret that there was no time to
      gather translations.)

 -- Colin Watson <cjwatson at debian.org>  Tue, 13 May 2008 14:38:03 +0100


-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
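The check the advisory asks for in step 3 is to compare every OpenSSH key on a system against a blacklist of known-compromised keys. The script below is an added example, not code from the advisory, from Debian's ssh-vulnkey or from the openssh-blacklist package: it parses OpenSSH public-key lines (host keys, user keys, authorized_keys entries), computes the colon-separated MD5 fingerprint in the same form as the fingerprints listed above, reads the key size from the wire-format blob, and flags any key whose fingerprint appears in a blacklist. The blacklist format used here (one full MD5 fingerprint per line) is an assumption for the example; the real /etc/ssh/blacklist.TYPE-LENGTH files use their own format, so use ssh-vulnkey for the actual audit. The sample keys are constructed in the block and are not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (leading zero byte if high bit set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_pubkey_line(key_type, numbers, comment):
    """Build a constructed OpenSSH public-key line for the example (not a usable key)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(x) for x in numbers)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def parse_ssh_pubkey(line):
    """Return (key_type, bits, blob) for one 'type base64blob [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):  # walk the length-prefixed wire-format fields
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if fields[0].decode() != key_type:
        raise ValueError("key type in blob does not match line")
    if key_type == "ssh-rsa":       # fields: "ssh-rsa", e, n  -> size is bits of n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif key_type == "ssh-dss":     # fields: "ssh-dss", p, q, g, y -> size is bits of p
        bits = int.from_bytes(fields[1], "big").bit_length()
    else:
        bits = None
    return key_type, bits, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, as printed by ssh-keygen -l on OpenSSH 4.x."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_blacklist(text):
    """Parse an assumed blacklist format: one MD5 fingerprint per line, '#' comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def audit_keys(lines, blacklist):
    """Return (comment, type, bits, fingerprint, status) for every key line."""
    report = []
    for line in lines:
        key_type, bits, blob = parse_ssh_pubkey(line)
        fp = md5_fingerprint(blob)
        status = "COMPROMISED" if fp in blacklist else "Not blacklisted"
        comment = line.split(None, 2)[2] if len(line.split(None, 2)) > 2 else ""
        report.append((comment, key_type, bits, fp, status))
    return report


# Constructed sample keys (arbitrary numbers, not generated by any RNG).
SAMPLE_RSA = make_pubkey_line("ssh-rsa", [65537, (1 << 1023) | (1 << 500) | 1],
                              "sample-user@h52")
SAMPLE_DSA = make_pubkey_line("ssh-dss", [(1 << 1023) | 3, (1 << 159) | 1, 5, 7],
                              "root@cherokee")
# Constructed blacklist that lists the RSA sample so the detection path is exercised.
SAMPLE_BLACKLIST = load_blacklist(
    "# blacklist, assumed example format\n" + md5_fingerprint(parse_ssh_pubkey(SAMPLE_RSA)[2]) + "\n")


if __name__ == "__main__":
    for comment, key_type, bits, fp, status in audit_keys([SAMPLE_RSA, SAMPLE_DSA],
                                                          SAMPLE_BLACKLIST):
        print("%s: %s %d %s (%s)" % (status, key_type, bits, fp, comment))
```

Feeding real files through this (for example the lines of ~/.ssh/authorized_keys or /etc/ssh/ssh_host_dsa_key.pub) only requires reading them into the list passed to audit_keys; the fingerprint column can be compared directly against the regenerated host-key fingerprints listed in the mail when updating known_hosts.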