Re: [Nolug] Fwd: debian infrastructure ssh key logins disabled, passwords reset

From: Ron Johnson <ron.l.johnson_at_cox.net>
Date: Thu, 15 May 2008 20:49:41 -0500
Message-ID: <482CE835.8000800@cox.net>

Sure, upgrade, but only panic *if* you generated weak keys. This
script will tell you if you did.

http://security.debian.org/project/extra/dowkd/dowkd.pl.gz

On 05/15/08 19:45, Joey Kelly wrote:
> Guys,
>
> If you run Debian, Ubuntu or any Debian-based distro, this applies to
> you. Go patch your stuff.
>
> --Joey
>
> ---------- Forwarded message ----------
> From: Peter Palfrader <weasel@debian.org>
> Date: Tue, May 13, 2008 at 8:45 AM
> Subject: debian infrastructure ssh key logins disabled, passwords reset
> To: debian-devel-announce@lists.debian.org
>
>
> Hi,
>
> this email contains several important points. Please read all of it
> carefully.
>
>
> Due to the weakness in our openssl's random number generator (see the
> Debian Security Advisory #1571 from a few minutes ago[1]) that affects
> among other things ssh keys we have disabled public key auth on all
> project systems until further notice.
>
> If you operate a service on debian.org machines that requires key based
> auth for instance to transfer stuff between hosts or to push rebuilds
> please contact DSA[2] after you verified the keys in question are safe,
> or have replaced them. We can enable individual accounts' key based
> access.
>
> Export of ssh keys from the LDAP to our machines is currently disabled,
> and will be enabled only after we have cleared all ssh keys from the
> database and put reasonable safeguards in place to prevent people from
> uploading bad keys. An announcement will be made on the mailing list
> debian-infrastructure-announce[4] at such time. There is no point
> in adding new keys to the ldap right now.
>
>
>
> Since the nature of the crypto used in ssh cannot ensure confidentiality
> if either side uses weak random numbers[5] we have also randomized all
> user passwords in LDAP. Feel free to request a new one using the
> standard password recovery procedure[6], but only use the new password
> once you have upgraded your client system! (We are upgrading the
> servers at this moment.)
>
>
>
> We will also have to replace several ssh host keys. We'll try to
> keep db.d.o[7] as current as possible. Once we are done a new
> list will be posted to dia[4].
>
>
>
> We also had to replace the SSL certificate on db.debian.org because
> its CA which is operated by Software in the Public Interest (SPI) is
> known to have been created with an SSL with the bug. The new SPI
> CA can be found at the SPI's secretary page[8], its fingerprints
> signed by Joerg Jaspert's GPG key. They are:
> SHA1: AF:70:88:43:83:82:02:15:CD:61:C6:BC:EC:FD:37:24:A9:90:43:1C
> MD5: 2A:47:9F:60:BB:83:74:6F:01:03:D7:0B:0D:F6:0D:78
> [A copy of the cert is available at <URL:http://ca.debian.org/spi-cacert.crt>]
>
> Should you choose not to import SPI's root CA into your browser then
> you can just accept the new cert for db.debian.org. Its fingerprints
> are:
> SHA1: 11:0D:E1:07:19:27:36:22:C5:CD:19:D6:E6:33:44:A2:C6:61:F7:B1
> MD5: BA:6C:17:D5:38:52:80:47:A9:7F:32:BE:CF:4C:45:D4
>
> SSL certs for other services will be replaced in the next few
> hours/days as time permits.
>
>
> Thanks,
> Your Debian System Administrators
>
> 1. http://lists.debian.org/debian-security-announce/2008/msg00152.html
> 2. debian-admin@lists.debian.org, or through the request tracker[3]
> 3. http://wiki.debian.org/rt.debian.org
> 4. http://lists.debian.org/debian-infrastructure-announce/
> 5. this is pure speculation on my part, and I'd love to be proven wrong.
> Alas, I think I'm right.
> 6. http://db.debian.org/password.html
> 7. https://db.debian.org/doc-hosts.html
> 8. http://www.spi-inc.org/secretary

-- 
Ron Johnson, Jr.
Jefferson LA  USA
ESPN makes baseball players better.
___________________
Nolug mailing list
nolug@nolug.org
Received on 05/15/08
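The two checks the thread asks readers to perform are (a) compare the fingerprints of the SSH keys you accept against a list of known-weak keys, which is what the linked dowkd.pl script does, and (b) compare a downloaded certificate's MD5/SHA1 fingerprint against the colon-separated values quoted in the announcement. The script below is an added illustration of both mechanisms; it is not dowkd.pl, not Debian's code, and not anything posted in this thread. The SSH keys, the authorized_keys file, the certificate body and the "weak" list it uses are all constructed placeholders (a real audit would load the published weak-fingerprint database and a real PEM file). Fingerprints are the MD5/SHA1 colon-hex style OpenSSH and the announcement used in 2008, not the SHA256 base64 form newer ssh-keygen prints by default.

```python
import base64
import hashlib
import hmac
import re
import struct


def colon_hex(digest: bytes) -> str:
    """Format a raw digest as AA:BB:CC..., the style quoted in the announcement."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint(data: bytes, algo: str = "md5") -> str:
    """Hash raw bytes (an SSH key blob or a DER certificate) with md5 or sha1."""
    h = hashlib.new(algo)
    h.update(data)
    return colon_hex(h.digest())


def fingerprints_equal(a: str, b: str) -> bool:
    """Case-insensitive comparison that does not leak how many bytes matched."""
    return hmac.compare_digest(a.upper().encode(), b.upper().encode())


def ssh_pubkey_blob(line: str) -> bytes:
    """Return the decoded key blob from one authorized_keys / id_*.pub line.
    Leading options such as no-pty,no-port-forwarding are skipped."""
    fields = line.strip().split()
    for i, f in enumerate(fields):
        if f.startswith("ssh-") or f.startswith("ecdsa-"):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no key type field found in line")


def audit_authorized_keys(text: str, weak_fingerprints: set[str]) -> list[tuple[int, str]]:
    """Return (line number, fingerprint) for each key on the weak list.
    Blank lines and comments are ignored, as sshd ignores them."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = fingerprint(ssh_pubkey_blob(line), "md5")
        if any(fingerprints_equal(fp, w) for w in weak_fingerprints):
            hits.append((n, fp))
    return hits


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no certificate block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def cert_matches(pem: str, expected: str, algo: str) -> bool:
    """True if the PEM certificate's algo fingerprint equals the announced one."""
    return fingerprints_equal(fingerprint(pem_to_der(pem), algo), expected)


# --- constructed sample data; none of this is a real key, cert or weak-key list ---
def _mpint(v: int) -> bytes:
    # SSH mpint: big-endian, length-prefixed, with a leading 0x00 if the high bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa wire blob: string 'ssh-rsa', mpint e, mpint n (toy sizes)."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


SAMPLE_KEY_A = make_rsa_blob(65537, 0xC0FFEE123456789ABCDEF0)
SAMPLE_KEY_B = make_rsa_blob(65537, 0xDEADBEEF001122334455667)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys file",
    "ssh-rsa " + base64.b64encode(SAMPLE_KEY_A).decode() + " alice@example",
    "no-pty,no-port-forwarding ssh-rsa " + base64.b64encode(SAMPLE_KEY_B).decode() + " backup@example",
])

# Placeholder weak list: the real database is large; here we pretend key A is on it.
WEAK_FINGERPRINTS = {fingerprint(SAMPLE_KEY_A, "md5")}

SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed DER placeholder, not a real X.509 cert").decode()
              + "\n-----END CERTIFICATE-----\n")


def run_audit() -> list[tuple[int, str]]:
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)


if __name__ == "__main__":
    for n, fp in run_audit():
        print(f"line {n}: MD5 {fp} is on the weak-key list; revoke and replace it")
    announced = fingerprint(pem_to_der(SAMPLE_PEM), "sha1")  # stands in for the quoted value
    print("certificate SHA1 matches announcement:", cert_matches(SAMPLE_PEM, announced, "sha1"))
```

To use it against real data, replace SAMPLE_AUTHORIZED_KEYS with the contents of ~/.ssh/authorized_keys (and known_hosts, since the announcement says host keys are being replaced too), seed WEAK_FINGERPRINTS from the published weak-key list, and pass the downloaded spi-cacert.crt with the SHA1 or MD5 string quoted above as `expected`. Note that the blocklist approach only catches keys that appear on the list; a key generated on a patched system still needs the usual care.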
