Open source software security

Debian OpenSSL Predictable Key Vulnerability

30 November -0001

It seems Debian has introduced a critical flaw into the OpenSSL implementation that could allow an attacker to listen in on an encrypted web session or even an SSH session. What's worse is that even after an upgrade, old keys will still contain this vulnerability. This means that Debian (and Debian based systems - like Ubuntu) will have to patch/upgrade their systems and then regenerate all of their encryption keys. The Debian announcement can be found at Debian.org and the Ubuntu advisory can be found at Ubuntu.com. Update your systems as soon as you can!

Update:

It looks like code has been released to the wild to brute force ssh keys to gain unauthorized access to servers running the bad openssl code (with openssh and key authorization enabled):

http://www.milw0rm.com/exploits/5622

Note that debian has released a detector for known weak keys. Details can be found at http://www.debian.org/security/2008/dsa-1571.