13 May 2008

OpenSSL Glitch

Some time ago the Debian team applied a patch to OpenSSL and, in doing so, introduced a subtle bug that greatly weakens any key generated by the OpenSSL package, e.g. SSH or TLS/SSL keys.

Debian have corrected the bug, but any cryptographic keys generated in the interim are unacceptably weak and need to be replaced. A new version of OpenSSL is available from Debian and needs to be installed as a matter of urgency on any Debian Etch or later system. Once OpenSSL has been upgraded, all keys need to be regenerated.

The details can be found in Debian Security Advisory DSA-1571-1. Users of any Debian-based distro, such as Ubuntu, should also check whether they are affected.
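As an added example (not code from the advisory or from this post), here is one way to find out whether keys from the affected period are still in use: fingerprint every key in an authorized_keys file and flag those whose MD5 fingerprint appears in a blacklist, which is the approach Debian's own checking tool took with its published fingerprint lists. The key blobs and the blacklist below are constructed for the example; the real published lists and their file format are not taken from this page.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(b)) + b


def make_rsa_blob(e: int, n: int) -> str:
    """Build a base64 ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    def mpint(x: int) -> bytes:
        # One extra byte when the top bit would be set keeps the value positive.
        return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    return base64.b64encode(ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


def md5_fingerprint(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint of the decoded key blob (ssh-keygen -l style)."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def find_blacklisted(authorized_keys: str, blacklist: set) -> list:
    """Return 'type fingerprint comment' for every key whose fingerprint is blacklisted."""
    hits = []
    for line in authorized_keys.splitlines():
        fields = line.strip().split()
        # Skip blanks, comments and option-prefixed lines (not handled here).
        if len(fields) < 2 or not fields[0].startswith("ssh-"):
            continue
        keytype, blob = fields[0], fields[1]
        comment = fields[2] if len(fields) > 2 else ""
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append(f"{keytype} {fp} {comment}".strip())
    return hits


# Constructed sample data: tiny moduli, not real keys, so the example runs offline.
ALICE_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
BOB_BLOB = make_rsa_blob(65537, 0xDEADBEEF0011223344556677)
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + ALICE_BLOB + " alice@host",
    "ssh-rsa " + BOB_BLOB + " bob@host",
])
# Constructed blacklist standing in for the published fingerprints of weak keys.
BLACKLIST = {md5_fingerprint(ALICE_BLOB)}

if __name__ == "__main__":
    for hit in find_blacklisted(AUTHORIZED_KEYS, BLACKLIST):
        print("weak key, regenerate:", hit)
```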