Tuesday, May 13, 2008

Ubuntu and Debian users, update OpenSSL now!

It was announced today that there is a critical issue with the OpenSSL packages in Debian-based distributions such as Ubuntu:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

Be sure to check update manager and download the latest updates!


schulte said...

Also, don't forget to actually regenerate all of your cryptographic keys which have been generated in the last two years. Simply updating the package does no good on its own.

Forrest said...

schulte, good point. This morning there was a package ssl-cert that came through updates that will regenerate the keys for you. I added another screenshot. Also, I found a good post explaining how to regenerate your SSL keys if you want to do it yourself.
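
One way to find which `authorized_keys` entries need the regeneration discussed above, as an added example that is not part of the original post or its comments: it fingerprints each entry and checks it against a list of known-weak fingerprints. The sample entries, the blocklist contents and the helper `fake_blob` are constructed for illustration and are not real keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")

def fake_blob(label):
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample, not real keys; the last entry is deliberately broken
ssh-rsa {fake_blob(b'constructed-weak-key')} alice@oldbox
from="10.0.0.0/8",no-pty ssh-rsa {fake_blob(b'constructed-good-key')} bob@newbox
ssh-dss not-valid-base64!! carol@broken
"""

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 fingerprint, the form OpenSSH printed in 2008."""
    digest = hashlib.md5(base64.b64decode(b64_blob, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_line(line):
    """Return (blob, comment), skipping any options before the key type."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return fields[i + 1], " ".join(fields[i + 2:])
    return None

def audit(text, weak_fingerprints):
    """Return (lineno, status, fingerprint, comment) for every key line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        try:
            fp = md5_fingerprint(parsed[0])
        except (TypeError, ValueError):  # no key field found, or bad base64
            results.append((lineno, "UNPARSED", None, line))
            continue
        status = "REGENERATE" if fp in weak_fingerprints else "not listed"
        results.append((lineno, status, fp, parsed[1]))
    return results

WEAK = {md5_fingerprint(fake_blob(b"constructed-weak-key"))}  # constructed blocklist

if __name__ == "__main__":
    print(*audit(SAMPLE_AUTHORIZED_KEYS, WEAK), sep="\n")
```

Entries reported as `UNPARSED` deserve a manual look rather than being treated as safe, and a key marked `REGENERATE` has to be replaced on every host that trusts it, not only where it was created.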