There's a problem in Debian's version of OpenSSL, with a predictable random number generator. The announcement is here:
http://lists.debian.org/debian-secur.../msg00152.html. The problem makes key material, such as OpenVPN keys and SSH public-key authentication keys, vulnerable, and you need to replace the keys generated with old versions.
Does this problem exist on Ubuntu too?
EDIT bodhi.zazen: Adding information so that people do not need to read the entire thread for some basic information.
1. There are a few tools to check your ssh keys, most are affected so be warned.
ssh-vulnkey is included in the update of openssh-server.
On a Debian/Ubuntu box with ssh server installed:
Code:
sudo apt-get update && sudo apt-get dist-upgrade
apt-get dist-upgrade will install the packages (apt-get upgrade *may* show the packages are held).
You can then run:
Code:
sudo ssh-vulnkey -a
If you see "Not Blacklisted: xxx.yyy.zzz /path/to/key" you are ok.
The update will regenerate your server keys.
2. If you are updating ssh keys on a remote server, be careful. When the ssh keys are regenerated *some* users have lost the ssh connection. If you use keys to ssh into the server, first make sure you have alternate access to the server (temporarily allow logins with password?) until new keys are in place.
EDIT 2 bodhi.zazen: for clarification:
This vulnerability affects more than ssh: ntp, imap, pop, smtp, tls, certificate authorities for pgp, openVPN, web servers with SSL, and more. Basically, anybody that used an SSL key generated.
More info can be found at
http://www.debian.org/security/key-rollover/
~ Thanks Conficio for the clarification and link
bodhi.zazen
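To show what the `ssh-vulnkey -a` check above is actually doing, here is an added example (not code from the thread or from the openssh package): it computes the classic MD5 fingerprint of an OpenSSH public-key line and looks it up in a blacklist. The blacklist format is an assumption taken from the openssh-blacklist package (entries are the fingerprint with its first 12 hex characters dropped, in files such as /usr/share/ssh/blacklist.RSA-2048); the keys and the blacklist below are constructed samples, not real keys.

```python
import base64
import hashlib


def build_rsa_blob(e: int, n: int) -> bytes:
    """Pack an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b

    def mpint(v: int) -> bytes:
        # Extra byte guarantees a leading 0x00 when the top bit would be set.
        return ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))

    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys / id_rsa.pub style line: '<type> <base64> <comment>'."""
    return "ssh-rsa " + base64.b64encode(build_rsa_blob(e, n)).decode() + " " + comment


def md5_fingerprint(line: str) -> str:
    """32-hex-char MD5 of the decoded key blob (the old colon-separated
    OpenSSH fingerprint, without the colons)."""
    return hashlib.md5(base64.b64decode(line.split()[1])).hexdigest()


def is_blacklisted(line: str, blacklist_lines) -> bool:
    """ASSUMPTION: each blacklist entry is the fingerprint minus its first 12
    hex chars (20 chars per line); lines starting with '#' are comments."""
    tail = md5_fingerprint(line)[12:]
    entries = {l.strip() for l in blacklist_lines if l.strip() and not l.startswith("#")}
    return tail in entries


def check(line: str, blacklist_lines) -> str:
    """Report in the style of the thread: '<status>: <fingerprint> <comment>'."""
    status = "COMPROMISED" if is_blacklisted(line, blacklist_lines) else "Not Blacklisted"
    return f"{status}: {md5_fingerprint(line)} {line.split()[2]}"


# Constructed sample keys (tiny moduli, not cryptographically meaningful).
WEAK_KEY = pubkey_line(65537, 0xC0FFEE1234567, "weak@example")
GOOD_KEY = pubkey_line(65537, 0xDEADBEEF987654321, "good@example")
# Constructed blacklist in the assumed format, seeded with the "weak" key.
BLACKLIST = ["# constructed sample blacklist", md5_fingerprint(WEAK_KEY)[12:]]

if __name__ == "__main__":
    for key in (WEAK_KEY, GOOD_KEY):
        print(check(key, BLACKLIST))
```

Against a real system the blacklist_lines would come from the installed blacklist file matching the key type and size, and a COMPROMISED result means the key must be regenerated and the old one removed from every authorized_keys it was copied to.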