May 14, 2008
Where's the Open?
Ok, so it seems that the whirlwind on OpenSSL has settled down a bit. Posts about it are coming from everywhere, ranging from rants on package maintenance to blame-pointing on both upstream and packager sides. And, of course, Slashdot.
Where does all this leave the end user? Well, probably not much except to
regenerate weak SSH keys with the new openssh-server (now enhanced with
openssh-blacklist, see the new advisory) and hope to $DEITY all gets
well soon. And maybe, just maybe, a minor suspicion that other Debian-packaged
software may be "tainted" with a similar blemish (that is, patches that are
supposed to fix something, applied with upstream's blessing, and yet not really
audited enough to ensure that both the functionality AND the security of the
system are maintained.)
Obviously, there are going to be some adjustments to be made on the Debian side.
But I do hope to $DEITY that major revamps happen on the OpenSSL side
as well, in particular on clarifying their public channels for reaching upstream
developers (read: publish openssl-team@openssl.org properly, given that it is
the legitimate upstream contact endpoint,) and keeping a closer eye on
the vendors who package their software (yeah, it may not be an obligation at
all for OpenSSL, but heck, their vendors are users, too!) Upstream may be
free not to partake in a social contract like Debian's, but they shouldn't
lose sight of the fact that vendors nevertheless aggregate continuing and
potential users (aside from being users themselves) for their benefit.
More importantly though, delivering FOSS is a community effort. Sure, it's easy to put blame now, but in the end, the blame isn't as important as the real cause and effects of the problem/bug/issue are. Better to move on and work together towards a real fix, rather than the bickering that currently passes for FOSS entertainment.
Tags: community, debian, linux, openssh, openssl. | Posted at: 11:31 | 2 Comments/Trackbacks.
May 13, 2008
OpenSSL Ouch
I won't repeat it here, but there's DSA-1571-1 waiting for your attention,
especially if you generated any key material with openssl over the last couple of
years or so. Yes, you read it right: COUPLE.
Upgrading to the new OpenSSL is easy. Generating new keys is another story.
To save (or add to, depending on how you handle this) your pain, there is a simple checker that can currently tell whether your OpenSSH or OpenVPN public keys are weak enough to warrant replacement. I await a version that can handle X.509 certificates too (though I only just generated a new one today, before the announcement, so that means I have to do it again and get its CSR to CACert for signing, etc.)
And yeah, if you're running openssh-server, consider regenerating your host RSA and DSA keys, e.g.:
# mv /etc/ssh/ssh_host_{dsa,rsa}_key* /some/place/else
# dpkg-reconfigure -plow openssh-server
That should regenerate your keys and restart openssh-server once the new keys
are installed to /etc/ssh.
The hard part (of making sure all the keys of your systems are updated and tested) is still up to you, however.
UPDATE: The Debian wiki has up-to-date information regarding other packages that generate SSH/SSL keys at postinst. Please refer to that while the key-rollover page isn't up yet.
UPDATE 2: openssh-server has been updated (see the corresponding
DSA-1576-1) and is now linked against the updated OpenSSL library. Be sure to
upgrade! The new package also pulls in openssh-blacklist, a new package
that contains the database needed by the new ssh-vulnkey for checking SSH
public keys.
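An added illustration, in Python, of the kind of lookup ssh-vulnkey performs against the openssh-blacklist database; this is example code written for this post, not the post's own commands or Debian's tools. The keys are constructed with placeholder moduli, and the blacklist layout is simplified to one MD5-fingerprint suffix (20 hex characters) per line, which is an assumption about the real files.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> <comment>' line.
    The modulus n is a constructed placeholder here, not a usable RSA key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 over the base64-decoded key blob, colon-separated as ssh-keygen -l showed it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def load_blacklist(text: str) -> set:
    """Parse a blacklist: one 20-hex-char fingerprint suffix per line, '#' comments (assumed layout)."""
    lines = (line.strip().lower() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def is_blacklisted(pubkey_line: str, blacklist: set) -> bool:
    """ssh-vulnkey-style lookup: the last 80 bits of the fingerprint identify a weak key."""
    return md5_fingerprint(pubkey_line).replace(":", "")[-20:] in blacklist

# Constructed sample keys (placeholder moduli) and a blacklist built from the
# first one, so the check can be exercised offline.
WEAK_KEY = make_rsa_pubkey_line(65537, 0xD3ADBEEFCAFEF00D1234567890ABCDEF, "weak@example")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xF00DFACEDEADC0DE0FEDCBA987654321, "good@example")
BLACKLIST_TEXT = ("# constructed sample, not the real openssh-blacklist data\n"
                  + md5_fingerprint(WEAK_KEY).replace(":", "")[-20:] + "\n")
BLACKLIST = load_blacklist(BLACKLIST_TEXT)

if __name__ == "__main__":
    for key in (WEAK_KEY, GOOD_KEY):
        verdict = "COMPROMISED" if is_blacklisted(key, BLACKLIST) else "Not blacklisted"
        print(verdict, md5_fingerprint(key), key.split()[-1])
```

Point is_blacklisted at the lines of an authorized_keys or known_hosts file to sweep a whole system, which is the tedious part the post leaves to you.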
Tags: debian, linux, openssh, openssl, perl, remote, vulnerability. | Posted at: 16:32 | 13 Comments/Trackbacks.