In [http://lists.debian.org/debian-security-announce/2008/msg00152.html Debian Security Advisory 1571-1] (New openssl packages fix predictable random number generator), the Debian Security Team disclosed a vulnerability in the openssl package that makes many cryptographic keys that are used for authentication (e.g. through SSH) or signing (e.g. web server certificates) potentially vulnerable.

End User Summary

Characteristics of potentially vulnerable keys:

Applications/protocols known to use these keys:

To fix this, first run {{{aptitude update && aptitude upgrade}}} to install the new version of the openssl package (the vulnerability is fixed in openssl version 0.9.8c-4etch3 for etch and version 0.9.8g-9 for lenny/sid).

Then, regenerate and distribute any potentially vulnerable keys. Instructions for how to regenerate the keys for these applications are below.

OpenSSH (Server)

{{{
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
}}}

Note that your users will see an "IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!" warning when they next log on to your ssh server, because the host key has changed. They will need to edit $HOME/.ssh/known_hosts to remove the offending line before continuing, and should of course check that the key fingerprint is correct.

OpenSSH (Client)

You will need a list of the openssh keys that you currently have and where they have been copied to. For each key that is vulnerable:

{{{
cd ~/.ssh
ssh-keygen -t rsa -f filename
ssh-copy-id -i filename hostname
}}}

Replace rsa with dsa if you prefer dsa keys, and replace filename and hostname with appropriate values.
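One way to build the list of keys mentioned above, as an added example that is not part of the original page: it reads public-key or authorized_keys lines and reports each key's type, size and MD5 fingerprint (the colon-separated form that {{{ssh-keygen -l -E md5}}} prints), so every copy of a key can be tracked down and replaced. The names describe_key and inventory are hypothetical, and the sample key is constructed filler, not a real key.

```python
import base64, hashlib, struct, sys

def _s(b):  # length-prefixed string as used in the key blob (RFC 4253)
    return struct.pack(">I", len(b)) + b

# Constructed sample, not a real key: exponent 65537, 1024-bit filler modulus.
SAMPLE_BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xc3" * 128)
SAMPLE_LINE = "ssh-rsa %s alice@laptop (constructed)" % base64.b64encode(SAMPLE_BLOB).decode()

def _read_string(blob, off):
    """Read one length-prefixed field; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def describe_key(line):
    """(type, bits, md5 fingerprint, comment) for one key line, else None."""
    fields = line.split()
    # authorized_keys lines may start with options, so locate the key type.
    idx = next((i for i, f in enumerate(fields[:-1]) if f in ("ssh-rsa", "ssh-dss")), None)
    if idx is None:
        return None
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        name, off = _read_string(blob, 0)
        if name != fields[idx].encode():
            return None
        size_field, off = _read_string(blob, off)      # RSA: e   DSA: p
        if name == b"ssh-rsa":
            size_field, off = _read_string(blob, off)  # RSA: n (the modulus)
    except ValueError:  # bad base64 or truncated blob
        return None
    bits = int.from_bytes(size_field, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return fields[idx], bits, fingerprint, " ".join(fields[idx + 2:])

def inventory(lines):
    """Describe every parseable key line, skipping comments and blanks."""
    return [key for key in map(describe_key, lines) if key]

if __name__ == "__main__":
    # Pass .pub / authorized_keys paths; with none, the sample is shown.
    lines = [l for p in sys.argv[1:] for l in open(p)] or [SAMPLE_LINE]
    for ktype, bits, fp, comment in inventory(lines):
        print(bits, fp, comment, "(%s)" % ktype)
```

Run it over ~/.ssh/*.pub locally and over ~/.ssh/authorized_keys on each host; matching fingerprints show where a given key has been copied.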

OpenVPN

BIND9

Technical Summary

(If you want to add more technical details that an end-user doesn't need to know or isn't likely to understand, please add them here rather than making the above summary impossible for the average user to understand.)