NEWS FROM THE LAB - Friday, May 16, 2008

Debian OpenSSL Vulnerability Posted by Vulnerabilities @ 10:07 GMT

Debian's OpenSSL package, versions 0.9.8c-1 up to 0.9.8g-9, is affected by a highly critical vulnerability that causes weak cryptographic keys to be generated and can lead to compromise of the system.

The vulnerability is due to the random number generator in Debian's OpenSSL package being far more predictable than intended, which lets an attacker brute-force the limited set of possible outputs and recover cryptographic keys used in SSH, OpenVPN, DNSSEC and X.509 certificates, as well as session keys used in SSL/TLS connections.

Separately, an unspecified weakness in the Datagram Transport Layer Security (DTLS) implementation can be exploited by remote attackers to cause a denial of service condition and potentially compromise the vulnerable system.

To mitigate, update the OpenSSL package from Debian and recreate all cryptographic keys: installing the fixed package repairs the generator but does nothing for keys that were already produced by the weak one.
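The following added example (not code from the original post, and not OpenSSL's or Debian's generator) shows why a patch alone is not enough and how an audit for affected keys works. It uses a constructed toy generator, `weak_keygen`, whose only entropy is a hypothetical 15-bit seed, so the entire set of keys it can ever produce can be fingerprinted in advance; `is_weak_key` then checks any candidate key against that precomputed set. Debian's openssl-blacklist package and the `ssh-vulnkey` tool applied the same blacklist idea against the real affected key sets. All names, the seed space and the derivation are assumptions of this example.

```python
import hashlib
import os

# Constructed toy: a generator whose only entropy is a 15-bit seed value.
# Hypothetical stand-in for a poorly seeded PRNG, not OpenSSL's or Debian's code.
SEED_SPACE = 1 << 15


def weak_keygen(seed: int, nbytes: int = 32) -> bytes:
    """Derive key bytes deterministically from a small seed (broken by design)."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the toy generator's seed space")
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        # Same seed always yields the same stream: no entropy beyond the seed.
        block = hashlib.sha256(seed.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:nbytes])


def strong_keygen(nbytes: int = 32) -> bytes:
    """Properly seeded key material from the OS CSPRNG, for comparison."""
    return os.urandom(nbytes)


def fingerprint(key: bytes) -> str:
    """Fingerprint used to match keys without storing them in full."""
    return hashlib.sha256(key).hexdigest()


def build_blacklist(nbytes: int = 32) -> set:
    """Precompute fingerprints of every key the weak generator can ever emit.

    Feasible only because the seed space is tiny; a properly seeded generator
    has far too many possible outputs to enumerate.
    """
    return {fingerprint(weak_keygen(seed, nbytes)) for seed in range(SEED_SPACE)}


def is_weak_key(key: bytes, blacklist: set) -> bool:
    """Audit check: does this key fall inside the exhausted weak seed space?"""
    return fingerprint(key) in blacklist


def distinct_outputs(keys) -> int:
    """Count distinct keys in a sample; the weak generator can never exceed SEED_SPACE."""
    return len({fingerprint(k) for k in keys})


if __name__ == "__main__":
    bl = build_blacklist()
    print("blacklist size:", len(bl))
    print("key from weak generator flagged:", is_weak_key(weak_keygen(1234), bl))
    print("freshly generated key flagged:", is_weak_key(strong_keygen(), bl))
```

The audit only needs the blacklist of fingerprints, never the keys themselves, which is why such a list can be shipped to administrators: every key that matches must be replaced, and replacing it with the patched generator is what finally closes the gap.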

For more information read our vulnerability report and Debian's announcement.