ssh to svn.gnome.org/master.gnome.org back




NOTE: still can't log in? you'll get mail shortly







On Fri, May 16, 2008 at 09:46:08AM +0200, Olav Vitters wrote:
> Read this if you have a GNOME (ssh) account and it isnʼt working and you
> want to know why.
> 
> Due to a Debian security issue weʼve locked down the machines for public
> key authentication. See the announcement by Guilherme de S. Pastore to
> devel-announce-list below. Please ensure youʼre subscribed to that list
> (as we expect people to be)! Generally announcements are spread via
> Planet GNOME as well, but that is more of an extra service.
> 
> Please contact accounts gnome org if you have either:
> * Used a DSA key on a Debian/Ubuntu machine affected by the security
>   issue
> * Generated a DSA/RSA key on an affected Debian/Ubuntu machine
> 
> Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red
> Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu
> machine (meaning: sshʼed from that machine, not to such a machine), you
> are affected as well. So please replace your key in such cases as well.
> 
> Current plan: Weʼll (well, Owen) remove all blacklisted SSH keys that we
> can find and inform affected people. This is to avoid the greatest security
> issues. Not sure yet what weʼll do about the DSA keys (they could be
> compromised now or in future whenever theyʼre used on an affected
> Debian/Ubuntu machine).
> 
> Closing: Iʼm unfortunately way too busy to really help the sysadmins
> working on this.. plus the accounts people replacing the SSH keys.
> Thanks to everyone whoʼs helping.
> 
> On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> > As some of you have probably been made aware of somehow by now, the 
> > Debian openssl package introduced an incorrect change in version 
> > 0.9.8c-1, available since September 2007 and distributed with the 
> > current stable release "etch", which resulted in the output of the 
> > random number generator being predictable, as per CVE-2008-0166.
> > 
> > That directly affects openssh, and any key generated on Debian or 
> > Debian-derived systems from then until the recent security updates (on 
> > Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially 
> > compromised.
> > 
> > It should be obvious from the start that we are exposed to risk by the 
> > number of developers we have that use Debian or Ubuntu systems, and we
> > have run individual tests to reach the conclusion that we do, indeed,
> > have this kind of key installed on the GNOME servers. Hence, I regret to 
> > inform that key authentication to GNOME machines has been disabled some 
> > minutes ago for safety. We will be working on putting mechanisms into 
> > place that allow for blacklisting upon authentication, so that the
> > insecure keys are selectively disabled and we can resume normal operation
> > as soon as possible.
> > 
> > It is worth noting, however, that, for all we currently know, not all 
> > cases can be detected by the algorithms we have, which would make it 
> > insufficient to just remove the keys we know to be broken or blacklist 
> > them. Therefore, it is EXTREMELY important that, if you think your key 
> > has been generated in a system affected by this bug at the time, you 
> > have your system updated, regenerate your SSH keys and get them replaced 
> > by mailing accounts gnome org 
> > 
> > The Infrastructure Team may see a need to go a bit further than I have 
> > described in due course, but new announcements will be sent out if that
> > is the case.
> > 
> > We are sorry for the inconvenience, and hope not to have to disturb 
> > development for long or delay the next tarballs due date.
> > 
> > Yours,
> > 
> > --
> > Guilherme de S. Pastore
> > The GNOME Sysadmin Team
> > _______________________________________________
> > gnome-hackers mailing list
> > gnome-hackers gnome org
> > http://mail.gnome.org/mailman/listinfo/gnome-hackers
> 
> -- 
> Regards,
> Olav

-- 
Regards,
Olav
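
The key clean-up described in this thread, sketched as an added example (not part of the original mails and not the GNOME sysadmins' tooling): it audits an `authorized_keys` file against a blacklist and marks DSA keys for review, since a blacklist cannot clear them. Assumptions: the blacklist is a set of full MD5 fingerprints of the key blobs, the function names are hypothetical, and the sample keys are constructed placeholders rather than real key material.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def fingerprint(blob_b64):
    """Legacy OpenSSH-style fingerprint: MD5 over the decoded key blob."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()

def parse_line(line):
    """Return (key_type, blob_b64, comment), or None if the line holds no key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Skip a leading options field; spaces inside "..." do not end it.
        in_quotes, rest = False, ""
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                rest = line[i:].lstrip()
                break
        line = rest
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return fields[0], fields[1], fields[2] if len(fields) > 2 else ""

def audit(text, blacklist):
    """Return [(verdict, key_type, comment)] for every key in the file."""
    results = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob, comment = parsed
        if fingerprint(blob) in blacklist:
            verdict = "remove"   # fingerprint is on the weak-key list
        elif key_type == "ssh-dss":
            verdict = "review"   # a blacklist cannot clear a DSA key
        else:
            verdict = "keep"     # not listed; not proof the key is sound
        results.append((verdict, key_type, comment))
    return results

def _blob(label):  # constructed stand-in for a real public-key blob
    return base64.b64encode(label.encode()).decode()

WEAK, DSA, GOOD = _blob("weak-rsa"), _blob("some-dsa"), _blob("good-rsa")
BLACKLIST = {fingerprint(WEAK)}  # constructed blacklist with one entry
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {WEAK} alice@etch",
    f'command="svnserve -t",no-pty ssh-dss {DSA} bob@fedora',
    f"ssh-rsa {GOOD} carol's laptop",
])
```
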

