Debian Security Alert 1576 and GNOME machines

As some of you have probably been made aware of somehow by now, the 
Debian openssl package introduced an incorrect change in version 
0.9.8c-1, available since September 2007 and distributed with the 
current stable release "etch", which resulted in the output of the 
random number generator being predictable, as per CVE-2008-0166.

That directly affects openssh, and any key generated on Debian or 
Debian-derived systems from then until the recent security updates (on 
Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially 

It should be obvious from the start that we are exposed to risk by the 
number of developers we have that use Debian or Ubuntu systems, and we
have run individual tests to reach the conclusion that we do, indeed,
have this kind of key installed on the GNOME servers. Hence, I regret to 
inform that key authentication to GNOME machines has been disabled some 
minutes ago for safety. We will be working into putting mechanisms into 
place that allow for blacklisting upon authentication, so that the
insecure keys are selectively disabled and we can resume normal operation
as soon as possible.

It is worth noting, however, that, for all we currently know, not all 
cases can be detected by the algorithms we have, which would make it 
insufficient to just remove the keys we know to be broken or blacklist 
them. Therefore, it is EXTREMELY important that, if you think your key 
has been generated in a system affected by this bug at the time, you 
have your system updated, regenerate your SSH keys and get them replaced 
by mailing accounts gnome org 

The Infrastructure Team may see a need to go a bit further than I have 
described in due course, but new announcements will be sent out if that
is the case.

We are sorry for the inconvenience, and hope not to have to disturb 
development for long or delay the next tarballs due date.


Guilherme de S. Pastore
The GNOME Sysadmin Team

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]