
Re: [LUG] FWD: [USN-612-2] OpenSSH vulnerability

 

On Tue, 2008-05-13 at 21:06 +0100, Neil Williams wrote:
> On Tue, 2008-05-13 at 18:29 +0100, Rob Beard wrote:
> > Hi folks,
> > 
> Ubuntu has a new package already but I'm waiting for the fix in Debian -
> which will propagate into Ubuntu too.
> 
> No GnuPG keys are affected - this is specific ONLY to SSH.
> 
> I suspect this will cause an appreciable delay to the release of Lenny.

The Debian package has been updated, it is now propagating through the
buildd systems and thence to the mirrors. Look for openssh (1:4.7p1-9).

http://packages.qa.debian.org/o/openssh/news/20080513T150212Z.html

Note that this release is described as "mitigating" not "fixing".

  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8.
  * Mitigate OpenSSL security vulnerability (CVE-2008-0166):
    - Add key blacklisting support. Keys listed in
      /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
      sshd, unless "PermitBlacklistedKeys yes" is set in
      /etc/ssh/sshd_config.
    - Add a new program, ssh-vulnkey, which can be used to check keys
      against these blacklists.
    - Depend on openssh-blacklist.
    - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
      0.9.8g-9.
    - Automatically regenerate known-compromised host keys, with a
      critical-priority debconf note. (I regret that there was no time to
      gather translations.)

Needless to say, PermitBlacklistedKeys should not be 'yes' in
~/.ssh/config, and all SSH keys must be checked with ssh-vulnkey before
using them for any form of SSH activity.

Be careful out there. Pay attention to future advisory notices and avoid
using SSH until the issues are resolved.

-- 
Neil Williams <linux@xxxxxxxxxxxxxx>

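The changelog quoted above describes the mechanism (a per-type/per-size blacklist file, consulted by sshd and by ssh-vulnkey) but not how a key is looked up in it. The following is an added example written for this page, not code from the Debian openssh package or from the list post, that re-implements the lookup in Python so the behaviour can be seen end to end. It assumes the openssh-blacklist file format is one entry per line, each entry being the last 20 hex digits (low 80 bits) of the key's MD5 fingerprint, i.e. the 32-digit fingerprint with its first 12 digits dropped; that detail is stated in the code as an assumption. The sample keys and blacklist entries are constructed for the demonstration and are not real compromised keys.

```python
"""Toy re-implementation of the openssh-blacklist lookup performed by
Debian's patched sshd and by ssh-vulnkey (CVE-2008-0166 mitigation).

Added example, not code from the Debian package or the list post.
Assumptions (not stated in the post):
  * /etc/ssh/blacklist.TYPE-LENGTH holds one entry per line, each entry
    being the last 20 hex digits (low 80 bits) of the key's MD5 fingerprint,
    i.e. the 32-digit fingerprint with the first 12 digits dropped;
  * the sample keys and blacklist below are constructed for the demo and
    are not real key pairs or real compromised keys.
"""
import base64
import bisect
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading zero byte if the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> comment' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line: str):
    """Return (family, bits, blob) for an ssh-rsa or ssh-dss public key line."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)

    def read_string(off):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + length], off + 4 + length

    wire_type, off = read_string(0)
    if wire_type.decode() != ktype:
        raise ValueError("key type field does not match blob")
    if wire_type == b"ssh-rsa":
        _e, off = read_string(off)
        n, _ = read_string(off)
        return "RSA", int.from_bytes(n, "big").bit_length(), blob
    if wire_type == b"ssh-dss":
        p, _ = read_string(off)          # DSA key size is the size of p
        return "DSA", int.from_bytes(p, "big").bit_length(), blob
    raise ValueError("unsupported key type %r" % ktype)


def blacklist_entry(blob: bytes) -> str:
    """Low 80 bits of the MD5 fingerprint: the form assumed for blacklist files."""
    return hashlib.md5(blob).hexdigest()[12:]


def blacklist_filename(family: str, bits: int) -> str:
    """Which /etc/ssh/blacklist.TYPE-LENGTH file applies to this key."""
    return "blacklist.%s-%d" % (family, bits)


def is_blacklisted(line: str, blacklists: dict) -> bool:
    """What ssh-vulnkey answers: is this key listed for its type and size?"""
    family, bits, blob = parse_pubkey_line(line)
    entries = blacklists.get(blacklist_filename(family, bits), [])
    entry = blacklist_entry(blob)
    i = bisect.bisect_left(entries, entry)   # files are sorted; binary search
    return i < len(entries) and entries[i] == entry


def sshd_accepts_key(line, blacklists, permit_blacklisted_keys=False):
    """Authentication decision with and without 'PermitBlacklistedKeys yes'."""
    if permit_blacklisted_keys:
        return True                          # the unsafe override
    return not is_blacklisted(line, blacklists)


# Constructed sample keys: well-formed 2048-bit RSA blobs, not real key pairs.
COMPROMISED_KEY = make_rsa_pubkey_line(65537, (1 << 2047) | 1, "weak@example")
CLEAN_KEY = make_rsa_pubkey_line(65537, (1 << 2047) | 3, "ok@example")

# Constructed blacklist (a real one comes from the openssh-blacklist package).
BLACKLISTS = {
    "blacklist.RSA-2048": sorted([
        blacklist_entry(parse_pubkey_line(COMPROMISED_KEY)[2]),
        "0123456789abcdef0123",              # filler entries
        "fedcba9876543210fedc",
    ]),
}

if __name__ == "__main__":
    for name, key in (("compromised", COMPROMISED_KEY), ("clean", CLEAN_KEY)):
        print(name, "blacklisted:", is_blacklisted(key, BLACKLISTS),
              "accepted by default sshd:", sshd_accepts_key(key, BLACKLISTS))
```

The point to take from the lookup is that it is keyed on type and length: a key is only checked against the blacklist file matching its own TYPE-LENGTH, so a blacklist package that lacks a file for some size gives no protection for keys of that size, and the PermitBlacklistedKeys override bypasses the check entirely.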

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html