[lotuseclat79]

Slashdot article here.

The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu.

For Ubuntu, this means you must first update your repositories with:
$ sudo apt-get update
Note: you may possibly need to run the command twice to resolve duplicates)

Then do the upgrade.

-- Tom

P.S. Related Ubuntu Security Notices (dated May 13, 2008):
Ubuntu Security Notice USN-612-1 (SSL)
Ubuntu Security Notice USN-612-2 (SSH)
Ubuntu Security Notice USN-612-3 (VPN)

[tomdkat]

Thanks for the link. I actually updated my Ubuntu system recently with this update.

I wonder what the OpenSSL maintainers think about this. The Slashdot article didn't mention anything about comments from the OpenSSL maintainers.

Peace...

[lotuseclat79]

Ubuntu Security Notice USN-612-4. (dated May 14, 2008)

USN-612-1 fixed vulnerabilities in openssl. This update provides the corresponding updates for ssl-cert -- potentially compromised snake-oil SSL certificates will be regenerated.

-- Tom

[lotuseclat79]

Ubuntu Security Notice USN-612-5.

=========================================================== Ubuntu Security Notice USN-612-5 May 14, 2008 openssh update https://launchpad.net/bugs/230029 http://www.ubuntu.com/usn/usn-612-2 =========================================================== A This security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 7.04:
openssh-client 1:4.3p2-8ubuntu1.4
openssh-client-udeb 1:4.3p2-8ubuntu1.4
Ubuntu 7.10:
openssh-client 1:4.6p1-5ubuntu0.5
openssh-client-udeb 1:4.6p1-5ubuntu0.5
Ubuntu 8.04 LTS:
openssh-client 1:4.7p1-8ubuntu1.2
openssh-client-udeb 1:4.7p1-8ubuntu1.2

After performing a standard system upgrade, users are encouraged to re-run ssh-vulnkey on their systems.

-- Tom

[lotuseclat79]

=========================================================== Ubuntu Security Notice USN-612-6 May 14, 2008 openvpn regression https://launchpad.net/bugs/230193 https://launchpad.net/bugs/230208 http://www.ubuntu.com/usn/usn-612-3 =========================================================== A This security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 7.04:
openssl-blacklist 0.1-0ubuntu0.7.04.2
openvpn 2.0.9-5ubuntu0.2
Ubuntu 7.10:
openssl-blacklist 0.1-0ubuntu0.7.10.2
openvpn 2.0.9-8ubuntu0.2
Ubuntu 8.04 LTS:
openssl-blacklist 0.1-0ubuntu0.8.04.2
openvpn 2.1~rc7-1ubuntu3.2

After a standard system upgrade you need to restart openvpn to effect the necessary changes.

-- Tom

[lotuseclat79]

=========================================================== Ubuntu Security Notice USN-612-7 May 20, 2008 openssh update CVE-2008-0166 ===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS: openssh-server 1:4.2p1-7ubuntu3.4

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-612-2 introduced protections for OpenSSH, related to the OpenSSL vulnerabilities addressed by USN-612-1. This update provides the corresponding updates for OpenSSH in Ubuntu 6.06 LTS. While the OpenSSL in Ubuntu 6.06 is not vulnerable, this update will block weak keys generated on systems that may have been affected themselves.

Original advisory details:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

-- Tom

[lotuseclat79]

Ubuntu Security Notice USN-612-8.

===========================================================
Ubuntu Security Notice USN-612-8 May 21, 2008
openssl-blacklist update
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-3 ===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
openssl-blacklist 0.1-0ubuntu0.6.06.1

Ubuntu 7.04: openssl-blacklist 0.1-0ubuntu0.7.04.4

Ubuntu 7.10: openssl-blacklist 0.1-0ubuntu0.7.10.4

Ubuntu 8.04 LTS: openssl-blacklist 0.1-0ubuntu0.8.04.4

In general, a standard system upgrade is sufficient to effect the necessary changes.

See first link above for further details.

-- Tom