Hi, I'm Chris Moyer's Blog.

• CDMoyer's Home Page
• XOXO 2014 Recap
  
  16 Sep 2014
• The Perfect Storm: A True Story of Men Against the Sea - Book Review
  
  23 Dec 2011
• Feeds I Reads
  
  13 May 2011
• Fool's War - Book Review
  
  10 May 2011
• In Conquest Born - Book Review
  
  28 Apr 2011
• Fun Presentation on 10 Golden Principles for Successful Web Apps
  
  24 Feb 2010
• GitHub has an API -- Adding your Repos to Your Site
  
  18 Feb 2010
• Postel's Law -- The Robustness Principle
  
  04 Nov 2009
• RubyKnight Gem Released (v0.2.0)
  
  02 Nov 2009
• One Truth About Technology Architecture: Loose Coupling
  
  31 Oct 2009
• Older Posts »

Debian OpenSSL Security Snafu

Darn, I thought I dealt with this. So, a couple weeks back news broke about the terrible OpenSSL problem that had caused gobs of easily crackable ssl keys to generated on debian and its derivatives, and I read up on it. Being that this is an ubuntu server, I was vulnerable, so I could have swarn I did an apt-get install openssl and got updated versions and regenerated my keys.

Fast forward to yesterday evening. I got an invite to Heroku and was playing with the git interface. I uploaded by public key, and it told me that I had a blacklisted key and pointed me to the ubuntu security warning.

MD_Update(&m,buf,j);

[ .. ]

MD_Update(&m,buf,j); /* purify complains */

If you didn't hear about the snafu, then you should look into it. If you did, maybe you should look into it again. Took me 10 minutes to fix up 3 bad keys and install the new openssl stuff via apt-get.

(For those who didn't hear: Many moons ago, a line in an openssl file caused a warning in a tool the debian maintainers used. The maintainer removed it, and the complaint went away and everything seemed to work fine. Unfortunately, that line initialized the random number generator. Without that line, every key on a debian system was generated with the random number generator initialized to the process id of the generating program… a tiny, easily bruteforceable set of seeds.)