Hi, I'm Chris Moyer's Blog.

Debian OpenSSL Security Snafu

Darn, I thought I dealt with this. So, a couple weeks back news broke about the terrible OpenSSL problem that had caused gobs of easily crackable ssl keys to generated on debian and its derivatives, and I read up on it. Being that this is an ubuntu server, I was vulnerable, so I could have swarn I did an apt-get install openssl and got updated versions and regenerated my keys.

Fast forward to yesterday evening. I got an invite to Heroku and was playing with the git interface. I uploaded by public key, and it told me that I had a blacklisted key and pointed me to the ubuntu security warning.

The removed lines:


[ .. ]

MD_Update(&m,buf,j); /* purify complains */

If you didn't hear about the snafu, then you should look into it. If you did, maybe you should look into it again. Took me 10 minutes to fix up 3 bad keys and install the new openssl stuff via apt-get.

(For those who didn't hear: Many moons ago, a line in an openssl file caused a warning in a tool the debian maintainers used. The maintainer removed it, and the complaint went away and everything seemed to work fine. Unfortunately, that line initialized the random number generator. Without that line, every key on a debian system was generated with the random number generator initialized to the process id of the generating program… a tiny, easily bruteforceable set of seeds.)

Back to Blog Home »