hep-cat.de

May 14, 2008

Tor: Debian flaw causes weak identity keys

Filed under: Unauthorized — atari @ 02:41

Tor 0.2.0.26-rc replaces several V3 directory authority keys affected by a recent Debian OpenSSL bug. This is a security-critical release. Everybody running any version in the 0.2.0.x series should upgrade, whether they are running Debian or not. Also, all servers running any version of Tor whose keys were generated by Debian, Ubuntu, or any derived distribution may have to replace their identity keys. See our security advisory for full details. As always, you can find Tor 0.2.0.26-rc on the downloads page.

SUMMARY: This is a critical security announcement.

A bug in the Debian GNU/Linux distribution’s OpenSSL package was announced today. This bug would allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Thus, all private keys generated by affected versions of OpenSSL must be considered to be compromised.

archives.seul.org/or/announce/May-2008/msg00000.html

May 13, 2008

Debian: New openssl packages fix predictable random number generator

Filed under: Unauthorized — atari @ 15:31


Package : openssl
Vulnerability : predictable random number generator
Problem type : remote
Debian-specific: yes
CVE Id(s) : CVE-2008-0166

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

lists.debian.org/debian-security-announce/2008/msg00152.html

All affected Debian software packages/protocols:

openssh (both server and user keys)
OpenVPN
DNSSEC
key material for X.509
encfs
Tor

wiki.debian.org/SSLkeys

To regenerate the SSH server keys:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa

ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

May 7, 2008

Please don't!

Filed under: Unauthorized — atari @ 00:06

First Leuphana, now Google?

According to a statement from the AStA Lüneburg, the data center of the University of Lüneburg is soon to be run, at least in part, by Google.

The initiative for this plan is said to come from Vice President Holm Keller, whose responsibilities include university marketing. “Holm Keller must finally stop his attempts to privatize education in Lüneburg. If he cannot get used to working in a state institution with a public mandate, he should go back to the private sector,” Gluesen criticizes further. “Moreover, such a step cannot be taken without the involvement of the committees.”
