Quote:
Originally Posted by mojojojo
Hi!
As I understand it, this vmware image was built on debian. Is the openssl library installed on it, and is it one of the versions affected by the recent debian openssl critical security flaw?
I'm referring to
http://www.debian.org/security/2008/dsa-1571
In short, what the above link says is that on Debian Linux distributions any public keys generated by the flawed openssl library are easily predicted, and unfortunately the flawed openssl version has been in production since late 2006, I believe.
Thanks for the heads-up, mojojojo. Indeed it's a nasty flaw and we've been busy the last few days updating all our server keys. In general, keys generated before September 2006 are not affected by the flaw. The recommended procedure is to update openssh/openssl (via aptitude dist-upgrade), replace the host keys, and to run ssh-vulnkey afterwards to check for weak user keys.
Since the VMware image was created more than one year ago, I suspect there are other security updates necessary as well. So when you download it, it's best to run a system upgrade first before using it.
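
The procedure from the reply above, as an added example that is not part of the original thread: a shell sketch of the upgrade, host key replacement and `ssh-vulnkey` check, plus a small triage of the results. It assumes a Debian guest run as root, that `dpkg-reconfigure openssh-server` regenerates missing host keys, and that `ssh-vulnkey` result lines contain the status text `COMPROMISED:` or `Not blacklisted:`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Read ssh-vulnkey output on stdin, flag keys that need action, print a summary.
# Returns 1 if any key is reported as COMPROMISED, 0 otherwise.
# Assumption: lines starting with '#' are comments; any status other than
# "COMPROMISED:" or "Not blacklisted:" is treated as "needs manual review".
triage_vulnkey() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /COMPROMISED:/           { bad++; print "REPLACE " $0; next }
        /Not blacklisted:/       { ok++; next }
                                 { unknown++; print "REVIEW  " $0 }
        END {
            printf "compromised=%d ok=%d unknown=%d\n", bad, ok, unknown
            exit (bad > 0)
        }
    '
}

# The three steps from the reply, in order. Run as root on the Debian guest.
remediate_host() {
    aptitude update && aptitude dist-upgrade &&      # fixed openssl/openssh packages
    rm -f /etc/ssh/ssh_host_*key /etc/ssh/ssh_host_*key.pub &&  # drop old host keys
    dpkg-reconfigure openssh-server &&               # regenerate the host keys
    ssh-vulnkey -a | triage_vulnkey                  # check host and all user keys
}

# Constructed sample output (fingerprints are placeholders, not real keys).
SAMPLE_OUTPUT='# constructed sample
COMPROMISED: 2048 xx:xx:xx:xx /etc/ssh/ssh_host_rsa_key.pub
/home/alice/.ssh/id_rsa.pub:1: Not blacklisted: RSA 2048 xx:xx:xx:xx alice@host
/home/bob/.ssh/authorized_keys:2: Unknown (blacklist file not installed): RSA 1024 xx:xx bob@host'

case "${1:-}" in
    --apply) remediate_host ;;
    --demo)  printf '%s\n' "$SAMPLE_OUTPUT" | triage_vulnkey ;;
esac
```

Any user key flagged `REPLACE` also has to be removed from every `authorized_keys` file that lists it, on this host and on others, since regenerating the key pair alone does not revoke the old public key.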