[personal profile] theweaselking
MOTHERFUCKER.

If you have a Debian or Ubuntu system, update *now* and delete all SSH and SSL certificates and keys you generated before the update. Generate new ones, unless you installed openssh TODAY.

For Ubuntu, this affects 7.04+. 6.06 is safe. For Debian, fucked if I know. Debian is obsolete, pretty much by definition.

(no subject)

Date: 2008-05-14 10:59 pm (UTC)
From: [identity profile] jagash.livejournal.com
Soo glad that I haven't used my Ubuntu installation for anything concrete. Lower risk, though I will have to update immediately upon booting into that system. Thanks.

(no subject)

Date: 2008-05-14 11:50 pm (UTC)
From: [identity profile] drjon.livejournal.com
Same here. Many thanks!

(no subject)

Date: 2008-05-14 11:00 pm (UTC)
From: [identity profile] elffin.livejournal.com
ngyagh. Thankee.

(no subject)

Date: 2008-05-14 11:02 pm (UTC)
From: [identity profile] itlandm.livejournal.com
Ubuntu 8's upgrader dealt with it once I gave it the go-ahead. But yeah, a revolting development. Let us hope it doesn't become a habit.

(no subject)

Date: 2008-05-14 11:20 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
You did reinstall openssh, right?

Because, if you didn't, you didn't generate new certificates. Meaning you're left vulnerable to a MITM attack.

(no subject)

Date: 2008-05-15 12:16 am (UTC)
From: [identity profile] itlandm.livejournal.com
The update program did that. It asked me first though.

(no subject)

Date: 2008-05-14 11:27 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
Those of us not running Linux will just point and laugh.

(no subject)

Date: 2008-05-14 11:32 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Indeed. And one day, when SSH and SATA support come to you, all these problems will be resolved, in advance.

(Unless you're running a BSD clone, in which case I simply have to say, from experience, MACS SUCK ASS GET A REAL COMPUTER YO.)

(no subject)

Date: 2008-05-14 11:36 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
BSD clone? No no, I run an actual BSD, thanks. FreeBSD to be specific. I've had SSH for a dozen years, and SATA support has been around since SATA chipsets started hitting the market.

(no subject)

Date: 2008-05-14 11:46 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
And, on a fresh install, can you do the whole pointy-clicky-thing and make a second monitor work in, like, two seconds? No[1]? That's what I thought. Dirty mac-user!


[1]: Attempts to turn this question upon Linux users are simply a sign of jealousy. Really. Totally. That's what they are. And you're a poopy head.

(no subject)

Date: 2008-05-14 11:52 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
I may or may not be a poopy head, but yeah, Xinerama is not exactly hard to set up.

The easiest machines to do it on are my Irix boxes. I don't even have to point and click, they just auto detect the second monitor and enable it for you.

(no subject)

Date: 2008-05-15 12:06 am (UTC)
From: [identity profile] theweaselking.livejournal.com
You are the enemy of free software! By which, of course, I mean Linux. Because, y'know, that's what free software IS.

So there!

(no subject)

Date: 2008-05-15 12:14 am (UTC)
From: [identity profile] jsbowden.livejournal.com
Yes, yes I am. I even have Suns running Solaris, which also Just Works (TM) with multiple displays.

(no subject)

Date: 2008-05-15 03:48 am (UTC)
From: [identity profile] plantyhamchuk.livejournal.com
But.... but.... macs are pretty!!

(no subject)

Date: 2008-05-14 11:39 pm (UTC)
From: [identity profile] ben-raccoon.livejournal.com
Suddenly, I'm glad I run Gentoo..

(no subject)

Date: 2008-05-14 11:45 pm (UTC)
From: [identity profile] mrbankies.livejournal.com
Yeah, that's pretty much a big deal problem. Yeeek.

(no subject)

Date: 2008-05-15 01:08 am (UTC)
From: [identity profile] anivair.livejournal.com
That patched with this morning's updates on all my servers.

(no subject)

Date: 2008-05-15 02:41 am (UTC)
From: [identity profile] eididdy.livejournal.com
Nice. Installed it last night.

(no subject)

Date: 2008-05-15 06:02 am (UTC)
From: [identity profile] athelind.livejournal.com
Wait, what?

I run Ubuntu (8.04), but I'm sufficiently tech-illiterate that I don't know what SH and SSL codes ARE, other than "something to do with encryption". If I don't deliberately use them, do I have to worry about it?

I THINK my system installed the OpenSSH app this morning, but I'm not sure; I get new updates regularly.

(no subject)

Date: 2008-05-15 11:00 am (UTC)
From: [identity profile] theweaselking.livejournal.com
Okay. SSH and SSL are both traffic encryption applications, so nobody can listen in to what your remote computer is sending to a server, and they use "keys". Keys are generated randomly, but the security of the key depends on *how random* the random number generator really is.

For the last two years, Debian and Ubuntu have had a flaw in their random number generator, so that their "random" keys are really nothing of the sort.

If you have "openssl" and "libssl" and "openssh-server" installed, remove them, update your packages, and reinstall them.

Run "ssh-vulnkey" after updating, to find if there are any remaining vulnerable keys.
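
Added example, not part of the original thread: a toy Python model of why keys from a generator with too little randomness can be found by a fingerprint blocklist check, the kind of audit the comment above recommends running after the update. The seed space size, the toy key generator and the key names are assumptions made for illustration, not the real OpenSSL or OpenSSH code.

```python
import hashlib
import random
import secrets

# Assumption for illustration: the flawed generator's only varying input
# is one small integer, so at most SEED_SPACE distinct keys can ever exist.
SEED_SPACE = 32768


def toy_keygen(seed: int, nbytes: int = 16) -> bytes:
    """Toy stand-in for key generation: the output depends on the seed alone."""
    return random.Random(seed).getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def fingerprint(key: bytes) -> str:
    """Short hex digest that identifies a key without storing the key itself."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist(seed_space: int = SEED_SPACE) -> frozenset:
    """Enumerate every key the weak generator can emit; keep the fingerprints."""
    return frozenset(fingerprint(toy_keygen(s)) for s in range(seed_space))


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names of keys whose fingerprint appears on the blocklist."""
    return sorted(n for n, k in keys.items() if fingerprint(k) in blocklist)


def demo() -> list:
    # Constructed inventory: two keys made by the weak generator before the
    # fix, and one regenerated afterwards from the operating system's CSPRNG.
    inventory = {
        "host_key_old": toy_keygen(4242),
        "user_key_old": toy_keygen(31999),
        "host_key_regenerated": secrets.token_bytes(16),
    }
    return audit(inventory, build_blocklist())


if __name__ == "__main__":
    print("keys to replace:", demo())
```

Because the whole output space of the weak generator fits in a small set, every key it ever produced can be recognised and must be replaced, while a key drawn from a properly seeded source does not match.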

(no subject)

Date: 2008-05-15 04:25 pm (UTC)
From: [personal profile] jerril
So, does this impact users who aren't running their own servers or doing anything more than visiting HTTPS enabled websites?

(no subject)

Date: 2008-05-15 05:03 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
If you aren't using SSH to connect to your machine and you aren't running an SSL service like HTTP or FTP, then why do you have the services installed?

If you have them installed, you must update them. Period. If you don't have them installed, no worries.

(no subject)

Date: 2008-05-15 06:25 am (UTC)
From: [identity profile] atlasimpure.livejournal.com
hahahahahahahaha
