Debian Security Alert 1576 and GNOME machines

As some of you have probably been made aware somehow by now, the Debian openssl package introduced an incorrect change in version 0.9.8c-1, available since September 2007 and distributed with the current stable release "etch", which resulted in the output of the random number generator being predictable, as per CVE-2008-0166.

That directly affects openssh, and any key generated on Debian or Debian-derived systems from then until the recent security updates (on Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially compromised.

It should be obvious from the start that we are exposed to risk by the number of developers we have that use Debian or Ubuntu systems, and we have run individual tests to reach the conclusion that we do, indeed, have this kind of key installed on the GNOME servers. Hence, I regret to inform you that key authentication to GNOME machines has been disabled some minutes ago for safety. We will be working on putting mechanisms into place that allow for blacklisting upon authentication, so that the insecure keys are selectively disabled and we can resume normal operation as soon as possible.

It is worth noting, however, that, for all we currently know, not all cases can be detected by the algorithms we have, which would make it insufficient to just remove the keys we know to be broken or blacklist them. Therefore, it is EXTREMELY important that, if you think your key has been generated on a system affected by this bug at the time, you have your system updated, regenerate your SSH keys and get them replaced by mailing accounts@...

The Infrastructure Team may see a need to go a bit further than I have described in due course, but new announcements will be sent out if that is the case.

We are sorry for the inconvenience, and hope not to have to disturb development for long or delay the next tarballs' due date.

Yours,

--
Guilherme de S. Pastore
The GNOME Sysadmin Team
_______________________________________________
gnome-hackers mailing list
gnome-hackers@...
http://mail.gnome.org/mailman/listinfo/gnome-hackers
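The "blacklisting upon authentication" the announcement describes rests on one fact: a key produced by the broken RNG is one of a small, enumerable set, so its fingerprint can be precomputed and looked up. Debian shipped exactly that as the openssh-blacklist package and the ssh-vulnkey(1) tool. The script below is an added example (not GNOME's or Debian's code) of the same idea applied to an authorized_keys file: it computes the MD5 fingerprint that ssh-keygen -l printed in 2008 (MD5 over the decoded key blob) and drops every entry whose fingerprint is in a blacklist. The authorized_keys lines, the toy-sized RSA numbers inside them and the blacklist itself are all constructed here so the script runs offline; a real deployment would load the distributed blacklist instead.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, with a leading 0x00
    when the high bit of the first byte would otherwise be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_authorized_key_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line from an RSA (e, n) pair.
    Used only to construct sample input: the numbers passed below are
    toy-sized and are NOT real keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def fingerprint(line: str) -> str:
    """Colon-separated MD5 fingerprint of the key on an authorized_keys line.
    The line may carry an options prefix (command="...", from="..."), so the
    key type token is located rather than assumed to be first."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    raise ValueError("no %s key found in line" % "/".join(KEY_TYPES))


def filter_authorized_keys(lines, weak_fingerprints):
    """Split authorized_keys lines into (kept, rejected) by fingerprint.
    Comments and blank lines are kept unchanged."""
    kept, rejected = [], []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        target = rejected if fingerprint(stripped) in weak_fingerprints else kept
        target.append(line)
    return kept, rejected


# Constructed sample authorized_keys content: two toy keys, one of them
# behind an options prefix of the kind used for restricted svn accounts.
SAMPLE_AUTHORIZED_KEYS = [
    "# developer keys (constructed sample, not real keys)",
    rsa_authorized_key_line(65537, 0xC0FFEE12345678_9ABC, "alice@weak-laptop"),
    'command="/usr/bin/svnserve -t" '
    + rsa_authorized_key_line(65537, 0xDEADBEEF0BADF00D1, "bob@fedora-box"),
]

# Simulated blacklist. In practice this set comes from the distributed
# blacklist data; here it is constructed to contain alice's key.
WEAK_FINGERPRINTS = {fingerprint(SAMPLE_AUTHORIZED_KEYS[1])}

if __name__ == "__main__":
    kept, rejected = filter_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)
    for line in rejected:
        print("REJECT %s  %s" % (fingerprint(line), line.split()[-1]))
    for line in kept:
        print("keep   %s" % line[:60])
```

Note the caveat the announcement itself makes: a lookup like this only catches keys whose fingerprints were precomputed (the common key sizes and types on the affected architectures), so it complements, rather than replaces, regenerating any key that may have been made on an affected system.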
Non-working GNOME SSH keys

Read this if you have a GNOME (ssh) account and it isn't working and you want to know why.

Due to the Debian security issue we've locked down the machines for public key authentication. See the announcement by Guilherme de S. Pastore to devel-announce-list below. Please ensure you're subscribed to that list (as we expect people to be)! Generally announcements are spread via Planet GNOME as well, but that is more of an extra service.

Please contact accounts@... if you have either:
* Used a DSA key on a Debian/Ubuntu machine affected by the security issue
* Generated a DSA/RSA key on an affected Debian/Ubuntu machine

Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu machine (meaning: ssh'ed from that machine, not to such a machine), you are affected as well. So please replace your key in such cases as well.

Current plan: We'll (well, Owen) remove all blacklisted SSH keys that we can find and inform affected people. This is to avoid the greatest security issues. Not sure yet what we'll do about the DSA keys (they could be compromised now or in future whenever they're used on an affected Debian/Ubuntu machine).

Closing: I'm unfortunately way too busy to really help the sysadmins working on this.. plus the accounts people replacing the SSH keys. Thanks to everyone who's helping.

On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> As some of you have probably been made aware somehow by now, the Debian openssl package introduced an incorrect change in version 0.9.8c-1, available since September 2007 and distributed with the current stable release "etch", which resulted in the output of the random number generator being predictable, as per CVE-2008-0166.
>
> That directly affects openssh, and any key generated on Debian or Debian-derived systems from then until the recent security updates (on Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially compromised.
>
> It should be obvious from the start that we are exposed to risk by the number of developers we have that use Debian or Ubuntu systems, and we have run individual tests to reach the conclusion that we do, indeed, have this kind of key installed on the GNOME servers. Hence, I regret to inform you that key authentication to GNOME machines has been disabled some minutes ago for safety. We will be working on putting mechanisms into place that allow for blacklisting upon authentication, so that the insecure keys are selectively disabled and we can resume normal operation as soon as possible.
>
> It is worth noting, however, that, for all we currently know, not all cases can be detected by the algorithms we have, which would make it insufficient to just remove the keys we know to be broken or blacklist them. Therefore, it is EXTREMELY important that, if you think your key has been generated on a system affected by this bug at the time, you have your system updated, regenerate your SSH keys and get them replaced by mailing accounts@...
>
> The Infrastructure Team may see a need to go a bit further than I have described in due course, but new announcements will be sent out if that is the case.
>
> We are sorry for the inconvenience, and hope not to have to disturb development for long or delay the next tarballs' due date.
>
> Yours,
>
> --
> Guilherme de S. Pastore
> The GNOME Sysadmin Team

--
Regards,
Olav
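The reason a DSA key that was merely used from an affected machine counts as compromised, even if it was generated elsewhere, is that DSA needs a fresh, unpredictable per-signature nonce k, and on an affected system that nonce came from the same broken RNG as the keys. One signature made with a nonce the attacker can guess gives away the private key outright. The following is an added illustration of that algebra (not part of the thread, and not Debian's or GNOME's code) over toy-sized DSA parameters chosen here for readability: p = 23, q = 11, g = 4. Real DSA uses a 160-bit q and a 1024-bit p; the equations are the same, only the numbers are larger.

```python
# Toy DSA parameters, constructed for this example: q = 11 is prime,
# p = 23 = 2q + 1 is prime, and g = 2^((p-1)/q) mod p = 4 has order q.
P, Q, G = 23, 11, 4


def _inv(a: int) -> int:
    """Modular inverse mod the prime Q, via Fermat's little theorem."""
    return pow(a, Q - 2, Q)


def keygen(x: int):
    """Private key x in [1, q-1] (generated on a *good* system in this
    scenario); public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(h: int, x: int, k: int):
    """DSA signature of message hash h with per-signature nonce k.
    A sound implementation draws k uniformly from [1, q-1] with a good RNG;
    on an affected Debian system k came from the predictable one."""
    r = pow(G, k, P) % Q
    s = (_inv(k) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, choose another k")
    return r, s


def verify(h: int, sig, y: int) -> bool:
    """Standard DSA verification."""
    r, s = sig
    w = _inv(s)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(h: int, sig, y: int, nonce_candidates):
    """Given one signature and the small set of nonces a predictable RNG
    could have produced, solve s*k = h + x*r (mod q) for x:
        x = (s*k - h) * r^-1  mod q
    and confirm each candidate against the public key.  Returns None when
    the true nonce is not among the candidates."""
    r, s = sig
    r_inv = _inv(r)
    for k in nonce_candidates:
        x = ((s * k - h) * r_inv) % Q
        if pow(G, x, P) == y:
            return x
    return None


if __name__ == "__main__":
    x, y = keygen(7)               # key made on an unaffected system
    sig = sign(5, x, 3)            # one login from an affected machine: k = 3
    assert verify(5, sig, y)
    # The attacker only needs the candidate nonces, not the key itself.
    print("recovered x =", recover_private_key(5, sig, y, range(1, Q)))
```

With a 160-bit q the candidate set from the Debian bug was still small (the RNG was seeded from little more than the process ID), which is why the advisory treats any DSA key that signed from an affected host as exposed, regardless of where it was generated; an RSA key that was only *used* there does not leak this way, because RSA signing has no per-signature nonce.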
ssh to svn.gnome.org/master.gnome.org back

NOTE: still can't log in? you'll get mail shortly

On Fri, May 16, 2008 at 09:46:08AM +0200, Olav Vitters wrote:
> Read this if you have a GNOME (ssh) account and it isn't working and you want to know why.
>
> Due to the Debian security issue we've locked down the machines for public key authentication. See the announcement by Guilherme de S. Pastore to devel-announce-list below. Please ensure you're subscribed to that list (as we expect people to be)! Generally announcements are spread via Planet GNOME as well, but that is more of an extra service.
>
> Please contact accounts@... if you have either:
> * Used a DSA key on a Debian/Ubuntu machine affected by the security issue
> * Generated a DSA/RSA key on an affected Debian/Ubuntu machine
>
> Note: If you have a DSA key generated on a non-Debian/Ubuntu (e.g. Red Hat) distribution (or whatever) and used it on an affected Debian/Ubuntu machine (meaning: ssh'ed from that machine, not to such a machine), you are affected as well. So please replace your key in such cases as well.
>
> Current plan: We'll (well, Owen) remove all blacklisted SSH keys that we can find and inform affected people. This is to avoid the greatest security issues. Not sure yet what we'll do about the DSA keys (they could be compromised now or in future whenever they're used on an affected Debian/Ubuntu machine).
>
> Closing: I'm unfortunately way too busy to really help the sysadmins working on this.. plus the accounts people replacing the SSH keys. Thanks to everyone who's helping.
>
> On Wed, May 14, 2008 at 10:52:29PM -0500, Guilherme de S. Pastore wrote:
> > As some of you have probably been made aware somehow by now, the Debian openssl package introduced an incorrect change in version 0.9.8c-1, available since September 2007 and distributed with the current stable release "etch", which resulted in the output of the random number generator being predictable, as per CVE-2008-0166.
> >
> > That directly affects openssh, and any key generated on Debian or Debian-derived systems from then until the recent security updates (on Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially compromised.
> >
> > It should be obvious from the start that we are exposed to risk by the number of developers we have that use Debian or Ubuntu systems, and we have run individual tests to reach the conclusion that we do, indeed, have this kind of key installed on the GNOME servers. Hence, I regret to inform you that key authentication to GNOME machines has been disabled some minutes ago for safety. We will be working on putting mechanisms into place that allow for blacklisting upon authentication, so that the insecure keys are selectively disabled and we can resume normal operation as soon as possible.
> >
> > It is worth noting, however, that, for all we currently know, not all cases can be detected by the algorithms we have, which would make it insufficient to just remove the keys we know to be broken or blacklist them. Therefore, it is EXTREMELY important that, if you think your key has been generated on a system affected by this bug at the time, you have your system updated, regenerate your SSH keys and get them replaced by mailing accounts@...
> >
> > The Infrastructure Team may see a need to go a bit further than I have described in due course, but new announcements will be sent out if that is the case.
> >
> > We are sorry for the inconvenience, and hope not to have to disturb development for long or delay the next tarballs' due date.
> >
> > Yours,
> >
> > --
> > Guilherme de S. Pastore
> > The GNOME Sysadmin Team
>
> --
> Regards,
> Olav

--
Regards,
Olav