
Mailing List Archive: Maemo: Developers

Does Debian OpenSSL problem affect Maemo ?

 

 



advax at triumf

May 16, 2008, 10:17 AM

Post #1 of 6 (3172 views)
Does Debian OpenSSL problem affect Maemo ?

Who says reading the comics is a waste of time ?

http://xkcd.com/424/ -> google "debian openssl security" ->

http://metasploit.com/users/hdm/tools/debian-openssl/

etc.

suggesting that any certificates or SSH keys generated on a Debian system in
the last 2 years should be regenerated.

I wondered if Maemo had inherited this problem.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
_______________________________________________
maemo-developers mailing list
maemo-developers [at] maemo
https://lists.maemo.org/mailman/listinfo/maemo-developers


morpheuz at gmail

May 16, 2008, 10:47 AM

Post #2 of 6 (3090 views)
Re: Does Debian OpenSSL problem affect Maemo ? [In reply to]

Hi,

On Fri, May 16, 2008 at 2:17 PM, Andrew Daviel <advax [at] triumf> wrote:
> I wondered if Maemo had inherited this problem.

The advisories say that the versions of openssl affected are
0.9.8c-1 up to 0.9.8g-9. On my tablets, the version installed is 0.9.7

BR,

--
-------------------------------------------------------
Blog: http://labs.morpheuz.eng.br/blog/
PGP: 0xDBEEAAC3 @ wwwkeys.pgp.net


bolsh at gnome

May 16, 2008, 11:39 AM

Post #3 of 6 (3052 views)
Re: Does Debian OpenSSL problem affect Maemo ? [In reply to]

Hi,

Andrew Daviel wrote:
> Who says reading the comics is a waste of time ?
>
> http://xkcd.com/424/ -> google "debian openssl security" ->
>
> http://metasploit.com/users/hdm/tools/debian-openssl/
>
> etc.
>
> suggesting that any certificates or SSH keys generated on a Debian system in
> the last 2 years should be regenerated.
>
> I wondered if Maemo had inherited this problem.

For the tablets, I'll take MoRpHeUz'S wOrD.

For maemo.org's infrastructure, garage was taken offline earlier today
and "cleaned" - server keys were regenerated, etc. I don't know if any
of the user keys are vulnerable on there, but I assume Ferenc's got it
under control.

Cheers,
Dave.

--
maemo.org docsmaster
Email: dneary [at] maemo
Jabber: bolsh [at] jabber



eblima at gmail

May 16, 2008, 11:48 AM

Post #4 of 6 (3025 views)
Re: Does Debian OpenSSL problem affect Maemo ? [In reply to]

On Fri, May 16, 2008 at 3:39 PM, Dave Neary <bolsh [at] gnome> wrote:
>
> For the tablets, I'll take MoRpHeUz'S wOrD.
>
> For maemo.org's infrastructure, garage was taken offline earlier today
> and "cleaned" - server keys were regenerated, etc. I don't know if any
> of the user keys are vulnerable on there, but I assume Ferenc's got it
> under control.

My key seems to be on the blacklist. I've uploaded some packages
earlier today, but at this very moment I can't do it anymore.
Considering that I must regenerate my key, how should I proceed to get
it working again? I remember a page somewhere on the maemo website
where we were able to submit our public keys, but I can't find it
anywhere....

Best Regards, Etrunko.

--
Eduardo de Barros Lima
INdT - Instituto Nokia de Tecnologia
eblima [at] gmail


eblima at gmail

May 16, 2008, 11:57 AM

Post #5 of 6 (3047 views)
Re: Does Debian OpenSSL problem affect Maemo ? [In reply to]

On Fri, May 16, 2008 at 3:48 PM, Eduardo Lima (Etrunko)
<eblima [at] gmail> wrote:
> My key seems to be on the blacklist. I've uploaded some packages
> earlier today, but at this very moment I can't do it anymore.
> Considering that I must regenerate my key, how should I proceed to get
> it working again? I remember a page somewhere on the maemo website
> where we were able to submit our public keys, but I can't find it
> anywhere....
>

Got the address: https://garage.maemo.org/account/index2.php

Best Regards, Etrunko.

--
Eduardo de Barros Lima
INdT - Instituto Nokia de Tecnologia
eblima [at] gmail


anderson.lizardo at gmail

May 16, 2008, 5:11 PM

Post #6 of 6 (3039 views)
Re: Does Debian OpenSSL problem affect Maemo ? [In reply to]

On Fri, May 16, 2008 at 1:47 PM, MoRpHeUz <morpheuz [at] gmail> wrote:
> Hi,
>
> On Fri, May 16, 2008 at 2:17 PM, Andrew Daviel <advax [at] triumf> wrote:
>> I wondered if Maemo had inherited this problem.
>
> The advisories say that the versions of openssl affected are
> 0.9.8c-1 up to 0.9.8g-9. On my tablets, the version installed is 0.9.7

AFAIK the actual issue is that keys *generated* on an affected system
are vulnerable. Therefore, if you happened to generate a
private/public key pair on a host system with the affected openssl
library and added the public key to the device's
/root/.ssh/authorized_keys, then the device is susceptible to remote
brute force attack [1].

Of course this requires the following:

- the device be in RD mode (not sure)
- openssh server package installed and enabled
- you manually copied a vulnerable public SSH key to the device's
/root/.ssh/authorized_keys

[1] http://seclists.org/fulldisclosure/2008/May/0410.html

Regards,
--
Anderson Lizardo
Instituto Nokia de Tecnologia (INdT)
Manaus - Brazil
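
The last post turns on where a key was generated rather than which OpenSSL the tablet runs, so the thing to audit is the device's authorized_keys file. The sketch below is an added example, not part of the original thread: it flags entries whose MD5 fingerprint appears in a weak-key blacklist, assuming the blacklist stores the last 20 hex digits of each fingerprint; the key blobs and the blacklist are constructed sample data, not real keys.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data

def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the decoded key blob, without colons."""
    return hashlib.md5(blob).hexdigest()

def extract_blob(line: str):
    """Return (key_type, blob) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options such as command="..." may precede the key type, so scan for it.
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # The blob must begin with its own type name to count as a key.
        if blob.startswith(ssh_string(tok.encode())):
            return tok, blob
    return None

def audit(authorized_keys: str, blacklist: set) -> list:
    """List (line number, key type, fingerprint) for blacklisted entries."""
    hits = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        parsed = extract_blob(line)
        if parsed and md5_fingerprint(parsed[1])[12:] in blacklist:
            hits.append((lineno, parsed[0], md5_fingerprint(parsed[1])))
    return hits

def constructed_blob(filler: bytes) -> bytes:
    """Constructed stand-in for a key blob: filler bytes, not a real modulus."""
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(filler * 32)

WEAK, GOOD = constructed_blob(b"\x11"), constructed_blob(b"\x22")
SAMPLE_BLACKLIST = {md5_fingerprint(WEAK)[12:]}  # constructed, assumed format
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " user@host",
    'command="/bin/true" ssh-rsa ' + base64.b64encode(WEAK).decode() + " dev@buildhost",
])
```

Any line reported by `audit` should be removed from authorized_keys and the corresponding key pair regenerated on a system with a fixed OpenSSL.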