Mailing List Archive: Maemo: Developers

OpenSSH vulnerability and maemo extras upload accounts.

Index | Next | Previous | View Threaded

niels at maemo

May 16, 2008, 1:06 PM

Post #1 of 7 (685 views)
Permalink

OpenSSH vulnerability and maemo extras upload accounts.

Hi,

Recently a security issue has been found in Debian\'s implementation
of OpenSSH as per CVE-2008-0166.

That directly affects openssh, and any key generated on Debian or
Debian-derived systems from then until the recent security updates (on
Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially
compromised.

We have mailed and disabled the keys for all people believed to have a
compromised key, but it is possible that we didn't detect every key.

If you have uploaded your key to garage.maemo.org and you believe this
affects you: Please update your own version of OpenSSH and
after that please re-generate a ssh key.

You can replace your ssh key here:
https://garage.maemo.org/account/index2.php

If you have any questions, please feel free to contact me.

We are sorry for the inconvenience caused by this.

--
Niels Breet
maemo.org webmaster

_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

olle at nxs

May 17, 2008, 4:20 AM

Post #2 of 7 (641 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

On Fri, May 16, 2008 at 10:06:40PM +0200, Niels Breet wrote:
>
> Recently a security issue has been found in Debian\'s implementation
> of OpenSSH as per CVE-2008-0166.

That should be OpenSSL, although OpenSSH uses OpenSSL for key creation.

> That directly affects openssh, and any key generated on Debian or
> Debian-derived systems from then until the recent security updates (on
> Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially
> compromised.

"then" being 0.9.8c-1 released 17 Sep 2006. If your key is older
than that you are not affected by this issue.

> If you have uploaded your key to garage.maemo.org and you believe this
> affects you: Please update your own version of OpenSSH and
> after that please re-generate a ssh key.

Again, please update your _OpenSSL_ library to current patchlevel.

/olle
_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

lool at dooz

May 17, 2008, 2:26 PM

Post #3 of 7 (626 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

On Sat, May 17, 2008, olle wrote:
> > That directly affects openssh, and any key generated on Debian or
> > Debian-derived systems from then until the recent security updates (on
> > Debian, versions 0.9.8c-4etch3 or 0.9.8g-9) is deemed potentially
> > compromised.
>
> "then" being 0.9.8c-1 released 17 Sep 2006. If your key is older
> than that you are not affected by this issue.

You are if you used your keys with an affected OpenSSL.

--
Loīc Minier
_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

olle at nxs

May 20, 2008, 12:41 AM

Post #4 of 7 (603 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

On Sat, May 17, 2008 at 11:26:44PM +0200, Loīc Minier wrote:
> >
> > "then" being 0.9.8c-1 released 17 Sep 2006. If your key is older
> > than that you are not affected by this issue.
>
> You are if you used your keys with an affected OpenSSL.

No. If your key was generated before the bug was introduced, it is
most definately not affected. You could potentially still have a
problem if you use your (non predictable) key with a signature
scheme like DSA that needs randomness, though.

/olle
_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

lool at dooz

May 20, 2008, 12:57 AM

Post #5 of 7 (601 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

On Tue, May 20, 2008, olle wrote:
> > > "then" being 0.9.8c-1 released 17 Sep 2006. If your key is older
> > > than that you are not affected by this issue.
> >
> > You are if you used your keys with an affected OpenSSL.
>
> No. If your key was generated before the bug was introduced, it is
> most definately not affected. You could potentially still have a
> problem if you use your (non predictable) key with a signature
> scheme like DSA that needs randomness, though.

If you use a *RSA* key generated before the bug was introduced, you
might not be affected, but if you used a *DSA* key on an affected
system, you are affected, even if it was generated 5 years ago.

I wanted to correct the statement "If your key is older than that you
are not affected by this issue.": there is no age limit at least for
some keys. When in doubt, people should please check upstream
resources such as: <http://wiki.debian.org/SSLkeys>.

Thanks,
--
Loīc Minier
_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

bolsh at gnome

May 20, 2008, 1:20 AM

Post #6 of 7 (601 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

Hi Olle,

olle wrote:
> No. If your key was generated before the bug was introduced, it is
> most definately not affected. You could potentially still have a
> problem if you use your (non predictable) key with a signature
> scheme like DSA that needs randomness, though.

On a server, you have your private SSH key, and someone else adds an
infected public SSH key to authorized_keys. By induction, your key is no
longer trustworthy, since someone could have connected to your server
via the untrustworthy key.

As I understand it, this is the problem with "vulnerable by induction".
I could be wrong, of course.

Cheers,
Dave.

--
maemo.org docsmaster
Email: dneary[at]maemo.org
Jabber: bolsh[at]jabber.org

_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

lool at dooz

May 20, 2008, 2:40 AM

Post #7 of 7 (600 views)
Permalink

Re: OpenSSH vulnerability and maemo extras upload accounts. [In reply to]

On Tue, May 20, 2008, Dave Neary wrote:
> On a server, you have your private SSH key, and someone else adds an
> infected public SSH key to authorized_keys. By induction, your key is no
> longer trustworthy, since someone could have connected to your server
> via the untrustworthy key.

That's pushing quite far; however if you have been using a private DSA
key with a weak openssl at any time, you should drop it for sure, and
you should drop all keys generated with a borken openssl. See
<http://wiki.debian.org/SSLkeys>.

I'd also recommend all servers to upgrade to a version of OpenSSH which
allows rejecting vulnerable keys and to scan authorized_keys file for
such keys.

--
Loīc Minier
_______________________________________________
maemo-developers mailing list
maemo-developers[at]maemo.org
https://lists.maemo.org/mailman/listinfo/maemo-developers

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com