VectorLinux
Author Topic: Debian OpenSSL security hole  (Read 3032 times)
easuter (Global Moderator, Vectorian, Posts: 2160)
« on: May 17, 2008, 04:06:48 am »

Debian and derivative distros (Ubuntu, Xandros and all the others...) are affected by a security vulnerability in the OpenSSL package that Debian distributes.
The problem isn't with OpenSSL itself, but rather with the modifications that Debian devs made to the source code.

Basically, they removed the pseudo random number generator, making any keys predictable... but hey, at least Valgrind stopped complaining, right?

http://www.debian.org/security/2008/dsa-1571

If you have any keys generated on a Debian box, remove them because they can easily be cracked with brute-force attacks.
Metasploit is already circulating the tools (surprise!):

http://metasploit.com/users/hdm/tools/debian-openssl/

« Last Edit: May 17, 2008, 05:02:32 am by easuter »
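
An added illustration for this thread (not Debian's, OpenSSL's or the poster's code): a toy model of why the keys became brute-forceable. Once the entropy-mixing call was gone, the only seed input that still varied from one run to the next was the process ID, so the set of keys a host could ever produce shrank to roughly the PID range. The simulation below stands in for "key generation" with a SHA-256 of the seed material, runs it once with fresh entropy mixed in and once with the PID alone, and counts distinct outputs. PID_MAX = 32768 is the Linux default of the time and is an assumption here; no real keys are generated or checked.

```python
"""Toy model of the DSA-1571 failure mode (added example, not Debian or
OpenSSL code). With entropy mixing removed, the only seed input that still
varied between runs was the process ID, so the reachable keyspace collapsed
to about one key per possible PID. 'Key generation' here is just a SHA-256
of the seed material; nothing in this file produces or tests real keys."""
import hashlib
import random
from typing import Optional

PID_MAX = 32768  # assumed: Linux default pid_max at the time, so PIDs are 1..32767


def derive_toy_key(pid: int, entropy: Optional[bytes]) -> str:
    """Stand-in for the key generator: hash whatever seed material it is given.

    Correct behaviour:            seed = pid || fresh entropy
    Patched (broken) behaviour:   entropy is None, seed = pid alone
    """
    material = pid.to_bytes(4, "big")
    if entropy is not None:
        material += entropy
    return hashlib.sha256(material).hexdigest()


def distinct_keys(runs: int, mix_entropy: bool, seed: int = 1) -> int:
    """Simulate `runs` independent key generations (many hosts, many
    processes) and count how many distinct keys come out.

    The simulation's own randomness is seeded so results are reproducible;
    it models the environment (PIDs, entropy pool), not the generator."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(runs):
        pid = rng.randrange(1, PID_MAX)
        entropy = rng.getrandbits(256).to_bytes(32, "big") if mix_entropy else None
        seen.add(derive_toy_key(pid, entropy))
    return len(seen)


def max_possible_keys(mix_entropy: bool) -> int:
    """Upper bound on the keyspace the generator can reach.

    With entropy the bound is the hash's full output space; without it there
    is exactly one possible key per PID value, however many keys are made."""
    return 2 ** 256 if mix_entropy else PID_MAX - 1


if __name__ == "__main__":
    runs = 100_000
    for mix in (True, False):
        label = "entropy mixed in" if mix else "PID only (patched behaviour)"
        bound = max_possible_keys(mix)
        bound_text = f"{bound:,}" if bound < 10 ** 9 else "2^256"
        print(f"{label:30s}: {distinct_keys(runs, mix):>7,} distinct keys "
              f"from {runs:,} runs (reachable keyspace: {bound_text})")
```

The point for anyone cleaning up after this: the bound is a property of the generator, not of any one key. A key produced by the patched generator is one of at most 32767 candidates no matter how unique it looks on its own host, which is why the fix is to regenerate (and re-certify) every key made with it rather than to inspect individual keys.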

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
Domine, exaudi vocem meam (Lord, hear my voice)
« Reply #1 on: May 17, 2008, 04:39:17 am »

hahaha they suck

"Leatherface, you BITCH! Ho Chi Minh, hah hah hah!"
Formerly known as "Epic Fail Guy" and "Döden" in recent months

nightflier (Administrator, Vectorian, Posts: 4029)
« Reply #2 on: May 17, 2008, 04:01:10 pm »

Debian's stumble gives me no pleasure, quite the contrary. They are a big part of the Linux ecosystem and we can thank them for huge contributions to the community.

exeterdad (Packager, Vectorian, Posts: 2046)
« Reply #3 on: May 17, 2008, 08:54:57 pm »

No pleasure here either. Linux bashers see Linux as a whole, not distributions. Debian is a "Big Dog", hailed as being solid. This is a blow; it makes us all look like idiots. I see Debian has quickly offered fixes. But all those keys generated since 2006 need to be redone, many of which require re-signing by an authority. Those don't come cheap. The end user has to foot the bill. I can't even imagine the overall cost those omitted few lines cost.

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #4 on: May 17, 2008, 10:21:10 pm »

I find it hard to believe they would do something so stupid

easuter (Global Moderator, Vectorian, Posts: 2160)
« Reply #5 on: May 18, 2008, 04:52:24 am »

Quote from: nightflier
Debian's stumble gives me no pleasure, quite the contrary. They are a big part of the Linux ecosystem and we can thank them for huge contributions to the community.

Me neither, but when I heard that they simply commented out the code for the PRNG instead of actually finding out if Valgrind was just giving a bogus report, well... I had the same thought as hanumizzle.

I guess it's also the kind of mistake that you learn from; after such serious repercussions they probably won't do it again...

bigpaws (Vectorian, Posts: 1857)
« Reply #6 on: May 18, 2008, 06:35:02 am »

Quote from: Triarius Fidelis
I find it hard to believe they would do something so stupid

This has been practice in Debian for years. Usually patches or fixes are reviewed. This is a disaster for anyone that has interfaced with a Debian key. This is what testing was for, at least I thought so. Let the auditing begin.

This is the perfect example of why Slackware runs almost vanilla settings.

The distributions that are doing heavy patching are the ones that create this type of mess. The process should be: create a fix for a problem, apply for the fix to be added. If it is denied, fix until it is approved. That creates a nice tracking system. Then all distros will be able to boast the same hardware support. This process will also give credibility to Linux, which is needed. May the result be that some people wake up.

This is one of the faults noted by the BSD group. The BSD group is slower at development. The approach is to fix the problem, then prove it is fixed.

Bigpaws

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #7 on: May 18, 2008, 06:36:19 am »

Maybe they should just report the fixes to the original maintainers of the software so everyone is on the same page. Red Hat/Fedora has been known to be gratuitously incompatible with other dists because of all the ridiculous patching they do.

rbistolfi (Packager, Vectorian, Posts: 2290)
« Reply #8 on: May 18, 2008, 06:45:38 am »

I am not happy, of course. I think this is a big mistake from Debian and it will affect other Linux distros as well. If you are going to patch software systematically (which is from the beginning a bad practice) it should be to add security, not the opposite.
IMHO, the bigger the code and the more complex the development process, the more chances for a bug. We actually want to reduce the probability of a mistake, not increase it.

PS: That looks like a really stupid mistake indeed.

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.
--
Jumalauta!!

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #9 on: May 18, 2008, 07:58:32 am »

So basically

tomh38 (Vectorian, Posts: 913)
« Reply #10 on: May 19, 2008, 05:29:10 am »

I'm putting this one on here for you, EFG:

Epic Fail

EDIT: The link is a reference to your nick and to the Debian security problem, as well as to the pic you posted, not to you failing in any way, Epic Fail Guy.
« Last Edit: May 19, 2008, 05:46:40 am by tomh38 »

"I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." - Linus Torvalds, April 1991

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #11 on: May 19, 2008, 08:32:02 am »

Quote from: tomh38
I'm putting this one on here for you, EFG:

Epic Fail

EDIT: The link is a reference to your nick and to the Debian security problem, as well as to the pic you posted, not to you failing in any way, Epic Fail Guy.

I'm at a public library now and I was able to use the Dong Tai Wang site to look at the picture. I think that's some pro-Chinese democracy site hosted here in the US but I can't be sure because I know like two Chinese characters. So that's one win.

But yeah otherwise I pretty much fail at everything. My lack of win is disturbing.

Will (Vectorite, Posts: 175)
« Reply #12 on: May 19, 2008, 08:32:33 am »

Security holes like this were bound to happen eventually. However, let's compare and contrast a bit. Yes, this is a bad thing; I'm not trying to make light of that. However, how many Bad Things keep cropping up and make the news with Windows security?

BlueMage (Vectorite, Posts: 274)
« Reply #13 on: May 19, 2008, 03:24:26 pm »

Quote from: Will
Security holes like this were bound to happen eventually. However, let's compare and contrast a bit. Yes, this is a bad thing; I'm not trying to make light of that. However, how many Bad Things keep cropping up and make the news with Windows security?

Um, practically none? a) because everyone expects Windows security to be lacklustre and therefore having that proven true isn't newsworthy (hence the massive shitstorm over Vista - Windows with something like proper security measures in place? UNHEARD OF!) and b) the actual incidence of such severe security breaches has been decreasing at a steady level - most remote compromises now require the user to undertake a specific set of activities which opens a specific hole, with the most easily exploited having been patched quite some time ago.

So yeah, this is considerably worse than some random remote compromise in Windows - in the effect it can have and the possible damage to reputation of Linux in general.

Acer Laptop: Vector 5.8 SOHO Final & Windows XP Professional & USB (still alive!)
Compaq POS (almost dead): Vector 5.9 Light Beta 5
Quad-core BEAST: Win 7 Ultimate 64-bit & Vector 5.9 64-bit beta-2
Old 500MHz media box: Vector 5.8 SOHO Final (dead)
701 EeePC: Puppeee (based on Puppy 4.01)

Triarius Fidelis (Vecteloper, Vectorian, Posts: 2399)
« Reply #14 on: May 19, 2008, 10:00:08 pm »

Quote from: BlueMage
So yeah, this is considerably worse than some random remote compromise in Windows - in the effect it can have and the possible damage to reputation of Linux in general.

Why is it that most of the people who make choices like "Use x software? [ ] yes [ ] no" are the people who are too dumb to know things like 'Debian =/= Linux'? Why? Why?

Incidentally, I'm on Vista now at home (haven't bothered to hook up my comp yet). What a turd-burger. The network connection shat itself for some reason and it took Vista like 10 minutes of thrashing just so I could reset it. It's not even out of real memory (although it's damn close), so I have no idea what would cause it to run so agonizingly slow. I miss Ex Pee.