OpenSSL Keys on Debian/Ubuntu Compromised
Posted on May 13th, 2008 in Announcements, Cryptography, Security
Some pretty bad news from the Debian team. Apparently, a change made to the bundled version of OpenSSL has made key generation predictable. The issue is severe enough that the Debian team recommends you consider all affected keys compromised and regenerate them ASAP.
If you have been using any Debian-based distribution (which includes Ubuntu) to generate SSL or SSH key material, check your version of OpenSSL. If you have 0.9.8c-1 or later, then you are affected.
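The version check described above, as an added example that is not code from the post or from Debian: it reproduces dpkg's version ordering so that package versions such as 0.9.8c-1 compare correctly (a plain string comparison gets letters, epochs and revisions wrong). The post states only the lower bound, so the first fixed version is left as a placeholder argument to be taken from the Debian advisory.

```python
# Added example, not the post's own code: dpkg-style version comparison to decide whether an
# installed openssl package falls in the range the post describes ("0.9.8c-1 or later").
FIRST_AFFECTED = "0.9.8c-1"  # first affected Debian package version, as stated in the post

def _order(c: str) -> int:
    # dpkg character ordering: '~' < end of string (0) < letters < other characters; digits = 0
    return -1 if c == "~" else ord(c) if c.isalpha() else 0 if c.isdigit() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Leading run of non-digit characters is compared character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Numeric run: drop leading zeros; the longer run wins, else the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if (i < len(a) and a[i].isdigit()) or (j < len(b) and b[j].isdigit()):
            return 1 if i < len(a) and a[i].isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 comparing two Debian versions of the form [epoch:]upstream[-revision]."""
    parts = []
    for v in (v1, v2):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)  # a missing epoch means 0
        upstream, dash, revision = rest.rpartition("-")
        parts.append((int(epoch), upstream if dash else revision, revision if dash else ""))
    (e1, u1, r1), (e2, u2, r2) = parts
    c = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)

def is_affected(installed: str, first_fixed: str = "") -> bool:
    """True if installed >= FIRST_AFFECTED and, when first_fixed (placeholder, from the advisory) is given, below it."""
    if compare_versions(installed, FIRST_AFFECTED) < 0:
        return False
    return not first_fixed or compare_versions(installed, first_fixed) < 0
```

On a Debian system the installed version to feed in is the one reported by `dpkg -l openssl`.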
Also keep in mind that any signatures made by compromised keys should be considered untrusted. As such, once you generate your new keys, you should notify anyone for whom you have acted as a signatory, and re-sign with your new material.
Read the official announcement from the Debian team here. There is also a Slashdot discussion you can take part in here.