[Haifux] More information about latest OpenSSL/OpenSSH/OpenVPN vulnerabilities?

Orr Dunkelman orr.dunkelman at gmail.com
Wed May 14 12:09:28 MSD 2008


So apparently, openssl is using noninitialized memory as one source of
randomness. For some obscure reason (probably valgrind's complaints)
this feature was removed from openssl on debian (ubuntu) machines.

An interesting reading, btw.

On Wed, May 14, 2008 at 12:06 AM, Dotan Cohen <dotancohen at gmail.com> wrote:
> 2008/5/14 Tzafrir Rehan <tzafrir.r at gmail.com>:
> > So apparently all keys were produced using the same random seed?
>  >
>  > That's simply mindblowing!
>  >
>  No, but a finite set of random numbers were used to generate the seed.
>  Basically, if you have two sufficiently similar machines you could
>  create a key on one, examine it, and decode a key produced on the
>  other. This is way over simplified, but it illustrates the point.
>  Any machine using a key generated on an affected machine should be
>  considered vulnerable. Not compromised, but vulnerable. Generate new
>  keys (on slackware :)) and get switching.
>  Dotan Cohen
>  http://what-is-what.com
>  http://gibberish.co.il
>  א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>  A: Because it messes up the order in which people normally read text.
>  Q: Why is top-posting such a bad thing?
> _______________________________________________
>  Haifux mailing list
>  Haifux at haifux.org
>  http://hamakor.org.il/cgi-bin/mailman/listinfo/haifux

Orr Dunkelman,
Orr.Dunkelman at gmail.com

"Any human thing supposed to be complete, must for that reason infallibly
be faulty" -- Herman Melville, Moby Dick.

GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3 2023 6CAB 4A7C B73F D0AA
(This key will never sign Emails, only other PGP keys. The key
corresponds to orrd at vipe.technion.ac.il)

More information about the Haifux mailing list