Home My Page Projects GForge Admin
Summary Activity Lists News

Forum: OpenSSL package bug that compromise SSH keys

Posted by: Sebastien Varrette
Date: 2008-05-15 15:30
Summary: OpenSSL package bug that compromise SSH keys
Project: GForge Admin

This project has not yet categorized itself in the Trove Software Map

Content:

A recent vulnerability of the OpenSSL debian package [2] that affect all cryptographic key material generated with the help of OpenSSL have been discovered recently [1].
It is normally a debian-specific vulnerability (ubuntu is also concerned [3]). Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

In all case, if you are running a debian or ubuntu machine, you should definitively update the openssl package and regenerate your SSH keys together with the SSH keys of the host. This have been done on the gforge machine and that's why you may encounter an error message mentionning "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" when you're now trying to connect by SSH or SVN+SSH to the gforge. The solution in that case is to remove the entry of gforge.uni.lu in your file $HOME/.ssh/known_hosts.
Think also to edit your SSH key on the gforge web site under "My Page/Account Maintenance".

[1] : http://lists.debian.org/debian-security-announce/2008/msg00152.html
[2] : http://www.us.debian.org/security/2008/dsa-1571
[3] : http://www.ubuntu.com/usn/usn-612-1
Latest News

Migration to Fusionforge 6

Hyacinthe Cartiaux - 2015-11-12 18:51 -

Migration to Fusionforge 5 !

Hyacinthe Cartiaux - 2011-11-18 15:16 -

Exceptional Platform Maintenance

Sebastien Varrette - 2009-02-24 18:55 -

Power shutdown

Sebastien Varrette - 2009-01-30 17:39 -

Site maintenance

Sebastien Varrette - 2008-12-18 13:35 -
Monitor Forum | Start New Thread Start New Thread