Your message dated Mon, 9 Jun 2008 11:52:20 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#485408: openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade
has caused the Debian Bug report #485408,
regarding openssh-client: ssh-keygen generates COMPROMISED keys after recent upgrade
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
485408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=485408
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openssh-client
Version: 1:4.3p2-9etch2
Severity: grave
Tags: security
Justification: user security hole
ssh-keygen generates COMPROMISED keys after recent upgrade of etch
Example:
$ ssh -V
OpenSSH_4.3p2 Debian-9etch2, OpenSSL 0.9.8e 23 Feb 2007
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 [EMAIL PROTECTED]
$ ssh-vulnkey
....
COMPROMISED: 2048 cf:f1:d8:16:c2:2c:bf:db:de:f0:24:75:95:33:92:e0 /home/urban/.ssh/id_rsa.pub
The following OLDER version of ssh seems NOT to exhibit this problem:
$ ssh -V
OpenSSH_4.3p2 Debian-9etch1, OpenSSL 0.9.8c 05 Sep 2006
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/urban/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/urban/.ssh/id_rsa.
Your public key has been saved in /home/urban/.ssh/id_rsa.pub.
The key fingerprint is:
26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 [EMAIL PROTECTED]
[EMAIL PROTECTED]:~/.ssh$ ssh-vulnkey
....
Not blacklisted: 2048 26:3c:5d:20:96:b6:48:4b:20:80:87:2f:bb:b7:08:51 /home/urban/.ssh/id_rsa.pub
....
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages openssh-client depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.13 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 2.9.cvs.20050518-3 BSD editline and history libraries
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 5.5-5 Shared libraries for terminal hand
ii lib 0.9.8e-4 SSL shared libraries
ii pas 1:4.0.18.1-7 change and administer password and
ii zli 1:1.2.3-13 compression library - runtime
openssh-client recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Mon, Jun 09, 2008 at 09:40:31AM +0000, Urban Braendstroem wrote:
> ssh-keygen generates COMPROMISED keys after recent upgrade of etch
The relevant thing is the version of libssl0.9.8. You have:
> ii lib 0.9.8e-4 SSL shared libraries
It looks like you upgraded to the version from testing or unstable at
some point, but are otherwise still running stable; you haven't been
getting libssl0.9.8 updates for three months. Either downgrade to the
version in stable-security or upgrade to the current version in testing.
Unfortunately it is impractical to add conflicts for this because of the
wide range of versions affected and the numerous fixed branches off
those, in Debian and Ubuntu and quite possibly other Debian-based
distributions.
Regards,
--
Colin Watson [EMAIL PROTECTED]
--- End Message ---
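Colin's diagnosis above turns on package versions: a libssl0.9.8 at 0.9.8e-4 cannot be an etch build (etch's is based on 0.9.8c, as the etch1 `ssh -V` line shows), and since dpkg orders 0.9.8e above every 0.9.8c-based revision, apt will not replace it with the stable-security package on its own. The Python below is an added example, not code from the bug report or from Debian: it ports dpkg's version-ordering rules and flags installed packages whose upstream base is not what stable ships; the `dpkg -l` sample lines are constructed from the versions quoted in the report, and the STABLE_UPSTREAM table is an assumption to extend per release.

```python
import re
from itertools import zip_longest

def _order(c):  # dpkg's character weight: '~' < end/digit < letters < other symbols
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_fragment(a, b):  # compare an upstream or revision fragment dpkg style
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating non-digit / digit runs
    for (sa, da), (sb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return 1 if _order(ca) > _order(cb) else -1
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0

def split_version(v):  # '1:4.3p2-9etch2' -> (1, '4.3p2', '9etch2')
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def dpkg_compare(a, b):  # -1, 0 or 1: the order `dpkg --compare-versions` applies
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Upstream base etch builds libssl0.9.8 from, read off the report's etch1
# `ssh -V` line ("OpenSSL 0.9.8c"). Assumption: extend this per package/release.
STABLE_UPSTREAM = {"libssl0.9.8": "0.9.8c"}

# Constructed `dpkg -l` lines carrying the versions quoted in the report.
DPKG_L_SAMPLE = """\
ii  openssh-client  1:4.3p2-9etch2  secure shell client
ii  libssl0.9.8     0.9.8e-4        SSL shared libraries
"""

def foreign_packages(dpkg_l_text, stable_upstream=STABLE_UPSTREAM):
    # (name, version) of installed packages whose upstream part is not what
    # stable ships: pulled from another suite, so stable-security never reaches it.
    found = []
    for line in dpkg_l_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) >= 3 and parts[0] == "ii" and parts[1] in stable_upstream:
            if split_version(parts[2])[1] != stable_upstream[parts[1]]:
                found.append((parts[1], parts[2]))
    return found
```

Feed it real `dpkg -l` output and a STABLE_UPSTREAM table filled from your release's package list; anything it reports is a package outside the reach of stable-security and needs the downgrade or full upgrade Colin describes.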