
List:       debian-security
Subject:    Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
From:       Dirk-Willem van Gulik <dirkx () webweaving ! org>
Date:       2008-05-19 15:29:02
Message-ID: 269498C9-3C60-4D03-AB3A-D652E8417D95 () webweaving ! org


On May 17, 2008, at 1:34 PM, Matteo Vescovi wrote:
>
>> are there updates for this issue for old stable - sarge?
>
> It was said sarge is not affected,

Bear in mind that you still want blacklist support for the various
tools, not just for the known_hosts and authorized_keys, but also for
people who move their identity files around, generate their web/mail
server's x509 cert (request) on a laptop/off-line prior to moving it
onto the server, and so on*.

Dw.

*: I found about a 1 to 3901 ratio between affected and non-affected
   keys out of about 50k ssh-keys and 21k x509's (using the not yet
   complete lists!) in an environment which is virtually only Windows,
   MacOSX and FreeBSD. I think it is reasonable to assume that this is
   fairly common - hence you want these blacklist tools on a wider
   range of platforms/OS-es.


