From mheck at mines.edu Thu May 1 14:36:25 2008
From: mheck at mines.edu (Martin Heck)
Date: Thu, 01 May 2008 14:36:25 -0600
Subject: LUG: Linux ISOs for various Distros...
Message-ID: <481A29C9.1060308@mines.edu>

http://nineoften.mines.edu/linux

Some of us in AC&N have been keeping this relatively up-to-date (tho I don't have the Ubuntu 8.04 collection up yet)... and just got a go-ahead to have a wider use of it.

Please feel free to reply here with a distro you'd like to see posted (preferably with either a URL or Bittorrent) and we'll see if we can keep it going.

Martin

-- 
---
Martin Heck
Work & School: mheck at mines.edu
Personal: mheck at heck1701.com
Alternate: mrheck at gmail.com
CSM AC&N Server & Application Support x2345
For Computing Support, please open a request at http://helpdesk.mines.edu


From rhicks at Mines.EDU Fri May 16 15:20:00 2008
From: rhicks at Mines.EDU (Robert Hicks)
Date: Fri, 16 May 2008 15:20:00 -0600 (MDT)
Subject: LUG: [CSM-CERT] US-CERT Technical Cyber Security Alert TA08-137A -- Debian/Ubuntu OpenSSL Random Number Generator Vulnerability (fwd)
Message-ID:

Most Ubuntu and Debian users already know about this. What you might not know is that there is a potential that any public keys created by openssl may be weak also. If any of you use public keys, it is best to generate new ones and replace the old, possibly weak, keys stored on whatever machines you access AFTER patching the machine the keys are generated on.

:)

-- 
Robert Hicks
CTLM East Wing Room 256
1650 Arapahoe Street
Academic Computing & Networking
Colorado School of Mines
Golden, CO 80401
For Academic Computing Support, please open a request at: http://helpdesk.Mines.EDU

---------- Forwarded message ----------
Date: Fri, 16 May 2008 14:18:16 -0400
From: CERT Advisory
To: cert-advisory at cert.org
Subject: [CSM-CERT] US-CERT Technical Cyber Security Alert TA08-137A -- Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA08-137A

Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

Original release date: May 16, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Debian, Ubuntu, and Debian-based distributions

Overview

A vulnerability in the OpenSSL package included with the Debian GNU/Linux operating system and its derivatives may cause weak cryptographic keys to be generated. Any package that uses the affected version of SSL could be vulnerable.

I. Description

A vulnerability exists in the random number generator used by the OpenSSL package included with the Debian GNU/Linux, Ubuntu, and other Debian-based operating systems. This vulnerability causes the generated numbers to be predictable. The result of this error is that certain encryption keys are much more common than they should be.

This vulnerability affects cryptographic applications that use keys generated by the flawed versions of the OpenSSL package. Affected keys include, but may not be limited to, SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Any of these keys generated using the affected systems on or after 2006-09-17 may be vulnerable.

Keys generated with GnuPG, GNUTLS, ccrypt, or other encryption utilities that do not use OpenSSL are not vulnerable because these applications use their own random number generators.

II. Impact

A remote, unauthenticated attacker may be able to guess secret key material. The attacker may also be able to gain authenticated access to the system through the affected service or perform man-in-the-middle attacks.

III. Solution

Upgrade

Debian and Ubuntu have released fixed versions of OpenSSL to address this issue. System administrators can use the ssh-vulnkey application to check for compromised or weak SSH keys. After applying updates, clients using weak keys may be refused by servers.

Workaround

Until updates can be applied, administrators and users are encouraged to restrict access to vulnerable servers. Debian- and Ubuntu-based systems can use iptables, iptables configuration tools, or tcp-wrappers to limit access.

IV. References

* DSA-1571-1 openssl - predictable random number generator -
* Debian wiki - SSL keys -
* Ubuntu OpenSSL vulnerability -
* Ubuntu OpenSSH vulnerability -
* Ubuntu OpenVPN vulnerability -
* Ubuntu SSL-cert vulnerability
* Ubuntu OpenSSH update -
* Ubuntu OpenVPN regression -
* OpenVPN regression -

_________________________________________________________________

The most recent version of this document can be found at:

_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA08-137A Feedback VU#925211" in the subject.

_________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .

_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

____________________________________________________________________

Revision History

May 16, 2008: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBSC3OLvRFkHkM87XOAQIY6Qf/RywAJKkMBte71mgV+XKHOFH9yLy+vOGs
HlC35oyfpijFSPI1TyYpN9vvpvfhL8DDDG6/dNBt+u1uVskcurb5Rh1UMmpEEFg0
kVGos6JDD18T6JpfgvEY9k+4iVAGApNirEYRDsKFVRho/3CaJQ6Tdp/jf3NEzmNE
DPgsEA0n825kBd0dr/v3yT5S9wYsn5x9n6OfyHShXVwYPK/V3jEXbU0uZo0Nt7HX
L0FIVTz5tMWIm1LoTsh+GeE0dsnsg/0+qf1jRRq66GQ+3eMGO/wepTbUmqGCXF0s
I+O756V/mDxrPePJRNcpCjtGZCEjtMNJ4fZPQhosxbNVPpvDV5rGlQ==
=93LZ
-----END PGP SIGNATURE-----

_______________________________________________
csm-cert mailing list
csm-cert at mailman.mines.edu
https://mailman.mines.edu/mailman/listinfo/csm-cert
Unsubscribe: csm-cert-unsubscribe at mailman.mines.edu
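The advisory's "III. Solution" section points administrators at ssh-vulnkey to find weak SSH keys, and Robert's note explains why: keys produced by the broken PRNG come from a small, enumerable set, so their fingerprints can be listed in advance and every key found on a host compared against that list. The script below is an added example written for this archive, not code from the thread, from US-CERT or from Debian's ssh-vulnkey; it reimplements that blocklist check for an authorized_keys file in plain Python. The key blobs, the authorized_keys lines and the blocklist contents are all constructed for the demo (Debian shipped the real fingerprint lists in its openssh-blacklist package), and the modulus sizes are far too small for real keys.

```python
"""Flag SSH public keys whose fingerprint appears in a weak-key blocklist.

Added example (not part of the mailing-list thread or of ssh-vulnkey). The
sample keys and the blocklist are constructed for the demo.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Set


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the binary blob that follows 'ssh-rsa' in a public key line."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex MD5 fingerprint, the form the 2008-era lists used."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Return one dict per usable key line; blanks, comments and undecodable lines are skipped.

    Lines may carry leading options (from="...",no-pty), so the key-type token is
    located by scanning rather than assumed to be first. Quoted options containing
    a space are only handled approximately by this demo.
    """
    entries: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for idx, tok in enumerate(fields):
            if not tok.startswith(("ssh-", "ecdsa-", "sk-")) or idx + 1 >= len(fields):
                continue
            try:
                blob = base64.b64decode(fields[idx + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            entries.append({"line": lineno, "type": tok, "blob": blob,
                            "comment": " ".join(fields[idx + 2:])})
            break
    return entries


def find_weak_keys(text: str, blocklist: Set[str]) -> List[Dict[str, object]]:
    """Compare every parsed key's SHA256 fingerprint against the blocklist."""
    hits = []
    for entry in parse_authorized_keys(text):
        fp = fingerprint_sha256(entry["blob"])  # type: ignore[arg-type]
        if fp in blocklist:
            hits.append({"line": entry["line"], "fingerprint": fp,
                         "comment": entry["comment"]})
    return hits


# Constructed sample keys: arbitrary, undersized moduli that only exercise the
# encoding and fingerprint code. They are not real users' keys.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF1122334455667788)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEF0011223344556677889900AABBCCDDEE)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " weak@host",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " ok@host",
    "ssh-rsa not-base64!! broken@host",
])

# Constructed blocklist standing in for the published set of weak-key fingerprints.
WEAK_FINGERPRINTS = {fingerprint_sha256(WEAK_BLOB)}

if __name__ == "__main__":
    for hit in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"line {hit['line']}: {hit['fingerprint']} ({hit['comment']}) is on the blocklist")
```

The check is only as good as the blocklist: it catches keys from the known-bad generator but says nothing about keys that are weak for other reasons, which is why Robert's advice to regenerate and replace keys after patching still applies even when no hits are reported.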