 Post subject: libssl exploit
PostPosted: Wed May 14, 2008 12:02 am 
Joined: Tue Aug 22, 2006 9:11 am
Posts: 127
Location: Perth
It has come to my attention that there is a security issue with libssl0.9.8 in Debian etch.

http://article.gmane.org/gmane.linux.de ... ounce/1614
http://www.securityfocus.com/bid/29179

I can confirm that this is an issue within the Current Release R5F27. For those with boxes available externally and using ssh, as root I suggest doing the following:

Code:
wget http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
wget http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
dpkg -i libssl0.9.8_0.9.8c-4etch3_i386.deb
dpkg -i libssl-dev_0.9.8c-4etch3_i386.deb


Next you will have to regenerate your keys (as updating the package doesn't do this):

Code:
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server


You may get an error the next time you log in to the box using ssh, e.g.:
Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
42:28:ad:36:77:a6:07:58:b8:88:8d:f9:9f:3d:07:3f.
Please contact your system administrator.


That example is from logging in to the box from Linux; just remove the offending key from your known hosts. I'm not sure what the process is for Windows clients. This doesn't affect drive shares etc., just anything to do with SSL.

Also, if you are using passwordless ssh anywhere, you should regenerate those keys (making sure if you've blocked password logins somewhere that you unblock them before doing so, as logging in with a new key afterwards may be a challenge :wink: ).

EDIT: I had to change from using apt to grabbing the packages separately, as the package in apt wasn't quite up to date enough.

_________________
DRM 'manages access' in the same way that jail 'manages freedom.'
_________________
Intel P4 2.6
Intel Desktop Board
2GB DDR400
nVidia 6600GT
Dvico HDTV+
Dvico Dual 4
200GB WD for Swap /boot & /
2x 500GB WD with LVM & XFS for /myth/tv
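The post above tells Linux users to "remove the offending key from your known hosts" after the host keys are regenerated. The example below is an addition to this thread, not code from the original poster or from the distribution: it removes every entry for a given host from an OpenSSH known_hosts file, including entries stored in hashed form (the `|1|salt|hash` lines written when `HashKnownHosts` is on), which a plain search for the hostname will never find. The hostnames, the fixed salt and the key blobs are constructed placeholders, not real keys.

```python
"""Client-side cleanup for the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning.

Removes every entry for a given host from an OpenSSH known_hosts file,
including hashed entries (|1|<salt>|<hmac>), which a grep for the hostname
will not match.
"""
import base64
import hashlib
import hmac


def hashed_field_matches(field, host):
    """True if a '|1|<salt>|<hash>' hosts field was produced from `host`.

    OpenSSH hashes hostnames as base64(HMAC-SHA1(key=salt, msg=hostname)).
    """
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except (ValueError, TypeError):
        return False
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(digest).decode(), parts[3])


def entry_matches(line, host):
    """True if a known_hosts line covers `host` (plain host list or hashed)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    if fields[0].startswith("@"):          # @cert-authority / @revoked markers
        fields = fields[1:]
        if not fields:
            return False
    hosts_field = fields[0]
    if hosts_field.startswith("|1|"):
        return hashed_field_matches(hosts_field, host)
    # Plain entries hold a comma-separated list, e.g. "mythbox,192.168.1.10"
    return host in hosts_field.split(",")


def remove_host(known_hosts_text, host):
    """Split known_hosts content into (kept_text, removed_lines) for `host`."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        (removed if entry_matches(line, host) else kept).append(line)
    kept_text = "\n".join(kept)
    if kept:
        kept_text += "\n"
    return kept_text, removed


def make_hashed_hosts_field(host, salt):
    """Build the '|1|salt|hash' field OpenSSH writes with HashKnownHosts yes."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


# Constructed sample file: hostnames and key blobs are placeholders, not real keys.
# OpenSSH picks a random 20-byte salt per entry; fixed here so the demo is reproducible.
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# hosts seen before the key regeneration",
    "mythbox,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder1",
    make_hashed_hosts_field("mythbox", FIXED_SALT)
    + " ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder2",
    "fileserver ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder3",
]) + "\n"

if __name__ == "__main__":
    new_text, gone = remove_host(SAMPLE_KNOWN_HOSTS, "mythbox")
    print("removed %d entries:" % len(gone))
    for entry in gone:
        print("  " + entry[:60])
    print("remaining file:\n" + new_text)
```

On a real client, `ssh-keygen -R mythbox` does the same job against `~/.ssh/known_hosts`. Either way, the point of the warning is that the client cannot tell a regenerated key from an impostor, so compare the fingerprint shown at the next login with the one printed on the box itself (`ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub`) before accepting it.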
PostPosted: Thu May 15, 2008 9:41 am 
Joined: Thu May 11, 2006 7:42 pm
Posts: 34
Works great, thanks for the instructions.

And interestingly enough, I was able to perform this via SSH remotely, and restarting the SSH server did _not_ disconnect me.
PostPosted: Thu May 15, 2008 3:44 pm 
Joined: Sat Feb 11, 2006 5:26 pm
Posts: 282
Location: Winnipeg - Canada
I also performed these steps while logged in via SSH and was not disconnected at any point during the process.

_________________
Currently Running:
Too lazy to update this with my current hardware, I'll redo it during my next install =)
PostPosted: Thu May 15, 2008 7:18 pm 
Joined: Tue Aug 22, 2006 9:11 am
Posts: 127
Location: Perth
Yeah, that's normal. I did mine from work :P (although my mythbox isn't my gateway, and I had to do 4 other servers as well!)

Glad the instructions were easy enough, I forget I've been working with this stuff for a while now sometimes!!

PostPosted: Fri May 16, 2008 7:36 am 
Joined: Fri Jul 13, 2007 11:21 pm
Posts: 6
Does cecil, or anyone with R5.5 RC, know if it too has the vulnerable OpenSSL package?
PostPosted: Fri May 16, 2008 5:42 pm 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
If it does, it won't for long...
PostPosted: Sun May 18, 2008 11:53 pm 
Joined: Sun Aug 28, 2005 7:07 pm
Posts: 821
Location: Melbourne, Australia
tjc wrote:
If it does, it won't for long...


It's in the list anyway.

Please don't forget to also install the openssh-blacklist package at http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1_all.deb

_________________
*********************
LinHES 7.4
Australian Dragon
*********************
PostPosted: Sun May 25, 2008 12:47 am 
Site Admin
Joined: Fri Sep 19, 2003 6:37 pm
Posts: 2659
Location: Whittier, Ca
Resolved in R5.5...
PostPosted: Tue May 27, 2008 9:40 pm 
Joined: Fri Jul 13, 2007 11:21 pm
Posts: 6
Thanks Cecil for getting this in so late in the dev cycle!
PostPosted: Wed May 28, 2008 4:04 am 
Joined: Wed Mar 26, 2008 10:51 pm
Posts: 9
Location: Fremont, California
Great work, thanks for the instructions.