Re: OpenSSL vulnerability (was: Problem after Debian upgrade)
On Fri, May 16, 2008 at 10:51:01PM +1000, tainaron@xxxxxxxxxxxxxxxx wrote:
> Hi,
>
> Colin wrote:
> > I just upgraded my Debian Testing box which included another python
> > upgrade.
>
> Are you referring to the OpenSSL random number generator vulnerability
> [1] discovered this week?
>
> 1. http://lists.debian.org/debian-security-announce/2008/msg00152.html
>
> Either way, I'd guess this affects mixminion keys as well, so Debian
> node admins should check this out.

Right. The correct response to the OpenSSL rng bug for mixminion
servers is:

  1. If you were never running an affected version of Debian, stop here.
     You're done.

  2. Upgrade. Upgrade at least your openssl.

  3. If your keys were not generated by an affected version of Debian,
     stop here. You're done.

  4. If your identity key was not generated by an affected version of
     Debian, but your current mix keys were, then stop your server, run
     mixminion server DELKEYS, and restart. [This might happen if you
     started your server before the bug was introduced, but you've been
     running bad openssls recently.] Now you're done.

  5. If your identity key was generated by an affected version of
     openssl, you need to become a new server. The easiest way to do
     this is to start again with a new server data directory, new
     ports, a new nickname, and everything. Let me know you're doing
     this, and I'll tell the directory to unrecommend your old server
     and accept your new one.

yrs,
--
Nick