Clint Dilks
2008-May-14 22:20 UTC
[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs
Hi People,

I know this may seem off topic, but I thought that those of us who might have Debian users generating key pairs that they put on CentOS systems should be aware that

everybody who generated a public/private keypair or an SSL cert request on Debian or Ubuntu from 2006 on is vulnerable

http://it.slashdot.org/it/08/05/13/1533212.shtml
Ned Slider
2008-May-14 23:40 UTC
[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs
Clint Dilks wrote:
> Hi People,
>
> I know this may seem off topic, but I thought for those of us who might
> have Debian users generating key pairs that they put on CentOS systems
> people should be aware that
>
> everybody who generated a public/private keypair or an SSL
> cert request on Debian or Ubuntu from 2006 on is vulnerable
>
> http://it.slashdot.org/it/08/05/13/1533212.shtml
>

I've been following this story too after reading about it on the SANS Internet Storm Center: http://isc.sans.org/diary.html?storyid=4414

I wonder how far-reaching this is. One wonders if any of the trusted root CAs have issued vulnerable certs as a result.
Daniel de Kok
2008-May-15 12:19 UTC
[CentOS] OpenSSL/SSH Bug on Debian - Compromised key pairs
On Thu, May 15, 2008 at 12:20 AM, Clint Dilks <clintd at scms.waikato.ac.nz> wrote:
> I know this may seem off topic, but I thought for those of us who might have
> Debian users generating key pairs that they put on CentOS systems people
> should be aware that
>
> everybody who generated a public/private keypair or an SSL
> cert request on Debian or Ubuntu from 2006 on is vulnerable

Yes, it is very important to follow up on this issue as soon as you can (now) to see if any of your keys or those of your users are affected.

Additionally, it should be noted that in the case of *DSA* keys, this can even affect users who do have good keys but used them to communicate with a Debian server with the botched OpenSSL. An explanation of this problem is provided here:

http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths.html

Take care,
Daniel
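The DSA point Daniel raises is worth seeing in code. The example below is an added illustration, not something posted to the thread or taken from the sesse.net write-up or from OpenSSL. It implements textbook DSA over toy-sized parameters generated at import time (64-bit q, about 128-bit p, so it runs offline in well under a second) and uses a constructed stand-in for the broken nonce generator: `weak_nonce()` derives k from nothing but a 15-bit process-id-like value, mimicking a PRNG whose only surviving entropy was the PID. The key pair itself is generated with a good CSPRNG, i.e. it is exactly the "good key" of Daniel's scenario. One signature made with the weak nonce is enough for an attacker to enumerate the 32768 possible nonces and solve `x = (s*k - H(m)) * r^-1 mod q`; the same attack against a signature made with a properly random nonce finds nothing. The parameter generator, the `MAX_PID` constant, the message text and the nonce derivation are all assumptions of this demo, not facts about the real bug.

```python
"""Added demo: a good DSA key is lost after one signature with a predictable nonce.
Toy parameters are generated here so the script runs offline; the attack itself
depends only on the size of the nonce space, not on the key size."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, adequate for a demo; use a vetted library for anything real."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits: int = 64):
    """Return (p, q, g): q prime, q divides p-1, g has order q mod p. Toy sizes."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4000):
            m = (secrets.randbits(qbits) | 1) + 1  # even cofactor, so p is odd
            p = q * m + 1
            if is_probable_prime(p):
                g = pow(2, m, p)  # 2^((p-1)/q): order q unless it collapses to 1
                if g != 1:
                    return p, q, g


P, Q, G = gen_params()


def h(msg: bytes) -> int:
    """Hash into Z_q (SHA-256 reduced mod q; DSA truncates its hash the same way)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    """Properly random key pair: the 'good key' from the thread."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """Textbook DSA. k must be secret and uniform in [1, q-1]; that is the whole point."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, retry with another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r


MAX_PID = 32768  # assumption: the nonce depends on a 15-bit pid-like value and nothing else


def weak_nonce(pid: int) -> int:
    """Constructed stand-in for a PRNG seeded only with the pid: k is a function of pid."""
    d = hashlib.sha256(b"weak-prng-demo" + pid.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1


def recover_private_key(y: int, msg: bytes, sig):
    """Attacker: the signature is public and k has only MAX_PID candidates.
    From s = k^-1 (H(m) + x r) mod q follows x = (s k - H(m)) r^-1 mod q."""
    r, s = sig
    hm, r_inv = h(msg), pow(r, -1, Q)
    for pid in range(MAX_PID):
        k = weak_nonce(pid)
        if pow(G, k, P) % Q != r:
            continue  # this candidate k cannot have produced the observed r
        x = (s * k - hm) * r_inv % Q
        if pow(G, x, P) == y:  # confirm against the public key
            return x
    return None  # nonce not in the weak set: a proper k leaks nothing here


def demo():
    x, y = keygen()
    msg = b"constructed userauth request"
    leaked = sign(x, msg, weak_nonce(4242))              # signed on the broken host
    safe = sign(x, msg, secrets.randbelow(Q - 1) + 1)    # signed on a healthy host
    return {
        "x": x,
        "leaked_verifies": verify(y, msg, leaked),
        "x_from_weak_nonce": recover_private_key(y, msg, leaked),
        "x_from_good_nonce": recover_private_key(y, msg, safe),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the leaked signature verifies perfectly; nothing in the signature betrays that its nonce was predictable, which is why the only safe response for a DSA key that has ever signed on an affected host is to replace it, not merely to check how it was generated.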