Guus Sliepen
2008-May-14 13:06 UTC
Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
Hello, For those who run tinc on Debian or Debian-based distributions like Ubuntu and Knoppix, be advised that the following security issue affects tinc as well: http://www.debian.org/security/2008/dsa-1571 In short, if you generated public/private keypairs for tinc between 2006 and May 7th of 2008 on a machine running Debian or a derivative, they may have been generated without a properly seeded random number generator. Please ensure you have updated your OpenSSL packages and regenerate all suspect keypairs. Do not forget to restart tinc. If you have compiled a static version of tinc on an affected platform, you need to recompile tinc to ensure it is statically linked with a fixed OpenSSL library. I do not know if the session keys also have been weak, but it is best to assume they were. If you exchanged private key material via your tinc VPN, then an eavesdropper may have seen seen this as well. Regenerate any keying material that you have exchanged via your tinc VPN if any of the nodes was running on an affected platform. -- Met vriendelijke groet / with kind regards, Guus Sliepen <guus at tinc-vpn.org> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://www.tinc-vpn.org/pipermail/tinc-devel/attachments/20080514/28360fda/attachment.pgp
sich
2008-May-14 14:37 UTC
Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
Guus Sliepen a ?crit :> Hello, > > For those who run tinc on Debian or Debian-based distributions like > Ubuntu and Knoppix, be advised that the following security issue affects > tinc as well: > > http://www.debian.org/security/2008/dsa-1571 > > In short, if you generated public/private keypairs for tinc between 2006 > and May 7th of 2008 on a machine running Debian or a derivative, they may > have been generated without a properly seeded random number generator. > Please ensure you have updated your OpenSSL packages and regenerate all > suspect keypairs. Do not forget to restart tinc. > > If you have compiled a static version of tinc on an affected platform, > you need to recompile tinc to ensure it is statically linked with a > fixed OpenSSL library. > > I do not know if the session keys also have been weak, but it is best to > assume they were. If you exchanged private key material via your tinc > VPN, then an eavesdropper may have seen seen this as well. Regenerate > any keying material that you have exchanged via your tinc VPN if any of > the nodes was running on an affected platform. >Thanks for this information.... lot of work for me :( Thanks for your job sich
Reasonably Related Threads
- Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
- Support for ECDSA in OpenSSL?
- Better reporting for signature algorithm mismatch?
- OpenSSH private key encryption: time for AES?
- tinc 1.1 - import