Guus Sliepen
2008-May-14 13:06 UTC
Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
Hello,
For those who run tinc on Debian or Debian-based distributions like
Ubuntu and Knoppix, be advised that the following security issue affects
tinc as well:
http://www.debian.org/security/2008/dsa-1571
In short, if you generated public/private keypairs for tinc between 2006
and May 7th of 2008 on a machine running Debian or a derivative, they may
have been generated without a properly seeded random number generator.
Please ensure you have updated your OpenSSL packages and regenerate all
suspect keypairs. Do not forget to restart tinc.
If you have compiled a static version of tinc on an affected platform,
you need to recompile tinc to ensure it is statically linked with a
fixed OpenSSL library.
I do not know if the session keys also have been weak, but it is best to
assume they were. If you exchanged private key material via your tinc
VPN, then an eavesdropper may have seen this as well. Regenerate
any keying material that you have exchanged via your tinc VPN if any of
the nodes was running on an affected platform.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
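As a first triage step for the regeneration advice above, this added example (not part of the original post and not tinc's own code) lists PEM key files under a configuration directory whose modification time falls inside the window the advisory names. Assumptions: the directory is passed by the operator, the window starts on 1 January 2006 because the post gives only the year, and mtime is only a heuristic, since a key copied from an affected machine can carry any timestamp.

```python
import os
import stat
from datetime import datetime, timezone

# Window from the advisory: "between 2006 and May 7th of 2008".
# Assumption: only the year 2006 is given, so the window starts on 1 January.
WINDOW_START = datetime(2006, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2008, 5, 8, tzinfo=timezone.utc)  # exclusive, so May 7th counts


def contains_pem_key(path, limit=65536):
    """True if the first `limit` bytes hold a '-----BEGIN ... KEY-----' PEM header."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(limit)
    except OSError:
        return False  # unreadable file: cannot classify, skip it
    return any(
        line.startswith(b"-----BEGIN ") and line.rstrip().endswith(b"KEY-----")
        for line in data.splitlines()
    )


def suspect_key_files(config_root):
    """Return sorted (path, mtime date) pairs for PEM key files modified in the window."""
    hits = []
    for dirpath, _dirs, files in os.walk(config_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and other non-regular files
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if WINDOW_START <= mtime < WINDOW_END and contains_pem_key(path):
                hits.append((path, mtime.date().isoformat()))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python3 this_script.py <tinc configuration directory>
    for path, day in suspect_key_files(sys.argv[1]):
        print(f"{day}  {path}  -> regenerate this keypair")
```

An empty result does not clear a key: anything generated on an affected platform should still be regenerated regardless of its timestamp.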
sich
2008-May-14 14:37 UTC
Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
Guus Sliepen wrote:
> Hello,
>
> For those who run tinc on Debian or Debian-based distributions like
> Ubuntu and Knoppix, be advised that the following security issue affects
> tinc as well:
>
> http://www.debian.org/security/2008/dsa-1571
>
> In short, if you generated public/private keypairs for tinc between 2006
> and May 7th of 2008 on a machine running Debian or a derivative, they may
> have been generated without a properly seeded random number generator.
> Please ensure you have updated your OpenSSL packages and regenerate all
> suspect keypairs. Do not forget to restart tinc.
>
> If you have compiled a static version of tinc on an affected platform,
> you need to recompile tinc to ensure it is statically linked with a
> fixed OpenSSL library.
>
> I do not know if the session keys also have been weak, but it is best to
> assume they were. If you exchanged private key material via your tinc
> VPN, then an eavesdropper may have seen this as well. Regenerate
> any keying material that you have exchanged via your tinc VPN if any of
> the nodes was running on an affected platform.
>
Thanks for this information.... lot of work for me :(
Thanks for your job
sich