sheepy.org - sheepy goings on...


Debian 'fixes' OpenSSL

cornet — Wed, 2008-05-14 03:51

So it would appear that Debian "fixed" a problem in OpenSSL a few years ago. Unfortunately this "fix" has meant that they have had to release this security announcement.

Now this vulnerability is quite bad, so much so that Debian have stated the following:

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

Ben Laurie has posted a great blog entry on why this is so stupid. This quote from that entry sums the problem up nicely:

Secondly, if you are going to fix bugs, then you should install this maxim of mine firmly in your head: never fix a bug you don’t understand.
