Warning Bill Robinson! There is a serious security flaw in most of our Debian / Ubuntu based servers!!! http://www.ubuntu.com/usn/usn-612-1

== Who is affected ==
Systems which are running any of the following releases:
* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)

Now a question. How can we update/regenerate our OpenSSL/SSH systems/certificates? I myself have just built a nice ISPConfig system with chrooted SSH on Ubuntu 8.04.
1) Install all available SSL related updates from your Linux distribution.
2) Recreate the ISPConfig SSL cert for port 81: http://www.howtoforge.com/forums/showpost.php?p=358&postcount=4
3) Recreate the SSL certs for the websites in ISPConfig by going to the website settings and selecting "Create" as action. Be aware that this will create a new self-signed certificate and you will have to get it signed again by an SSL authority afterwards.
4) Recreate all SSH keys and certs that you use on your system. I don't have the exact steps at hand, but I guess you will find them in current threads that are related to this issue in the Debian and Ubuntu forums.
5) Recreate the SSL certs for Postfix (see the perfect setup guide).
6) Recreate the SSL certs for Courier or Dovecot, if you use SSL encrypted connections.
Does this mean that we will have to purchase new certificates? When logging into my SSL signer, my options are revoke or reissue.
Please NOTE that not only Debian/Debian based systems are affected; any system that is using keys that were generated on a vulnerable system is affected. Given the number of users that use Ubuntu based desktop systems, I am guessing there are a ton of servers and other network devices out there that are now at risk of compromise just because Debian always wants to do their own thing.
Yes, thank you for pointing that out, topdog. A lot of people think that just because their server isn't a Debian based server they don't have anything to worry about. If they made the key on their personal Ubuntu/Debian box they have to re-key it!
Ok, here goes. Ubuntu 8.04. This will upgrade the packages that have newer versions available, and install any new dependencies which are required to do that. It also wanted to reinstall AppArmor. (I removed it afterwards.) You will see a blue screen that says... After this I redid Postfix. Redoing the mail certs you should look up in here. Now I'm wondering if I still have to remake the chrooted SSH I have running here?
The key regeneration as stated with the update does not seem to work; my SSH keys were not recreated, I had to go and create new keys and post them to all servers where my public key is. Right now I think the biggest threat is with SSH, OpenVPN and openswan/freeswan/strongswan keys, as these allow access to networks and devices.
For SSH you can get all the possible RSA (2048) / DSA (1024) keys that could be generated on a vulnerable system here: http://metasploit.com/users/hdm/tools/debian-openssl/ meaning anybody has access to your private key.
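The last two posts are the heart of the problem: the patched OpenSSL seeded its random number generator from the process ID alone, so a vulnerable box could only ever produce a small, enumerable set of keys, and the key sets linked above are exactly that enumeration. The defensive counterpart is what Debian shipped as ssh-vulnkey: hash each public key you find in authorized_keys, known_hosts and the host key files, and look the hash up in a blacklist of every key the broken generator could emit. Below is an added example of that check in plain Python; it is not code from the thread, from ISPConfig, from Debian's tool or from the Metasploit toolkit. The sample keys use toy moduli (not real RSA keys), the blacklist is constructed from one of them so the script runs offline, and the 20-hex-digit blacklist id (lower 80 bits of the SHA-1 of the key blob) is stated from memory of the openssh-blacklist file format, not from the page; a real audit would read /usr/share/ssh/blacklist.RSA-2048 instead.

```python
"""Check OpenSSH public keys against a blacklist of known-weak fingerprints,
the way Debian's ssh-vulnkey does. Added example for this thread: not code
from ISPConfig, Debian, HD Moore's toolkit or the thread's posters. Stdlib only.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (RFC 4251)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:            # a positive mpint must not have its top bit set
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The base64-decoded part of an 'ssh-rsa' line: "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def key_line(blob: bytes, comment: str, prefix: str = "") -> str:
    """Render a blob as an authorized_keys / known_hosts line; `prefix` is the
    optional options field (authorized_keys) or host field (known_hosts)."""
    body = "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment
    return (prefix + " " + body) if prefix else body


def parse_keys(text: str):
    """Yield (keytype, blob, comment) for every key in authorized_keys or
    known_hosts text. The key type is found by name, so a leading options
    field or host field is skipped rather than mis-parsed."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:   # binascii.Error is a ValueError
                    break
                yield field, blob, " ".join(fields[i + 2:])
                break


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format `ssh-keygen -l` printed in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_id(blob: bytes) -> str:
    """Lookup id in the style of Debian's openssh-blacklist files: the lower
    80 bits (last 20 hex digits) of the SHA-1 of the key blob (assumption
    about the file format, stated from memory, not from the thread)."""
    return hashlib.sha1(blob).hexdigest()[-20:]


def load_blacklist(text: str) -> frozenset:
    """One lowercase hex id per line; blank lines and '#' comments ignored."""
    return frozenset(l.strip().lower() for l in text.splitlines()
                     if l.strip() and not l.lstrip().startswith("#"))


def audit(keys_text: str, blacklist: frozenset):
    """Return [(comment, md5 fingerprint, is_weak)] for every key found."""
    return [(comment, md5_fingerprint(blob), blacklist_id(blob) in blacklist)
            for _keytype, blob, comment in parse_keys(keys_text)]


# --- constructed sample input: toy moduli, NOT real RSA keys ------------------
E = 65537
GOOD_BLOB = rsa_public_blob(E, 0xD1A1ED0E57A6B9C3F7)
WEAK_BLOB = rsa_public_blob(E, 0xBADC0DE0DEADBEEF01)
HOST_BLOB = rsa_public_blob(E, 0xFEEDFACE0CAFEBABE3)
SAMPLE_KEYS = "\n".join([
    "# authorized_keys as copied from the ISPConfig box (constructed)",
    key_line(GOOD_BLOB, "admin@laptop"),
    key_line(WEAK_BLOB, "backup@ubuntu-8.04", 'from="10.0.0.5",no-pty'),
    key_line(HOST_BLOB, "mail host key", "mail.example.com"),
])
# Stands in for /usr/share/ssh/blacklist.RSA-2048, which the distro ships
# precomputed for every key the broken PRNG could produce. Here it is
# built from WEAK_BLOB so the example runs offline.
SAMPLE_BLACKLIST = "# constructed blacklist\n" + blacklist_id(WEAK_BLOB) + "\n"


if __name__ == "__main__":
    for comment, fp, weak in audit(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)):
        print("COMPROMISED" if weak else "ok         ", fp, comment)
```

Run it over every authorized_keys, known_hosts and /etc/ssh/ssh_host_*_key.pub you can reach, on every machine and not only the Debian ones, since the point made earlier in the thread is that the key is bad wherever it was generated, not wherever it is used. A hit means the matching private key is in the public key sets and must be replaced and removed from every authorized_keys it was ever added to; a miss only says the key is not in the blacklist you loaded, so a key of a type or size the blacklist does not cover, generated on a vulnerable box, still has to be regenerated.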