List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Raphael Marichez <falco@g.o>
Subject: Re: ssl weak key generation (supposed to effect only debian)
Date: Wed, 21 May 2008 18:37:49 +0200
On Sat, 17 May 2008, Byron wrote:

> It's something of a "lesser of two evils" situation.  In the absence of 
> evidence either way, the only habit that would be worse is assuming that 
> any distribution is not affected, simply because they do not publicly state 
> that they are.  Having said that, it's good to know that apparently Gentoo 
> is not impacted.
>

Hi,

- when a vulnerability has been found inside the package, the package is
vulnerable; it's not claimed to be distro-specific, and by default you
are right in assuming that every distro is affected.

- when a vulnerability has been found in a *distro-specific* patch or
script (or ebuild, or Windows-specific version), the vulnerability is
claimed to reside in the distro scripts, or in the distro patch. So it's
distro-specific.

Each Linux distribution cannot handle every other-distro-specific
vulnerability.  Gentoo sometimes has Gentoo-specific vulnerabilities
[1], and Debian too. Debian does not issue any statement that they are
not affected by a Gentoo-specific vulnerability.  No distro does that.
And there would be a lot of other distributions to monitor [2]... That
would really be a mess.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383

[2]
http://distrowatch.com/dwres.php?resource=major
http://distrowatch.com/dwres.php?resource=cd
http://distrowatch.com/dwres.php?resource=firewalls


http://www.debian.org/security/key-rollover/
"In Debian Security Advisory 1571, the Debian Security Team disclosed a
weakness in the random number generator used by OpenSSL on Debian and its
derivatives."

http://lists.debian.org/debian-security-announce/2008/msg00152.html
"Debian-specific: yes"

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
"OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based
operating systems"

If you are unsure about your provider's advisory, go and see the original
and official advisories (Debian, Mitre CVE), which are very clear. Then
revoke your contract and change provider :)

Furthermore, a weak public RSA key (because it was created by a vulnerable
Debian openssl) that has been uploaded to
gentoo:~foo/.ssh/authorized_keys on a Gentoo system would make this
Gentoo system vulnerable to a trivial remote compromise as soon as the
attacker knows the "foo" user login. We can't simply say "be confident,
you are safe because you are using Gentoo". That would be lying. It
depends on your configuration and consequently that's the responsibility
of root.  There are a lot of similar configuration or user-land
risks, and that's not the purpose of the vulnerability monitoring that
is provided by the GLSA process.

By the way, the gentoo-security@g.o mailing list is obviously the
right place to publicly inform that the Gentoo openssl package is not
vulnerable to CVE-2008-0166. Now that's done, thanks to Peter who
first asked for it.


cheers,
-- 
Raphael Marichez aka Falco
Gentoo Linux Security Team
Attachment:
pgpEw3yPE4Nue.pgp (PGP signature)
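As an added illustration of the authorized_keys point made in the message above (this is example code, not from the list post or from Gentoo's or Debian's own tooling): a defender-side check that parses a user's authorized_keys file and flags any key whose fingerprint appears on a blacklist of known-weak keys. The blacklist here is a constructed set of OpenSSH-style SHA256 fingerprints, not the format of the Debian-published blacklists, and the sample keys are constructed ed25519 blobs, not real keys.

```python
import base64
import hashlib
import shlex
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data

def key_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob (base64, no '=')."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(line):
    """Return (key_type, blob, comment) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        fields = shlex.split(line)        # keeps a leading command="..." option together
    except ValueError:                    # unbalanced quote in a comment etc.
        fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            if blob[4:4 + len(field)] != field.encode():   # blob must name the same type
                return None
            return field, blob, " ".join(fields[i + 2:])
    return None

def find_blacklisted_keys(authorized_keys_text, blacklist):
    """Return (line_no, fingerprint, comment) for each key whose fingerprint is blacklisted."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), start=1):
        parsed = parse_authorized_key(line)
        if parsed is not None and key_fingerprint(parsed[1]) in blacklist:
            hits.append((n, key_fingerprint(parsed[1]), parsed[2]))
    return hits

# Constructed sample data: ed25519 blobs built in wire format, not real keys.
_weak_blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
_good_blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x02" * 32)
WEAK_KEY_FINGERPRINTS = {key_fingerprint(_weak_blob)}   # constructed blacklist
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~foo/.ssh/authorized_keys",
    'command="/usr/bin/rsync" ssh-ed25519 %s foo@laptop' % base64.b64encode(_weak_blob).decode(),
    "ssh-ed25519 %s foo@desktop" % base64.b64encode(_good_blob).decode(),
])
```

Run `find_blacklisted_keys(open(path).read(), blacklist)` over each user's authorized_keys file; a hit means that account accepts a key root should remove regardless of which distro generated it.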
References:
ssl weak key generation (supposed to effect only debian)
-- Peter Schneider-Kamp
Re: ssl weak key generation (supposed to effect only debian)
-- Robert Buchholz
Re: ssl weak key generation (supposed to effect only debian)
-- Byron