List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Byron <negentropy@...>
Subject: Re: ssl weak key generation (supposed to effect only debian)
Date: Sat, 17 May 2008 21:10:56 -0400
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Robert Buchholz wrote:
<blockquote cite="mid:200805171315.07254.rbu@g.o" type="cite">
  <pre wrap="">Hi Peter,

On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">the recently publicized SSL weak key generation for debian-based systems
(c.f. <a class="moz-txt-link-freetext" href="http://www.debian.org/security/key-rollover/">http://www.debian.org/security/key-rollover/</a>)
has lead our university computing center to retract our
Gentoo-generated SSL keys based on an advisory from the German
DFN cert :-(
    </pre>
  </blockquote>
  <pre wrap=""><!---->
I could not find where these advisories are published on their site; I
guess they are not publicly distributed.


  </pre>
  <pre wrap="">To think that any distribution is affected, simply 
because they do not publicly state they are not, is a bad habit. 


  </pre>
</blockquote>
&nbsp;&lt; .......&nbsp; &gt;<br>
<br>
<blockquote cite="mid:200805171315.07254.rbu@g.o" type="cite">
  <pre wrap="">Regards,
Robert // Gentoo Security
  </pre>
</blockquote>
<br>
It's something of a "lesser of two evils" situation.&nbsp; In the absence of
evidence either way, the only habit that would be worse is assuming
that any distribution is not affected, simply because they do not
publicly state that they are.&nbsp; Having said that, it's good to know that
apparently Gentoo is not impacted.<br>
<br>
<br>
<br>
</body>
</html>
Replies:
Re: ssl weak key generation (supposed to effect only debian)
-- Raphael Marichez
References:
ssl weak key generation (supposed to effect only debian)
-- Peter Schneider-Kamp
Re: ssl weak key generation (supposed to effect only debian)
-- Robert Buchholz


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
