Gentoo Archives: gentoo-security

From: Byron <negentropy@×××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] ssl weak key generation (supposed to effect only debian)
Date: Sun, 18 May 2008 01:11:39
Message-Id: 482F8220.7090207@verizon.net
In Reply to: Re: [gentoo-security] ssl weak key generation (supposed to effect only debian) by Robert Buchholz
Robert Buchholz wrote:
> Hi Peter,
>
> On Saturday, 17. May 2008, Peter Schneider-Kamp wrote:
>
>> the recently publicized SSL weak key generation for debian-based systems
>> (cf. http://www.debian.org/security/key-rollover/)
>> has led our university computing center to retract our
>> Gentoo-generated SSL keys based on an advisory from the German
>> DFN cert :-(
>>
>
> I could not find where these advisories are published on their site, I
> guess they are not publicly distributed.
>
>
>
> To think that any distribution is affected, simply
> because they do not publicly state they are not, is a bad habit.
>
>
>
< ....... >

> Regards,
> Robert // Gentoo Security
>

It's something of a "lesser of two evils" situation. In the absence of
evidence either way, the only habit that would be worse is assuming that
any distribution is not affected, simply because they do not publicly
state that they are. Having said that, it's good to know that
apparently Gentoo is not impacted.
