Roger Dingledine | 13 May 17:55

Tor security advisory: Debian flaw causes weak identity keys

SUMMARY:
  This is a critical security announcement.

  A bug in the Debian GNU/Linux distribution's OpenSSL package was
  announced today. This bug would allow an attacker to figure out private
  keys generated by these buggy versions of the OpenSSL library. Thus,
  all private keys generated by affected versions of OpenSSL must be
  considered to be compromised.

  Tor uses OpenSSL, so Tor users and admins need to take action in order
  to remain secure in response to this problem.

  If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
  distribution, first follow the instructions at
    http://lists.debian.org/debian-security-announce/2008/msg00152.html
  to upgrade your OpenSSL package to a safe version. If you're running a
  Tor server or a Tor hidden service, then also follow the instructions
  below to replace your Tor identity keys.

  Also, if you are running Tor 0.2.0.x, you must upgrade to Tor
  0.2.0.26-rc.

WHO IS AFFECTED:
  This advisory applies to Tor 0.2.0.x and/or any Debian/Ubuntu/related
  system running _any_ Tor version. Tor clients and servers that are
  running 0.1.2.x and that are not using Debian/Ubuntu/etc don't need
  to do anything.

  Specific versions affected: All Tor 0.2.0.x development versions up
  through 0.2.0.25-rc, and most Debian/Ubuntu/related users regardless of
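The advisory's own key-replacement steps are not part of this excerpt. As an added illustration of what "replace your Tor identity keys" involves for a relay or hidden service operator (example script, not the advisory's instructions or Tor project code), the function below moves the private key files aside so that Tor generates fresh ones on its next start, after the OpenSSL package has already been upgraded. The file names (`keys/secret_id_key`, `keys/secret_onion_key`, `keys/secret_onion_key.next` under the relay's DataDirectory; `private_key` and `hostname` in a HiddenServiceDir) are assumed from Tor's on-disk layout and do not appear in this excerpt. Keys are moved to a backup directory rather than deleted, so a mistaken run can be reverted; note that a hidden service gets a new .onion address once its key is regenerated.

```shell
#!/bin/sh
# Added example, not part of the advisory: move a Tor relay's or hidden
# service's private key files aside so Tor regenerates them on restart.
# Run only after OpenSSL (and, for 0.2.0.x, Tor itself) has been upgraded,
# and stop Tor before calling this; start it again afterwards.
# File names below are assumed from Tor's DataDirectory/HiddenServiceDir layout.

set -eu

# rotate_tor_keys DIR BACKUP_DIR
#   DIR        a relay DataDirectory or a HiddenServiceDir
#   BACKUP_DIR where the old (assumed-compromised) key files are moved to
# Prints the number of files moved. Nothing is deleted.
rotate_tor_keys() {
    dir=$1
    backup=$2
    mkdir -p "$backup"
    chmod 700 "$backup"          # old keys are still secrets: keep them owner-only
    moved=0
    # Relay identity/onion keys live in DIR/keys; a hidden service keeps its
    # private_key (and the hostname derived from it) directly in DIR.
    for f in keys/secret_id_key keys/secret_onion_key keys/secret_onion_key.next \
             private_key hostname; do
        if [ -f "$dir/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")"
            mv "$dir/$f" "$backup/$f"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Usage: rotate-tor-keys.sh /var/lib/tor /root/tor-old-keys-2008-05-13
# (paths are placeholders; the real DataDirectory is set in torrc)
if [ "$#" -eq 2 ]; then
    n=$(rotate_tor_keys "$1" "$2")
    echo "moved $n key file(s) from $1 to $2; restart Tor to generate new keys"
fi
```

Run it once per relay DataDirectory and once per HiddenServiceDir. After restarting Tor, the relay will publish a new identity fingerprint and any hidden service will have a new hostname, which is exactly the intended effect: the old keys must be treated as compromised.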