OpenVPN announcements

headers James Yonan | 15 May 18:27

OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a 
random number generator that generates predictable numbers, which makes 
it easier for remote attackers to conduct brute force guessing attacks 
against cryptographic keys.   This vulnerability only affects 
Debian-based distributions and does not affect any Red Hat distributions.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166

How this affects OpenVPN:

Any keys which were generated on the vulnerable distributions (Debian, 
Ubuntu, Kubuntu) using openvpn --genkey or the easy-rsa scripts should 
be considered compromised, since the security of each of these 
operations would depend on the quality of the randomness provided by the 
underlying OpenSSL library.  You would want to revoke these keys, and 
rebuild them after having applied the fix.

James

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Mon	Tue	Wed	Thu	Fri	Sat	Sun

			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

1	December 2011
1	July 2011
1	April 2011
2	March 2011
1	December 2010
1	November 2010
1	August 2010
1	December 2009
1	November 2009
1	May 2009
1	September 2008
1	August 2008
1	May 2008
1	January 2008
1	October 2006
2	September 2006
1	April 2006
1	November 2005
2	August 2005
1	April 2005
1	May 2004
1	December 2003
2	November 2003
1	October 2003
1	August 2003
2	July 2003
3	May 2003

OpenSSL vulnerability on Debian-based systems CVE-2008-0166