headers
Guus Sliepen | 14 May 2008 15:06
Gravatar

Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages

Hello,

For those who run tinc on Debian or Debian-based distributions like
Ubuntu and Knoppix, be advised that the following security issue affects
tinc as well:

http://www.debian.org/security/2008/dsa-1571

In short, if you generated public/private keypairs for tinc between 2006
and May 7th of 2008 on a machine running Debian or a derivative, they may
have been generated without a properly seeded random number generator.
Please ensure you have updated your OpenSSL packages and regenerate all
suspect keypairs. Do not forget to restart tinc.

If you have compiled a static version of tinc on an affected platform,
you need to recompile tinc to ensure it is statically linked with a
fixed OpenSSL library.

I do not know if the session keys also have been weak, but it is best to
assume they were. If you exchanged private key material via your tinc
VPN, then an eavesdropper may have seen seen this as well. Regenerate
any keying material that you have exchanged via your tinc VPN if any of
the nodes was running on an affected platform.

--

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus@...>

Hello,
(Continue reading)

Permalink | Reply | 1 comment |

Gmane