Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
sich
sich at cafe-philo.net
Wed May 14 16:37:03 CEST 2008
Guus Sliepen a écrit :
> Hello,
>
> For those who run tinc on Debian or Debian-based distributions like
> Ubuntu and Knoppix, be advised that the following security issue affects
> tinc as well:
>
> http://www.debian.org/security/2008/dsa-1571
>
> In short, if you generated public/private keypairs for tinc between 2006
> and May 7th of 2008 on a machine running Debian or a derivative, they may
> have been generated without a properly seeded random number generator.
> Please ensure you have updated your OpenSSL packages and regenerate all
> suspect keypairs. Do not forget to restart tinc.
>
> If you have compiled a static version of tinc on an affected platform,
> you need to recompile tinc to ensure it is statically linked with a
> fixed OpenSSL library.
>
> I do not know if the session keys also have been weak, but it is best to
> assume they were. If you exchanged private key material via your tinc
> VPN, then an eavesdropper may have seen seen this as well. Regenerate
> any keying material that you have exchanged via your tinc VPN if any of
> the nodes was running on an affected platform.
>
Thanks for this information.... lot of work for me :(
Thanks for your job
sich
More information about the tinc
mailing list