Security Alert: Debian & Ubuntu Linux Weak Encryption Keys

Who: Administrators of Debian & Ubuntu Linux Systems ONLY

What:  Debian & Ubuntu Linux Weak Encryption Keys

When:  May 16, 2008

How:
The OpenSSL package shipped with recent Debian and Ubuntu releases contains a flaw in its random number generator: the process ID is effectively the only entropy that goes into key generation, so every key made with it comes from a small, predictable set that an attacker can enumerate in advance. Computers running Debian or Ubuntu Linux are therefore vulnerable to exploits. Users that connect to Debian or Ubuntu servers via SSH are vulnerable, because the server's host key may be one of the predictable ones. Users that generated cryptographic material, such as SSH keys or SSL certificates, on affected systems are also vulnerable, even if that material has since been copied to other machines. The most serious of these vulnerabilities may allow malicious attackers to gain unauthorized login access (by recovering the private half of a weak SSH key) or to eavesdrop on encrypted communications (by recovering a weak server key).

Note: Computers running Debian Linux 3.1 (sarge) and prior or Ubuntu Linux 6.10 (Edgy Eft) and prior are not affected.

What You Need To Do:

If you use a Debian or Ubuntu Linux system, your system administrator will contact you with necessary actions.

If you suspect your computer has already been compromised, STOP! Read and follow Responding to a Compromised Computer.

If your computer is managed by a Carnegie Mellon departmental computing administrator, please consult that person before making any system changes.

If you administer an affected Debian or Ubuntu Linux system, follow these steps:

  1. Update vulnerable packages.
    Debian 4.0 (etch) or higher
    1. Open a root shell by executing: sudo -s
    2. Upgrade packages by executing: aptitude update && aptitude upgrade
    3. Install the new openssh packages by executing: aptitude dist-upgrade
       (this also installs any new packages the fixed versions depend on, which the previous step may have held back)
    4. When the install prompts to regenerate your OpenSSH host key, choose yes. Clients that cached the old host key will see a "host identification has changed" warning on their next connection, so record the new key's fingerprint (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub) to give to your users.

    Ubuntu 8.04 (Hardy Heron)
    See Ubuntu 8.04 - Keep your software up to date

    Ubuntu 7.10 (Gutsy Gibbon)
    See Ubuntu 7.10 - Keep your software up to date

    Ubuntu 7.04 (Feisty Fawn)
    See Ubuntu 7.04 - Keep your software up to date

  2. Regenerate any cryptographic material generated on, or used on, the affected system, including material that was transferred to other computers (for example, public keys installed in authorized_keys files on other hosts, or SSL certificates issued from a request made on the affected host). Replacing the key is not enough on its own: remove the old public key from every authorized_keys file and known_hosts entry it was installed in, and revoke or reissue any certificate signed over the old key. The updated openssh packages include ssh-vulnkey, which checks SSH keys against a list of known-weak keys (ssh-vulnkey -a checks every user's keys on the system).
    See Debian Wiki - SSLkeys

  3. Notify users of your affected system that they may also need to regenerate cryptographic material, and give them the fingerprint of the new host key. Users whose SSH keys were generated on an affected system will be unable to log in with those keys once the updated server rejects known-weak keys, so tell them to generate new keys and to ask you to replace the entries in their authorized_keys files.
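The following Python is an added illustration, not part of this alert and not the Debian or Ubuntu tooling. It models why keys from an affected system are weak (a generator whose only entropy is the process ID can produce only one key per PID) and how blacklist-based detection of the kind ssh-vulnkey performs works: enumerate every key the broken generator can produce, fingerprint them, and compare. The "keys" are SHA-256 digests standing in for RSA/DSA keys, the key type "toy-key" is made up, and the authorized_keys lines are constructed; only the shape of the problem is real.

```python
"""Toy model of the Debian/Ubuntu weak-key flaw and of blacklist-based detection.

Constructed example: the "keys" here are SHA-256 digests standing in for real
RSA/DSA keys, and the authorized_keys lines are made up. Only the shape of the
problem is real: when the generator's only entropy is the process ID, the set
of possible keys is small enough to enumerate, so weak keys can be recognised
by fingerprint.
"""
import base64
import hashlib
import secrets

PID_MAX = 32768  # Linux default: PIDs 1..32767


def toy_keygen(seed_material: bytes) -> bytes:
    """Stand-in for key generation: derive a 32-byte key from the PRNG seed."""
    return hashlib.sha256(b"toy-key|" + seed_material).digest()


def weak_keygen(pid: int) -> bytes:
    """Model of the broken generator: the PID is the only entropy that goes in."""
    return toy_keygen(pid.to_bytes(2, "big"))


def sound_keygen() -> bytes:
    """Model of a properly seeded generator: 256 bits from the OS CSPRNG."""
    return toy_keygen(secrets.token_bytes(32))


def fingerprint(key: bytes) -> str:
    """MD5 fingerprint in the colon-separated form ssh-keygen -l printed in 2008."""
    digest = hashlib.md5(key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_blacklist() -> set:
    """Enumerate every key the broken generator can produce (one per PID)."""
    return {fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX)}


def is_blacklisted(key: bytes, blacklist: set) -> bool:
    """A key is weak if its fingerprint is among the enumerable ones."""
    return fingerprint(key) in blacklist


def authorized_keys_line(key: bytes, comment: str) -> str:
    """Same three-field layout as authorized_keys; 'toy-key' is a made-up type."""
    return "toy-key " + base64.b64encode(key).decode("ascii") + " " + comment


# Constructed sample: two keys made on an affected box (PIDs 4711 and 31337),
# one made with a sound generator.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    authorized_keys_line(weak_keygen(4711), "alice@etch-box"),
    authorized_keys_line(sound_keygen(), "bob@sarge-box"),
    "",
    authorized_keys_line(weak_keygen(31337), "build@hardy-ci"),
])


def scrub_authorized_keys(text: str, blacklist: set):
    """Split authorized_keys text into (kept, removed) lines.

    Blank lines, comments and unparseable lines are kept untouched; lines whose
    key fingerprint is on the blacklist are removed so the weak key can no
    longer be used to log in.
    """
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            kept.append(line)
            continue
        try:
            key = base64.b64decode(fields[1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            kept.append(line)
            continue
        (removed if is_blacklisted(key, blacklist) else kept).append(line)
    return kept, removed


if __name__ == "__main__":
    blacklist = build_blacklist()
    print(f"{len(blacklist)} possible weak keys (one per PID)")
    kept, removed = scrub_authorized_keys(SAMPLE_AUTHORIZED_KEYS, blacklist)
    for line in removed:
        fields = line.split()
        print("COMPROMISED:", fingerprint(base64.b64decode(fields[1])), fields[-1])
    print(f"kept {len(kept)} lines, removed {len(removed)}")
```

The point of the model is the size of the blacklist: 32767 entries per key type and size is small enough to precompute and distribute, which is exactly why the published checkers could recognise a weak key from its fingerprint alone, and why an attacker can do the same to recover the matching private key.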

Contact:
Please direct any questions or comments to the Computing Services Help Center at x8-HELP (4357) or advisor@andrew.cmu.edu, or to your departmental administrator or DSP consultant.

More Information:
For more technical information, visit the following: