A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
Basically this means that all SSL-Keys need to be regenerated.
We have already updated all our internal systems and virtual machine images, so all virtual machines built after today are already patched.
For older virtual machines, you have to regenerate the SSH-Keys.
For Debian and Ubuntu machines do the following:
Debian:
aptitude update
aptitude upgrade && aptitude dist-upgrade
Ubuntu 7.10 & 8.04:
aptitude update
aptitude safe-upgrade && aptitude full-upgrade
This will download fixed packages and regenerate the SSH Keys for you.
Because we generate all SSH-Keys on Debian bases systems, even for other distributions, you’ll have to update your SSH-Keys on Fedora, CentOS and ArchLinux as well. On these distributions it’s enough to delete the SSH Keys and then restart the SSH daemon:
rm /etc/ssh/ssh_host_[rd]sa_key
/etc/init.d/ssh restart
For further information, please have a look at the following security advisories:
http://www.debian.org/security/2008/dsa-1571
http://www.ubuntu.com/usn/usn-612-1
http://www.ubuntu.com/usn/usn-612-2
http://www.ubuntu.com/usn/usn-612-3
Also:
http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/
http://wiki.debian.org/SSLkeys
