Impact of the Debian OpenSSL Vulnerability on Other Linux Distributions


There was a random number generator vulnerability in the Debian OpenSSL package and in similar packages in derived distributions such as Ubuntu and others. Many of our regular readers would like to know:

Can the bug present in the Debian OpenSSL packages affect Red Hat / FreeBSD / CentOS Linux workstation / server users?

Short answer, yes.

All keys generated using the Debian OpenSSL package must be replaced on other systems too, including FreeBSD / CentOS / RHEL etc., as all such keys are considered compromised. OpenSSL, OpenSSH and OpenVPN are badly affected. For example, if you use an OpenSSH key to get into other Linux / UNIX servers and the key pair was generated with a vulnerable OpenSSL library, you are at risk, as the key can be reproduced easily.

Bottom line: you need to update keys on other boxes too.
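One way to audit a non-Debian box for such keys is to fingerprint every public key in its authorized_keys files and compare the result against a list of known weak-key fingerprints. The sketch below is an added example, not code from the original post; the blocklist format (hex MD5 fingerprints, either full or just the trailing 20 hex digits), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64, hashlib, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # RSA and DSA keys (assumption: the types to audit)

def _decode(b64):
    """Return (embedded key type, raw blob) for a base64 field, or (None, b"") if malformed."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):
        return None, b""
    return (blob[4:4 + n].decode("ascii", "replace"), blob) if 4 + n <= len(blob) else (None, b"")

def md5_fingerprints(text):
    """Yield (line_no, key_type, md5_hex) for each key in authorized_keys-style text."""
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so scan for "<type> <base64 blob>".
        for typ, b64 in zip(tokens, tokens[1:]):
            embedded, blob = _decode(b64) if typ in KEY_TYPES else (None, b"")
            if embedded == typ:  # rejects look-alike text inside options
                yield no, typ, hashlib.md5(blob).hexdigest()
                break

def find_weak(text, blocklist):
    """Return keys whose fingerprint ends with a blocklist entry (full or truncated)."""
    entries = {e.strip().lower() for e in blocklist if len(e.strip()) >= 20}
    return [(no, typ, fp) for no, typ, fp in md5_fingerprints(text)
            if any(fp.endswith(e) for e in entries)]

def _fake_key(typ, seed):
    """Constructed, non-functional key blob for the demo (not a real key)."""
    body = b"".join(struct.pack(">I", len(p)) + p for p in (typ.encode(), b"\x01\x00\x01", seed * 32))
    return base64.b64encode(body).decode()

SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa %s alice@debian-laptop" % _fake_key("ssh-rsa", b"A"),
    'from="10.0.0.*",command="/bin/backup now" ssh-rsa %s backup' % _fake_key("ssh-rsa", b"B"),
    "ssh-rsa not-base64!! broken",
])
# Constructed blocklist: the truncated fingerprint of the first sample key.
SAMPLE_BLOCKLIST = [next(md5_fingerprints(SAMPLE))[2][-20:]]

if __name__ == "__main__":
    for hit in find_weak(SAMPLE, SAMPLE_BLOCKLIST):
        print("line %d: %s %s is on the blocklist, replace it" % hit)
```

To use it on a real system, pass the contents of each user's authorized_keys file to find_weak together with a weak-key fingerprint list obtained separately.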

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

1 comment

  1. 1. Medium issue: SSL Cookie not used (4720)
    2. SSLv3/TLS Renegotiation Stream Injection

    Can anyone tell me how this vulnerability happens?
    Can anyone suggest any open source scanning device which shows these types of vulnerabilities?
