• [USN-612-1] OpenSSL vulnerability
• [USN-612-2] OpenSSH vulnerability
• [USN-612-3] OpenVPN vulnerability
  

I can tell you these are really not funny. They really generate a lot of work indirectly. Annoying but doable are things like regeneration SSH keys. The PITA situation is with OpenVPN, looks like we have the push new keys out to all the clients in a few setups. That really deserves a curse or two.

As a special bonus:

Once the update is applied, weak shared encryption keys and
SSL/TLS certificates will be rejected where possible (though
they cannot be detected in all cases). If you are using such
keys or certificates, OpenVPN will not start and the keys or
certificates will need to be regenerated.

Which means I am happy to read security notices. Just updating might result in a broken setup.

If anybody could give extra information on how weak those keys actually are and how easy they are to crack, I would be delighted. In the meanwhile, looking at the amount of servers, I guess I can schedule a teambuilding event where we can mass regenerate keys.

ps. I can tell you I’m quite happy that our backup machines which use SSH+RSYNC for automatic incremental backups are not vulnerable.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Treenaks notes that the OpenSSL libs are not compatible with the GPL and that GNUTLS has an OpenSSL-compatibility layer (but unfortunately is incomplete).

Too bad people write software which use incompatible libs (license wise).

Ah well.. I succesfully rebuild the package with SSL support. Time for my own repository.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.