Ubuntu
openssl-blacklist package

compromised key database appears incomplete

Bug #232104 reported by solrize
4
Affects Status Importance Assigned to Milestone
openssl-blacklist (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: openssl-blacklist

I have a Asus EEE PC running the stock Xandros distro from about February. It has the compromised openssl as one would expect, and in fact the ssh key I generated on it did get flagged. But when I generate a 1024 bit rsa key on it with "openssl rsa 1024", it does not get flagged. /usr/bin/openssl on that system is 396416 bytes, md5sum is e8f7de2ae3c9dd561183bffef484d0ab. I typed that manually so if there's a slight discrepancy it's just a typing error. I may try to figure out how that openssl was built so that I can rebuild it from source and run it under gdb.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug. The list was incomplete for big endian machines, and this will be addressed in a future update. I am going to mark this bug as incomplete based on your comments.

Changed in openssl-blacklist:
status: New → Incomplete
Jamie Strandboge (jdstrand)
Changed in openssl-blacklist:
status: Incomplete → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-blacklist - 0.3.3+0.4-0ubuntu0.8.04.1

---------------
openssl-blacklist (0.3.3+0.4-0ubuntu0.8.04.1) hardy-security; urgency=low

  * allow checking of certificate requests
  * only check moduli with an exponent of 65537 (the default on Debian/Ubuntu)
  * update gen_certs.sh for when ~/.rnd does not exist when openssl is run
    which can happen with openssl 0.9.8g and higher
  * update gen_certs.sh to use '0' (in case of PID randomization)
  * added more examples
  * only prompt once for password (Closes: #483500)
  * properly cache database reads when bits are same
  * added '-m' and '-b' arguments. This is helpful for applications calling
    openssl-vulnkey when the modulus and bits are known, such as openvpn.
  * man page updates
  * added test.sh
  * added blacklists for when ~/.rnd does not exist when openssl is run
    (LP: #232104)
  * added 512 bit and partial 4096 blacklists (need le64) (LP: #231014)
  * reorganized source databases, and ship the new gen_certs.sh format
  * debian/rules: updated to use new blacklist format and organization
  * create openssl-blacklist-extra package (but don't ship 4096 yet)
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- Jamie Strandboge <email address hidden> Wed, 11 Jun 2008 16:36:27 -0400

Changed in openssl-blacklist:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.