Eric Anholt (![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small} anholt) wrote,@ 2008-05-16 12:51:00 |
|
freedesktop.org mess
EDIT: daniels (the guy doing all the work) posted a good summary of what happened to fd.o to announce@, so I'll quote that:
Hi,
Due to the recent Debian OpenSSL trainwreck[0], we've had to do a fair
bit of housecleaning with regards to authentication.
Firstly, the host keys have been regenerated, as below:
root@fruit:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 1e:81:13:df:b9:68:fc:c2:ec:9d:c3:87:d1:5
root@gabe:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 c1:1a:8a:e5:99:ce:5a:d9:a9:e2:b3:95:67:9
root@kemper:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 95:b5:28:3d:9b:37:55:d4:fc:3d:99:b4:06:9
root@annarchy:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 32:3e:0c:df:0a:c8:a6:33:72:9c:6c:ba:68:5
You'll note that these are RSA-only. DSA is no longer supported, nor is
SSH1.
Secondly, all vulnerable keys (weak RSA keys, RSA1 keys, and DSA keys)
have been removed; anyone who had a vulnerable key will have received an
email from myself at whichever address you had in LDAP, explaining what
happened, and how to fix it[1].
annarchy.fd.o (hosting bugs.fd.o, www.x.org, and others) is still having
major issues, thanks to the Moin 1.6 upgrade being unbelievably painful;
thanks very much to Benjamin Close for somehow dealing with this
godawful upgrade, which is running its load average up to 116, and using
up to 7GB of RAM just to convert a wiki from Moin 1.5 to 1.6.
The snakeoil cert from bugs.fd.o is still vulnerable, and feel free to
distrust it just as much as any other snakeoil cert. We'll be getting a
real cert from CAcert[2] soonish, but regenerating our snakeoil in the
meantime.
Thanks for bearing with us; if it's any consolation, it's not been the
best week for admins.
Cheers,
Daniel
[0]: http://lists.debian.org/debian-secu
[1]: http://www.freedesktop.org/wiki/Account
[2]: http://www.cacert.org -- add its certs to your browser if they
aren't there, and don't forget to let your distribution and/or
browser vendor know.
EDIT: daniels (the guy doing all the work) posted a good summary of what happened to fd.o to announce@, so I'll quote that:
Hi,
Due to the recent Debian OpenSSL trainwreck[0], we've had to do a fair
bit of housecleaning with regards to authentication.
Firstly, the host keys have been regenerated, as below:
root@fruit:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 1e:81:13:df:b9:68:fc:c2:ec:9d:c3:87:d1:5
root@gabe:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 c1:1a:8a:e5:99:ce:5a:d9:a9:e2:b3:95:67:9
root@kemper:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 95:b5:28:3d:9b:37:55:d4:fc:3d:99:b4:06:9
root@annarchy:~% ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
2048 32:3e:0c:df:0a:c8:a6:33:72:9c:6c:ba:68:5
You'll note that these are RSA-only. DSA is no longer supported, nor is
SSH1.
Secondly, all vulnerable keys (weak RSA keys, RSA1 keys, and DSA keys)
have been removed; anyone who had a vulnerable key will have received an
email from myself at whichever address you had in LDAP, explaining what
happened, and how to fix it[1].
annarchy.fd.o (hosting bugs.fd.o, www.x.org, and others) is still having
major issues, thanks to the Moin 1.6 upgrade being unbelievably painful;
thanks very much to Benjamin Close for somehow dealing with this
godawful upgrade, which is running its load average up to 116, and using
up to 7GB of RAM just to convert a wiki from Moin 1.5 to 1.6.
The snakeoil cert from bugs.fd.o is still vulnerable, and feel free to
distrust it just as much as any other snakeoil cert. We'll be getting a
real cert from CAcert[2] soonish, but regenerating our snakeoil in the
meantime.
Thanks for bearing with us; if it's any consolation, it's not been the
best week for admins.
Cheers,
Daniel
[0]: http://lists.debian.org/debian-secu
[1]: http://www.freedesktop.org/wiki/Account
[2]: http://www.cacert.org -- add its certs to your browser if they
aren't there, and don't forget to let your distribution and/or
browser vendor know.
