    Does the Debian SSH vulnerability apply?

    bitmage | # 1 | 2008-05-19, 21:14

    Is the OpenSSH client for the N810 (1:4.7p1-2.maemo2 on mine) affected by the Debian ssl bug?

    johnschl | # 2 | 2008-05-19, 22:21

    I'm trying to determine this as well.

    bitmage | # 3 | 2008-05-20, 20:05

    I contacted the package maintainer and received the following response:

    According to the DSA you mentioned, the first vulnerable version of openssl
    was 0.9.8c-1.
    Fortunately the maemo distro has an older version, 0.9.7e-4. You can see it
    in their pool for the maemo4.0/chinook distro, which is used in the N810:
    http://repository.maemo.org/pool/mae...ree/o/openssl/

    You can also check it on your device with the dpkg -l openssl command.

    So, I think openssh is not affected by this vulnerability.


    The dpkg command didn't work for me, but going into redpill mode allowed me to verify that libssl is 0.9.7e-4.osso2+3sarge3.osso6.

    r2d2rogers | # 4 | 2008-05-20, 20:34

    Everyone who has generated SSH keys from any version of OpenSSH should still check to make sure their keys are not on the blacklist, as any version *could* have used one of those keys randomly. The keys on the list are now considered "weak" because it is known that they occur more frequently, and therefore will be used in brute-force attacks.

    Links to tools can be found on http://metasploit.com/users/hdm/tools/debian-openssl/ among other places.

    Check your keys, check the keys of users on machines you are responsible for, have a better night's sleep.

    -r2
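    For anyone who wants to see what "check your keys against the blacklist" actually does, here is a small Python script as an added example; it is not code from this thread, from the Maemo packages, or from the tools linked above. It assumes the blacklist is a set of MD5 key fingerprints in the colon-separated form that ssh-keygen -l printed on OpenSSH of that era (the real blacklist files and dowkd.pl may store them differently, so treat the format as an assumption), and the key and blacklist it checks are constructed for the demo, not real weak keys. It parses authorized_keys-style lines, rebuilds the fingerprint from the raw key blob, and flags any that are listed.

```python
"""Check OpenSSH public keys against a fingerprint blacklist.

Added example, not code from the thread or the Maemo project. It assumes a
blacklist given as a set of MD5 key fingerprints in the colon-separated form
that `ssh-keygen -l` printed on OpenSSH of that era. The key and blacklist
below are constructed for the demo and are NOT real weak keys.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer (RFC 4251 rules)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:        # leading zero so the value stays positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Build a `ssh-rsa <base64 blob> <comment>` line from e and n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return ("ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)).rstrip()


def md5_fingerprint(blob: bytes) -> str:
    """MD5 over the raw key blob, formatted aa:bb:... like `ssh-keygen -l`."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pubkey_line(line: str):
    """Return (keytype, blob, comment) for one key line, or None if unusable.

    Blank lines, comments and lines whose base64 blob does not carry the
    advertised key type are rejected. Leading authorized_keys options
    (e.g. `no-pty`) are skipped as long as they contain no spaces.
    """
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            break
    else:
        return None
    keytype, b64 = fields[i], fields[i + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        return None
    return keytype, blob, " ".join(fields[i + 2:])


def check_keys(lines, blacklist):
    """Return (fingerprint, comment, is_blacklisted) for every parsable key."""
    results = []
    for line in lines:
        parsed = parse_pubkey_line(line)
        if parsed is None:
            continue
        _keytype, blob, comment = parsed
        fp = md5_fingerprint(blob)
        results.append((fp, comment, fp in blacklist))
    return results


if __name__ == "__main__":
    # Constructed sample: the "modulus" is just a fixed number, not a real key.
    suspect = rsa_pubkey_line(65537, (1 << 1023) | 0x1234567, "user@n810")
    clean = rsa_pubkey_line(65537, (1 << 1023) | 0x7654321, "user@laptop")
    # Constructed blacklist: pretend the first key's fingerprint was listed.
    blacklist = {md5_fingerprint(parse_pubkey_line(suspect)[1])}
    sample = ["# authorized_keys, constructed for the demo", suspect, clean, "garbage"]
    for fp, comment, weak in check_keys(sample, blacklist):
        print("%s  %-12s %s" % (fp, comment, "WEAK - replace it" if weak else "ok"))
```

    To use it on a real machine you would feed it the lines of ~/.ssh/authorized_keys (or each user's) and a set of fingerprints taken from a blacklist source you trust; any line that comes back flagged is a key to revoke and regenerate on a patched system, not just on the tablet.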

    adaviel | # 5 | 2008-05-23, 05:14

    I tried dowkd.pl and it said my key was OK (I *think* I generated it on the tablet). Conversely, I was able to crack a key that dowkd.pl said was weak. BTW, sshd does not log key attempts unless you set LogLevel=verbose.
