Posts: 7 | Thanked: 4 times | Joined on Nov 2005
#1
Is the OpenSSH client for the N810 (1:4.7p1-2.maemo2 on mine) affected by the Debian ssl bug?
 

The Following 3 Users Say Thank You to bitmage For This Useful Post:
Posts: 1 | Thanked: 0 times | Joined on May 2008
#2
I'm trying to determine this as well.
 
Posts: 7 | Thanked: 4 times | Joined on Nov 2005
#3
I contacted the package maintainer and received the following response:

According to the DSA you mentioned, the first vulnerable version of openssl
was 0.9.8c-1.
Fortunately, the maemo distro has an older version, 0.9.7e-4. You can see it
in their pool for the maemo4.0/chinook distro, which is used in the N810:
http://repository.maemo.org/pool/mae...ree/o/openssl/

You can also check it on your device with the dpkg -l openssl command.

So, I think openssh is not affected by this vulnerability.


The dpkg command didn't work for me, but going into redpill mode allowed me to verify that the libssl is 0.9.7e-4.osso2+3sarge3.osso6.
 

The Following User Says Thank You to bitmage For This Useful Post:
r2d2rogers's Avatar
Posts: 14 | Thanked: 5 times | Joined on Aug 2006 @ Monroe, La
#4
Everyone who has generated SSH Keys from any version of OpenSSH should still check to make sure their Keys are not on the blacklist, as any version *could* have used one of those keys randomly. The keys on the list are now considered "weak" because it is known that they occur more frequently, and therefore will be used in brute force attacks.

Links to tools can be found on http://metasploit.com/users/hdm/tools/debian-openssl/ among other places.

Check your keys, check the keys of users on machines you are responsible for, have a better night's sleep.

-r2
__________________
Nokia 770 OS2008HE 2gig Kingston RS-MMC
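
An added example, not part of any post in this thread and not one of the tools linked above: a sketch of the key check recommended in post #4, run over an authorized_keys file. It assumes the blacklist format documented for Debian's ssh-vulnkey (each line is the hex MD5 fingerprint of the public key with colons and the first 12 characters removed); the function names are hypothetical, and the sample keys and blacklist entry are constructed for the demo.

```python
import base64, binascii, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types this sketch looks for

def parse_key_line(line):
    """Return (type, blob, comment) for an authorized_keys/.pub line, else None."""
    # Comment and blank lines yield no fields, so the loop below is skipped.
    fields = [] if line.lstrip().startswith("#") else line.split()
    for i, tok in enumerate(fields[:-1]):  # options may precede the key type
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        # A genuine key blob starts with a length-prefixed copy of its type name.
        if blob.startswith(struct.pack(">I", len(tok)) + tok.encode()):
            return tok, blob, " ".join(fields[i + 2:])
    return None

def load_blacklist(lines):
    """Keep well-formed 20-hex-digit entries; skip comments and anything else."""
    cleaned = (raw.strip().lower() for raw in lines)
    return {s for s in cleaned if len(s) == 20 and set(s) <= set("0123456789abcdef")}

def audit(key_lines, blacklist):
    """Return one record per parseable key, flagged weak if its fingerprint tail is listed."""
    report = []
    for n, line in enumerate(key_lines, 1):
        parsed = parse_key_line(line)
        if parsed:
            fp = hashlib.md5(parsed[1]).hexdigest()  # MD5 is only the lookup format here
            report.append({"line": n, "type": parsed[0], "comment": parsed[2],
                           "md5": fp, "weak": fp[12:] in blacklist})
    return report

def constructed_key(seed):  # fake ssh-rsa blob for the demo, not a usable key
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest() * 4
    return base64.b64encode(blob).decode()

SAMPLE_KEYS = [  # constructed authorized_keys content
    "# constructed sample file",
    "ssh-rsa " + constructed_key(b"alice") + " alice@tablet",
    'command="/bin/true",no-pty ssh-rsa ' + constructed_key(b"bob") + " bob@server",
    "ssh-rsa not-base64!! broken-entry",
]
SAMPLE_BLACKLIST = ["# constructed", audit(SAMPLE_KEYS, set())[1]["md5"][12:]]  # tail of the "bob" key

if __name__ == "__main__":
    print(*audit(SAMPLE_KEYS, load_blacklist(SAMPLE_BLACKLIST)), sep="\n")
```

To audit a real machine, pass the lines of each user's authorized_keys file and the lines of the distribution's blacklist file for the matching key type and size.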
 
Posts: 52 | Thanked: 22 times | Joined on Apr 2008
#5
I tried dowkd.pl and it said my key was OK (I *think* I generated it on the tablet). Conversely, I was able to crack a key that dowkd.pl said was weak. BTW, sshd does not log key attempts unless you set LogLevel=verbose.
 