Debian advisory DSA-1571-1 is quite alarming:
It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.
The problem is that we may have to regenerate a great many keys.
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
To help check whether our keys are weak, a tool will be available for download from:
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc (OpenPGP signature)
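A weak-key check of this kind works by comparing the fingerprint of each public key found on a host against a list of fingerprints of keys the broken PRNG can produce. The script below is an added illustration of that shape of check, not dowkd.pl and not the real blacklist: it parses authorized_keys-style lines (including lines with an options prefix and a trailing comment), computes the colon-separated MD5 fingerprint that ssh-keygen -l printed at the time, and reports the lines whose fingerprint is on the list. The two RSA keys and the blacklist are constructed in the code so that it runs offline; a real check would load the published blacklist instead.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(v: int) -> bytes:
    """SSH wire 'mpint' payload for a non-negative integer (RFC 4251)."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # keep the value positive
    return b


def make_rsa_blob(e: int, n: int) -> bytes:
    """Minimal OpenSSH public-key blob for an 'ssh-rsa' key (RFC 4253)."""
    return ssh_string(b"ssh-rsa") + ssh_string(mpint(e)) + ssh_string(mpint(n))


def parse_pubkey_line(line: str):
    """Return (key_type, blob) for one authorized_keys / id_*.pub line, or None.

    Handles blank lines, '#' comments, an options prefix such as
    'no-pty,from="..."' before the key type, and a trailing comment field.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith("ssh-"):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except (ValueError, base64.binascii.Error):
            return None
        if len(blob) < 4:
            return None
        type_len = struct.unpack(">I", blob[:4])[0]
        # The blob embeds its own type string; it must agree with the text field.
        if blob[4:4 + type_len] == field.encode():
            return field, blob
    return None


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format older ssh-keygen -l printed."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_blacklisted(lines, blacklist):
    """Return [(line_number, key_type, fingerprint)] for keys on the blacklist."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_pubkey_line(line)
        if parsed is None:
            continue
        ktype, blob = parsed
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, ktype, fp))
    return hits


# Constructed sample data (not real keys and not the real blacklist): two tiny
# synthetic RSA public keys, one of which we declare "weak" by putting its
# fingerprint on the list.
WEAK_BLOB = make_rsa_blob(65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF01)
OK_BLOB = make_rsa_blob(65537, 0x0BADF00D0123456789ABCDEF0123456789ABCDEF)

SAMPLE_LINES = [
    "# constructed authorized_keys sample",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " alice@example.org",
    'no-pty,from="10.0.0.0/8" ssh-rsa '
    + base64.b64encode(OK_BLOB).decode() + " bob@example.org",
    "",
]

WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}  # stands in for the real list


def check_sample():
    """Run the check over the constructed sample; expect only line 2 to match."""
    return find_blacklisted(SAMPLE_LINES, WEAK_FINGERPRINTS)


if __name__ == "__main__":
    for lineno, ktype, fp in check_sample():
        print(f"line {lineno}: {ktype} {fp} is on the weak-key list; replace it")
```

Running the same function over every authorized_keys and host key file on a machine, with the published list in place of WEAK_FINGERPRINTS, gives the set of keys that must be regenerated and whose old copies must be removed from every host that trusted them.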
Key rollover instructions for the various packages will be published at:
http://www.debian.org/security/key-rollover/
Users of other distros need not worry, since this problem is specific to Debian. Is Ubuntu affected? I will check shortly.
update 20080513 22:19: Ubuntu is also affected by this problem