Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages

Guus Sliepen guus at tinc-vpn.org
Wed May 14 15:06:42 CEST 2008


Hello,

For those who run tinc on Debian or Debian-based distributions like
Ubuntu and Knoppix, be advised that the following security issue affects
tinc as well:

http://www.debian.org/security/2008/dsa-1571

In short, if you generated public/private keypairs for tinc between 2006
and May 7th of 2008 on a machine running Debian or a derivative, they may
have been generated without a properly seeded random number generator.
Please ensure you have updated your OpenSSL packages and regenerate all
suspect keypairs. Do not forget to restart tinc.

If you have compiled a static version of tinc on an affected platform,
you need to recompile tinc to ensure it is statically linked with a
fixed OpenSSL library.

I do not know if the session keys also have been weak, but it is best to
assume they were. If you exchanged private key material via your tinc
VPN, then an eavesdropper may have seen seen this as well. Regenerate
any keying material that you have exchanged via your tinc VPN if any of
the nodes was running on an affected platform.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://www.tinc-vpn.org/pipermail/tinc/attachments/20080514/28360fda/attachment.pgp 


More information about the tinc mailing list