Alert Number: 051508-01
Alert Date: 05/15/08
Alert Title: Debian and Ubuntu SSH/SSL/DTLS Vulnerabilities
Update-to: None.
OS/Platform/Application:
Debian-based Linux distributions (including Ubuntu)
Category: ALERT
Severity: HIGH
Attention: Administrators of Debian-based Linux Systems.
Summary: Numerous Internet security resources are currently reporting two vulnerabilities in Debian-based Linux systems. One vulnerability affects the Datagram Transport Layer Security (DTLS) protocol and can result in a denial of service condition. The other is a predictability flaw in the OpenSSL package that can produce weak cryptographic key material susceptible to brute-force methods. Updated software packages are available to address these vulnerabilities.
Recommended Actions: System Administrators are strongly encouraged to read the security advisories (links provided below) and to apply the patches ASAP. Additionally, virtually all Internet security resources currently following this issue strongly advise regenerating ALL cryptographic key material, since installing the updated packages does not replace keys that were already generated with the weak package.
ITS Actions: N/A
Resources:
SANS Advisory #1:
http://isc.sans.org/diary.html?storyid=4420
SANS Advisory #2:
http://isc.sans.org/diary.html?storyid=4421
Secunia Advisory:
http://secunia.com/advisories/30220/
FrSIRT Advisory:
http://www.frsirt.com/english/advisories/2008/1536
ZDNet Australia Article:
http://www.zdnet.com.au/news/security/soa/Debian-and-Ubuntu-OpenSSL-generates-useless-crypto-keys/0,130061744,339289012,00.htm
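
Regenerating all key material, as the Recommended Actions advise, starts with finding where it is stored. The script below is an added example, not part of the original alert: it walks a directory tree and lists files containing PEM private keys, certificates or SSH public-key entries so each can be scheduled for regeneration or reissue. The function names, the sample tree and its placeholder key bodies are constructed for illustration; the script matches on file content only and does not test whether a key is weak.

```sh
#!/bin/sh
# Added example (not from the alert): list files that hold key material.
# Output: one "<kind><TAB><path>" line per finding.
inventory_keys() {
    # Skip files of 1 MiB or more; key files are small.
    find "$1" -type f -size -1048576c 2>/dev/null | while IFS= read -r f; do
        # PEM private keys (RSA, DSA, EC, PKCS#8, OpenSSH formats)
        if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf 'private-key\t%s\n' "$f"
        fi
        # X.509 certificates bind a public key, so a new key needs a new cert
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            printf 'certificate\t%s\n' "$f"
        fi
        # SSH public keys: *.pub files, authorized_keys and known_hosts entries
        n=$(grep -c -E '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+' "$f" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf 'ssh-public-keys(%s)\t%s\n' "$n" "$f"
        fi
    done
}

# Constructed sample tree; all key bodies are placeholders, not real keys.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/ssh" "$d/etc/ssl" "$d/home/alice/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/etc/ssh/ssh_host_rsa_key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' '-----BEGIN PRIVATE KEY-----' \
        'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/etc/ssl/server.pem"
    printf '%s\n' 'ssh-rsa AAAAPLACEHOLDER alice@laptop' \
        'command="/bin/true" ssh-dss AAAAPLACEHOLDER backup@host' \
        > "$d/home/alice/.ssh/authorized_keys"
    printf 'no keys here\n' > "$d/etc/motd"
    printf '%s\n' "$d"
}

# Run the inventory over the constructed tree, then clean up.
tree=$(demo_tree) && inventory_keys "$tree" && rm -rf "$tree"
```

On a real host, point `inventory_keys` at directories such as `/etc` and user home directories, and treat every listed file as a candidate for regeneration or reissue.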