Well, seeing as lately my blog is geeking-out over Ubuntu, I may as well add this posting to the list, and it’s a doozy.
If you happen to be a Linux geek running Ubuntu, Debian, or any of the 40+ related distributions, AND you’ve been hiding under a rock for the past 24 hours, then you should know that there’s a HUGE security vulnerability in the OpenSSL package those distributions ship, and by extension in everything that gets its keys from it, including SSH. For the non-geekified: this is the stuff required for “secure” web sites to stay secure, and what people typically use to log into systems remotely without their passwords being freely scattered for any hacker to see and exploit.
The problem? The encryption keys that keep your logins safe and private depend on seemingly-random numbers that the system must generate. Sometime in September 2006, a Debian developer, trying to silence a warning from a memory-debugging tool, removed the code in Debian’s OpenSSL package that feeds fresh entropy into the random number generator (upstream OpenSSL itself was never affected). From then on the only thing seeding the generator was the process ID, so for a given key type, key size and CPU architecture there are only about 32,000 possible keys, one per possible PID. The result? Every SSH key, SSL certificate key or OpenVPN key generated on an affected system since then can be reproduced by an attacker who simply tries every PID, and DSA signatures made on an affected system leak the private key even when that key was generated somewhere safe. The bug is tracked as CVE-2008-0166.
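To make the “one key per PID” point concrete, here is a small model of the failure. This is an added example, not code from the post or from Debian/OpenSSL: the toy key pair (private key = raw generator output, public half = a hash of it) stands in for real RSA/DSA key generation, and the function names (`prng_vulnerable`, `prng_fixed`, `recover_private_key`) are my own. The attacker side simply regenerates the key for every possible PID and compares fingerprints, which is exactly why a 32,767-entry search finishes in seconds instead of the lifetime of the universe.

```python
import hashlib
from typing import Optional, Tuple

# Linux's default pid_max on 2008-era systems gives PIDs 1..32767, so a
# generator seeded by nothing but the PID has at most 32767 distinct states.
PID_MAX = 32768


def _stretch(state: bytes, nbytes: int) -> bytes:
    """Expand a seed into nbytes of output by hash chaining (toy, deterministic)."""
    out = b""
    while len(out) < nbytes:
        state = hashlib.sha256(state).digest()
        out += state
    return out[:nbytes]


def prng_vulnerable(pid: int, nbytes: int = 32) -> bytes:
    """Models the broken Debian generator: with the entropy-mixing code
    removed, the process ID is the only thing in the state, so the output
    is a pure function of pid."""
    return _stretch(pid.to_bytes(4, "little"), nbytes)


def prng_fixed(pid: int, entropy: bytes, nbytes: int = 32) -> bytes:
    """Models the repaired generator: genuine entropy (/dev/urandom and
    friends in real OpenSSL; the caller supplies it here) is mixed in
    alongside the pid, so knowing the pid no longer determines the output."""
    return _stretch(pid.to_bytes(4, "little") + entropy, nbytes)


def keygen(prng_output: bytes) -> Tuple[bytes, str]:
    """Toy key pair: the private key is the raw PRNG output and the public
    half is a fingerprint of it. Real RSA/DSA keygen costs more per attempt
    but is just as deterministic given the same PRNG stream."""
    priv = prng_output
    pub = hashlib.sha256(b"public:" + priv).hexdigest()
    return priv, pub


def recover_private_key(pub_fingerprint: str) -> Optional[bytes]:
    """Attacker's side: regenerate the key for every possible PID and stop
    when the fingerprint matches. Returns the private key, or None if the
    key was not produced by the PID-only generator."""
    for pid in range(1, PID_MAX):
        priv, pub = keygen(prng_vulnerable(pid))
        if pub == pub_fingerprint:
            return priv
    return None


if __name__ == "__main__":
    import os

    victim_pid = 4242  # constructed: whatever PID ssh-keygen happened to get

    priv, pub = keygen(prng_vulnerable(victim_pid))
    assert recover_private_key(pub) == priv
    print("vulnerable generator: private key recovered from the public half "
          "after at most %d tries" % (PID_MAX - 1))

    priv, pub = keygen(prng_fixed(victim_pid, os.urandom(32)))
    assert recover_private_key(pub) is None
    print("fixed generator: key not found anywhere in the PID space")
```

The same enumeration is what the published weak-key blacklists were built from: someone ran the real key generation once per PID, type, size and architecture and stored the fingerprints, so checking a key for weakness is just a lookup.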
Here are the security notices from Debian (here and here), and Ubuntu (here, here and here), the two biggest Linux flavors affected by this security hole. The notices include fixes, and updates are available, but installing the updated packages only repairs the generator going forward. Every key generated on an affected system since September 2006 is still weak and has to be replaced: SSH host keys and user keys, SSL/TLS certificates (re-issue them, don’t just re-sign), OpenVPN keys, and any DSA key that was ever used for signing on an affected box. The updated openssh package ships an ssh-vulnkey tool, and the openssl-blacklist package provides the known-weak fingerprints, so sysadmins can find the bad keys; they also need to purge weak keys from every authorized_keys file they appear in, not just where they were generated.
Of course, there are those aforementioned 40+ other known derivatives of these two major Linux distributions that are probably affected, too: anything that inherited Debian’s OpenSSL package inherited the bug.
And here’s a statement I never really thought I’d find myself saying: if you use Windows, the broken generator itself means nothing to you, because the bug lives in Debian’s OpenSSL package, not in Windows or in upstream OpenSSL. The catch: a weak key is weak wherever it ends up, so if your SSH key pair was generated on an affected Debian or Ubuntu box, or the server you connect to still uses a host key or SSL certificate generated there, you’re exposed just the same.
P.S.: Yes, this server has been patched. 🙂