Debian OpenSSL Vulnerability

May 13, 2008

On May 13, 2008, the Debian project announced that an update to Debian's OpenSSL package made in 2006 contained a vulnerability that weakens the system's random number generator, making SSH and SSL encryption and authentication predictable.

Patch Debian & Use Issuance Insurance

The vulnerability is specific to Debian and does not affect non-Debian operating systems directly. However, a non-Debian system can be affected if it uses cryptographic keys that were generated on an affected Debian system.

Debian has made a patch available; however, the patch only prevents the weakness going forward and does not repair key material that was already generated. Therefore, on Debian systems running OpenSSL version 0.9.ec-1 or later, it is highly recommended to regenerate from scratch any cryptographic key material that was generated with OpenSSL. For additional information on the vulnerability and the patch, please see Debian security advisory DSA-1571-1.

To correct this issue, follow these steps:

1. Download and install the Debian patch provided in the Debian security advisory DSA-1571-1.

2. Replace all affected SSL Certificates. GeoTrust® is providing revocation and replacement of SSL Certificates for a limited time at no charge for those GeoTrust® customers affected by this vulnerability. When generating the new Certificate Signing Request, it is important to ensure the certificate information (Distinguished Name) is identical to the information on the existing certificate.

3. If you have a RapidSSL®, GeoTrust® or Thawte® SSL Certificate, please visit the GeoTrust website to use Issuance Insurance free of charge.

4. If you are unsure whether you are affected, use the weak key detector published by Debian.

Note: Free issuance insurance will only be granted to affected customers.