Zentyal Forum, Linux Small Business Server

News and Announcements => News and Announcements => Topic started by: Javier Amor Garcia on May 20, 2008, 03:02:05 pm

Title: Openssl and Ssh vulnerability
Post by: Javier Amor Garcia on May 20, 2008, 03:02:05 pm
As you may know, a vulnerability has been found in recent openssl and
openssh packages in Debian-based distros:

http://metasploit.com/users/hdm/tools/debian-openssl/

In eBox's case only the Ubuntu-based installations are vulnerable. The
older Debian based ones had a correct openssl version.

You first need to upgrade to the new openssl and ssh packages. You can
use these commands to do so:
  apt-get update
  apt-get install openssl ssh

There are two affected eBox components:
 - eBox HTTPS server certificate
 - eBox CA certificates

- eBox HTTPS server certificate
 You can create a new server certificate by following these steps:
   - sudo rm -rf /var/lib/ebox/conf/ssl*
   - sudo /usr/share/ebox/ebox-create-certificate
   - sudo /etc/init.d/ebox apache restart

    On the next connection to the web interface, your browser will ask
you to accept the new certificate.


- eBox CA certificates
  There is no easy fix here: you will need to go to the web interface
and renew the CA. This will renew the CA's certificates.
If you are using OpenVPN, you will need to distribute the new
certificates, and the current connections will be stopped.



As a last note, I remind you that any openssl or ssh certificate
created on a Ubuntu-based eBox is unsafe and you need to
revoke/renew/delete it.


Cheers,
  Javier
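Added example, not part of Javier's post and not eBox's own code: after running the package upgrade above, a practitioner usually wants a quick inventory of which certificates and keys on the box still date from the broken openssl rather than trusting that the three eBox steps caught everything. The script below walks a set of directories, flags any X.509 certificate whose notBefore date falls inside the period in which the predictable-PRNG openssl shipped in Debian/Ubuntu (CVE-2008-0166; the window 2006-09-17 to 2008-05-13 used here is an assumption and is deliberately a little wide), and runs ssh-vulnkey(1) from the fixed openssh package on SSH key files when it is installed. The directories /var/lib/ebox, /etc/ssl and /etc/ssh given in the usage line are assumptions about where eBox keeps its material; the date check is a heuristic, and the blacklist tools (ssh-vulnkey, openssl-vulnkey) remain the authoritative test.

```shell
#!/bin/sh
# Added audit helper (example code, not from eBox or the original post).
# Checks performed:
#  1. Date heuristic: a certificate whose notBefore lies inside the window
#     in which the broken openssl shipped (assumed 2006-09-17 .. 2008-05-13)
#     was generated with a predictable key on an affected system.
#  2. ssh-vulnkey(1), shipped with the fixed openssh packages, is run on
#     SSH key files when available (the authoritative blacklist check).
#
# Usage: sh audit-weak-keys.sh /var/lib/ebox /etc/ssl /etc/ssh
# (directories are an assumption about the eBox layout)

VULN_START=20060917   # assumed first upload of the broken openssl
VULN_END=20080513     # assumed date of the fixed packages

# to_ymd "May  5 10:00:00 2007 GMT" -> 20070505
# Accepts the format printed by "openssl x509 -startdate" (after the
# "notBefore=" prefix). Returns 1 on an unknown month name.
to_ymd() {
    set -- $1                       # split on whitespace: Mon DD HH:MM:SS YYYY TZ
    mon=$1 day=$2 year=$4
    case $mon in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    [ ${#day} -eq 1 ] && day=0$day  # openssl pads the day with a space, not a zero
    echo "$year$m$day"
}

# in_vuln_window "<openssl date>": exit 0 if the date falls inside the window,
# 1 if outside, 2 if the date could not be parsed.
in_vuln_window() {
    ymd=$(to_ymd "$1") || return 2
    [ "$ymd" -ge "$VULN_START" ] && [ "$ymd" -le "$VULN_END" ]
}

# check_cert FILE: print a verdict for one PEM certificate.
# Returns 0 (ok), 1 (inside the window), 2 (not a readable certificate).
check_cert() {
    nb=$(openssl x509 -noout -startdate -in "$1" 2>/dev/null | sed 's/^notBefore=//')
    if [ -z "$nb" ]; then
        echo "SKIP   $1 (not a readable X.509 certificate)"
        return 2
    fi
    if in_vuln_window "$nb"; then
        echo "WEAK?  $1 (issued $nb, inside the vulnerable window: regenerate)"
        return 1
    fi
    echo "ok     $1 (issued $nb)"
    return 0
}

# check_ssh_key FILE: run ssh-vulnkey on a private key, public key or
# authorized_keys file if the upgraded openssh provides it.
check_ssh_key() {
    if command -v ssh-vulnkey >/dev/null 2>&1; then
        ssh-vulnkey "$1" 2>&1 | sed 's/^/ssh-vulnkey: /'
    else
        echo "SKIP   $1 (ssh-vulnkey not installed: upgrade openssh first)"
    fi
}

# audit DIR...: walk the given directories and report on every file found.
audit() {
    for d in "$@"; do
        find "$d" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.cert' \) 2>/dev/null |
        while read -r f; do check_cert "$f"; done
        find "$d" -type f \( -name 'ssh_host_*_key' -o -name 'ssh_host_*_key.pub' \
                             -o -name 'id_rsa' -o -name 'id_dsa' -o -name 'authorized_keys' \) 2>/dev/null |
        while read -r f; do check_ssh_key "$f"; done
    done
}

# Only walk the filesystem when directories are given on the command line.
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

A certificate flagged WEAK? whose private key was generated on a system that never had the broken package (for example imported from an older Debian-based eBox) is a false positive of the date heuristic; run openssl-vulnkey from the openssl-blacklist package on the key to settle it. Anything generated on an affected Ubuntu-based eBox inside the window has to go, as the post says, regardless of what the CA or OpenVPN configuration looks like.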