posted by janrinok on Wednesday February 18 2015, @10:20AM   Printer-friendly
from the update-now! dept.

A major announcement on the FreeBSD mailing list landed earlier today:

URGENT: RNG broken for last 4 months in the -current branch [...] This means most/all keys generated may be predictable and must be regenerated. This includes, but not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue.

Various security companies and blogs are already reporting duplicate keys spotted in the wild. So, patch your systems!

[Updates: (1) This pertains to the '-current' branch which is not recommended for use on production systems. (2) The statement about "duplicate keys" was in the original submission, but lacks confirmation. If you can confirm/deny, please reply in the comments with a link to the source.]
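The practical check this story calls for, added here as an example and not code from the story, the FreeBSD project or the cited mailing list post: after patching, regenerate any keys made on an affected -CURRENT kernel, and across a fleet look for SSH host keys that are shared between machines. The script below parses OpenSSH known_hosts-style lines (the host, key type and base64 blob fields; it assumes plain hostnames rather than hashed `|1|` entries and ignores marker fields such as `@cert-authority`), computes the same SHA256 fingerprint that `ssh-keygen -l -E sha256` prints (base64 of the SHA-256 of the key blob, padding stripped), and reports any fingerprint seen on more than one host. The hostnames and key bytes are constructed sample data; the ed25519 public keys are not real keys. A hit means hosts share a key, which can come from cloned images just as well as from a broken RNG, so it flags keys to regenerate rather than proving the RNG bug.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores for an ssh-ed25519 key (type string + 32-byte key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -l -E sha256`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host, keytype, blob) from known_hosts-style lines.

    Comment and blank lines are skipped, as are lines whose base64 field does not
    decode. Marker fields (e.g. '@cert-authority') are dropped before parsing.
    Assumption: hostnames are plain, not hashed '|1|...' entries.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts and parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield host, keytype, blob


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted hosts, only for fingerprints seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_known_hosts(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample data: two distinct 32-byte "public keys"; KEY_A is deliberately
# installed on two hosts to model a shared host key. These are not real keys.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not real hosts or keys",
    "host-a.example ssh-ed25519 " + base64.b64encode(ed25519_blob(KEY_A)).decode(),
    "host-b.example ssh-ed25519 " + base64.b64encode(ed25519_blob(KEY_B)).decode(),
    "host-c.example ssh-ed25519 " + base64.b64encode(ed25519_blob(KEY_A)).decode(),
    "broken.example ssh-ed25519 not-base64!!",
])


if __name__ == "__main__":
    shared = find_shared_keys(SAMPLE_KNOWN_HOSTS)
    for fp, hosts in shared.items():
        print(f"{fp} shared by: {', '.join(hosts)}")
```

Run it against a real file with `find_shared_keys(open("/path/to/known_hosts").read())`, or feed it the output of `ssh-keyscan` over your hosts; on a patched machine, `ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_ed25519_key.pub` should print a fingerprint that matches what this computes for the same key.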

  • (Score: 5, Informative) by TheRaven (270) on Wednesday February 18 2015, @11:37AM (#146484)

    First, this is only in -CURRENT, it is not in any release. The pre-built images for -CURRENT come with a warning saying 'don't use this in production'. Bugs happen in -CURRENT, that's why it exists - to allow wider testing before things get merged back into a release.

    Second, a big [citation needed] for the 'Various security companies and blogs are already reporting duplicate keys spotted in the wild' - none of them have reported them to the FreeBSD project or on the project's mailing lists...

    --
    sudo mod me up
  • (Score: 0) by Anonymous Coward on Wednesday February 18 2015, @07:55PM (#146655)


    The second one is somewhat right. Shodan's blog is reporting numerous duplicate keys found in ssh installs. However, that does not appear to be related to this PRNG issue.