Linked by Thom Holwerda on Wed 15th Apr 2009 09:54 UTC
Bugs & Viruses Whenever the Conficker worm comes up here on OSNews (or any other site for that matter) there are always a number of people who point their fingers towards Redmond, stating that it's their fault Conifcker got out. While Microsoft has had some pretty lax responses to security threats in the past, it handled the whole Conficker thing perfectly, releasing a patch even before Conficker existed, and pushing it through Windows Update. In any case, this made me wonder about Linux distributions and security. What if a big security hole pops up in a Linux distribution - who will the Redmond-finger-pointing people hold responsible?
lemur2
Member since:
2007-02-17

When some SSH hole was found, many exploits appeared. I remember that many servers and client computers were exploited.


Link, please.

There was an SSH vulnerability discovered, at one point, I believe it was in Debian, whereby a developer had got "over-zealous" and had "cleaned up" some initialisation code in SSH. This turned out to be the wrong thing to do, because it made the keys less random than they should have been. Because there was no actual error of operation, it took a number of years before this was noticed.

Although many servers and client computers did have this error, I know of not one case where a machine was exploited because of it {EDIT and CORRECTION: see below, more serious breaches than this have occurred at other times, and some systems were compromised}. Remember, all that this error did was reduce the randomness of ssh keys ... meaning that instead of six thousand years for a brute force attack to crack the key, it would instead take only one thousand ... or something like that.

Anyway ... as far as responsibility for fixing it goes ... every single package on Debian has a responsible maintainer.

http://www.debian.org/doc/debian-policy/ch-binary.html#s3.3

So in the case of the ssh package ...

http://packages.debian.org/lenny/openssh-client

... the current package maintainers are:

# Colin Watson
# Matthew Vernon

It is these people who would be responsible for getting a fix for the SSH error(s) for Debian.

Ubuntu and other Debian-based downstream distributions would probably just follow with whatever these people decided would be the fix.

Candidates for fixes to the source code would probably start to arrive from community members within a few hours of a problem such as the ssh error being identified. It would be these two people, for Debian, for the ssh package, who would have the task of evaluating and testing the candidate fixes, and looking for any regressions, and then choosing the best one, and then packaging it as a security update in the repositories.

I'm sure that other distributions would have similar arrangements.

PS: Correcting myself ... it would appear that an SSH hole has appeared more than once.

In 2003

http://www.zdnet.com.au/news/security/soa/SSH-security-glitch-expos...

In 2005

http://www.techworld.com/security/news/index.cfm?newsid=3668

... and possibly other times as well. In 2005 there were cases reported of breaches of some systems.

So fair enough. No software is perfect.

The method of response to such situations is still the same, however. Fixes are normally available within a day or so. Sometimes there is a race between the fix being available and an exploit being ready.

Edited 2009-04-15 11:00 UTC

Reply Parent Score: 5

Surtur Member since:
2009-04-15

There was an SSH vulnerability discovered, at one point, I believe it was in Debian, whereby a developer had got "over-zealous" and had "cleaned up" some initialisation code in SSH. This turned out to be the wrong thing to do, because it made the keys less random than they should have been. Because there was no actual error of operation, it took a number of years before this was noticed.


This is not true. It was not an SSH vulnerability but a problem in OpenSSL which therefore *also* influenced OpenSSH. Here is a link: http://www.metasploit.com/users/hdm/tools/debian-openssl/

Although many servers and client computers did have this error, I know of not one case where a machine was exploited because of it {EDIT and CORRECTION: see below, more serious breaches than this have occurred at other times, and some systems were compromised}. Remember, all that this error did was reduce the randomness of ssh keys ... meaning that instead of six thousand years for a brute force attack to crack the key, it would instead take only one thousand ... or something like that.


All the entropy besides the PIDs (and even those are mainly predictable) was thrown out of OpenSSL. To quote an article from "2600" (Volume Twenty-Five, Number Two, Page 52f), that is 1.9 x 10^-32 fewer keys than before (0.0 thirty-one zeros, 19). To put it in other figures, all the remaining hashes (for one hardware platform) now took 40MB of space instead of 3.7 x 10^32 gigabytes.

But don't get me wrong, I use UNIX-like operating systems and Debian is by far my favorite Linux distribution, even after this incident.

Reply Parent Score: 2
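An added illustration of the point Surtur makes (this is example code written for this page, not the OpenSSL/OpenSSH code or anything from either commenter): when the only input left to the key generator is the process ID, the entire keyspace is small enough to enumerate, which is also why a defender can precompute every possible weak key and check existing keys against that blocklist, as Debian's ssh-vulnkey tool did with the real keys. `toy_keygen`, `PID_MAX` and the sample entropy bytes are constructed stand-ins, not the actual key derivation.

```python
import hashlib

# Toy model of the flaw discussed above: with the other entropy sources removed,
# the generator's output depended only on the process ID. PID_MAX and
# toy_keygen are constructed for this illustration and are NOT real OpenSSL code.
PID_MAX = 32768  # typical Linux pid range at the time: 1 .. 32767


def toy_keygen(pid: int, extra_entropy: bytes = b"") -> bytes:
    """Stand-in key generator: the key depends on the pid plus whatever extra
    entropy is mixed in. With extra_entropy empty (the flawed case) there are
    only PID_MAX - 1 possible keys in total."""
    return hashlib.sha256(pid.to_bytes(4, "big") + extra_entropy).digest()


def fingerprint(key: bytes) -> str:
    """Short fingerprint of a key, as a blocklist would store it."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_weak_fingerprints() -> set:
    """Enumerate the fingerprint of every key the flawed generator can emit.
    This is the defender's blocklist: any key found in it must be replaced."""
    return {fingerprint(toy_keygen(pid)) for pid in range(1, PID_MAX)}


def is_weak(key: bytes, blocklist: set) -> bool:
    """True if the key could only have come from the entropy-starved generator."""
    return fingerprint(key) in blocklist


def demo():
    weak = build_weak_fingerprints()
    flawed_key = toy_keygen(4242)                          # constructed pid, no extra entropy
    good_key = toy_keygen(4242, extra_entropy=b"\x8f\x13" * 16)  # constructed entropy bytes
    blocklist_bytes = sum(len(fp) for fp in weak)          # how small the whole keyspace is
    return len(weak), blocklist_bytes, is_weak(flawed_key, weak), is_weak(good_key, weak)


if __name__ == "__main__":
    n, size, flawed_hit, good_hit = demo()
    print(f"{n} distinct weak keys, blocklist {size} bytes; "
          f"flawed key flagged: {flawed_hit}, good key flagged: {good_hit}")
```

The whole weak keyspace of this toy fits in a few hundred kilobytes, so the check is a set lookup; the same shape of check scales to the real 40MB blocklist Surtur quotes.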