Dear GridPP users, system administrators and Site managers,
Some of you have raised concerns with regard to the Debian/Ubuntu openssl
security flaw, especially regarding the UK eScience Root certificate, which
has unfortunately been affected by the openssl vulnerability. Some of you
pointed out that there is an inconsistency between this security advisory:
http://www.grid-support.ac.uk/content/view/343/184/ and the OSCT alert
(http://cern.ch/osct/alerts/openssl-16-05-2008.txt) with regard to the UK
eScience Root certificate.
The short answer is that there is no inconsistency. The only certificate
affected by the openssl vulnerability is the Root certificate (which is the
root of trust and has issued only ONE certificate, the eScience CA
certificate). The eScience CA certificate (which is the one that signs and
issues users' certificates and host certificates) is *NOT* affected by the
openssl vulnerability; therefore the keypair of the eScience CA certificate is
still valid and safe. A separate security advisory with more detailed
information will be available shortly.
+++++++++++++++++++++++++++++
Please read the information below carefully!
+++++++++++++++++++++++++++++
"What should I do with regard to the UK Root certificate issue specifically,
and the openssl vulnerability generally?"
For UK eScience Root Certificate
========================
--End users:
Please wait for the second security advisory, expected to be released on
Monday 19 May (quick tip: you will need to remove the old UK eScience Root
certificate and eScience CA certificate from your web browser and install
new ones; instructions and links will be included in the second security
advisory).
--Site administrators:
Please follow the instructions in the OSCT alert
(http://cern.ch/osct/alerts/openssl-16-05-2008.txt) to update the IGTF CA
distribution; detailed instructions and CA packages can be found here:
https://www.apgridpma.org/distribution/igtf/current
For Openssl security vulnerability
========================
--Everyone (users, administrators etc.):
If you are running Debian/Ubuntu or other Debian derivatives on your
desktop, laptop or servers, please patch your system immediately. The Debian
patch can be found at: http://www.debian.org/security/2008/dsa-1576
--End users:
Please read this security advisory:
http://www.grid-support.ac.uk/content/view/343/184/ . If you want to
verify your certificates and SSH keys, please use the tools listed below.
If a vulnerable certificate is detected, please report it to your CA
immediately.
--All site administrators:
All system administrators who allow users (or themselves) to access their
servers with SSH public key authentication need to audit those keys to see
whether any of them were created on a vulnerable system. Even systems that do
not use Debian software need to be audited, in case any key in use was
created on a Debian system. At the very least, please audit the root user's
keys.
Please remove any detected vulnerable keys from your system and require the
affected users to regenerate their keys. Please note that it is also VERY
IMPORTANT to audit any *NEW* keys supplied by users/administrators to see
whether they were generated on a vulnerable system.
Tools for checking SSH keys can be found at the following URLs:
http://www.debian.org/security/2008/dsa-1576
http://itsecurity.net/
http://metasploit.com/users/hdm/tools/debian-openssl/
http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist
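As an added illustration of the check the tools above perform on authorized_keys files (this is example code written for this message, not one of the listed tools), the script below parses each key line, fingerprints the decoded key blob and looks the fingerprint up in a blacklist. It assumes the blacklist lines hold the MD5 hex fingerprint with its first 12 hex digits dropped (20 digits per line, the layout this example assumes for ssh-vulnkey-style blacklists); the key blobs and the blacklist are constructed toy data, not real keys.

```python
import base64
import hashlib
import struct


def parse_authorized_keys(text):
    """(line_no, key_type, blob_bytes, comment) per key line; skips blanks, '#' comments and a leading options field."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):  # first token that names a key type
            if tok in ("ssh-rsa", "ssh-dss") and i + 1 < len(tokens):
                entries.append((no, tok, base64.b64decode(tokens[i + 1]),
                                " ".join(tokens[i + 2:])))
                break
    return entries


def fingerprint_fragment(blob):
    """MD5 hex fingerprint of the decoded key blob minus its first 12 hex digits:
    the 20-digit lookup form this example ASSUMES the blacklist file uses."""
    return hashlib.md5(blob).hexdigest()[12:]


def load_blacklist(text):
    return {l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def audit(authorized_keys, blacklist):
    """(line_no, key_type, comment) for every key whose fragment is blacklisted."""
    return [(no, kt, c) for no, kt, blob, c in parse_authorized_keys(authorized_keys)
            if fingerprint_fragment(blob) in blacklist]


def _mpint(n):  # SSH mpint: length prefix, big-endian, leading 0x00 if high bit set
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def toy_rsa_blob(e, n):
    """Constructed ssh-rsa wire blob (type string, e, n) from toy numbers; not a real key."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)


# Constructed sample data: WEAK stands in for a key generated on an unpatched host.
WEAK = toy_rsa_blob(65537, 3233)
GOOD = toy_rsa_blob(65537, 3127)
AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys (constructed sample)",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(WEAK).decode() + " alice@laptop",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " bob@desktop",
])
BLACKLIST = load_blacklist("# constructed blacklist\n" + fingerprint_fragment(WEAK))
```

Running audit(AUTHORIZED_KEYS, BLACKLIST) reports line 2 (alice's key) as blacklisted; with a real blacklist file, each hit is a key to remove and have regenerated on a patched system.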
In addition, another tool has been prepared by Kent E. <kent "at" nsc.liu.se>
to check X.509 certificates. It can be found at the following URL:
http://www.lysator.liu.se/~kent/ob/
Regards,
Mingchao
--------------------------------------------------
Dr Mingchao Ma, CISSP MCSD
Grid Security Officer
UKI Federation Security Coordinator
e-Science Centre
STFC - Rutherford Appleton Laboratory
Chilton, Didcot, OX11 0QX, UK
Tel: +44 (0) 1235 446515 (office)
--------------------------------------------------