<<< Date Index >>>     <<< Thread Index >>>

Re: /home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised



* Asterisk Security Team:

>    +------------------------------------------------------------------------+
>    | Resolution | Since this is not a vulnerability in Asterisk itself but  |
>    |            | in a tool that Asterisk uses, there will be no new        |
>    |            | releases made; however, users who are affected by the     |
>    |            | Debian OpenSSL vulnerability are strongly encouraged to   |
>    |            | upgrade their package of OpenSSL to an uncompromised      |
>    |            | version (version 0.9.8c-4 or later) and regenerate all    |
>    |            | keys used by Asterisk.                                    |
>    +------------------------------------------------------------------------+

Correction: The first fixed version are 0.9.8c-4etch3 (on the
etch/stable branch) and 0.9.8g-9 (for sid/unstable and lenny/testing).
Plain 0.9.8c-4 (and 0.9.8c-4etch1 and 0.9.8c-4etch2) are vulnerable.