[CentOS] Re: [CentOS-announce] Impact of the Debian OpenSSL vulnerability

Fri May 16 16:56:32 UTC 2008
Chris Butler <chrisb at zedcore.com>

[please CC me on replies]

On Thu, May 15, 2008 at 08:08:39PM +0200, Daniel de Kok wrote:
> Questions on how this may affect CentOS users should be directed to
> the CentOS users list. List subscription information is available
> from:

In addition to the fixed OpenSSL packages, Debian also released an update to
OpenSSH that includes a blacklist of the weak keys. With this update, any
connections attempting to authenticate with a weak key are rejected. There's
also a utility which searches through user ~/.ssh directories for
blacklisted keys.

This blacklist would help in securing non-Debian systems as well. Are there
any plans to include this ssh update in CentOS? 

Chris Butler
Zedcore Systems Ltd
UK tel: 0114 238 1828 

We have moved to: Lydgate House, Lydgate Lane, Sheffield S10 5FH
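
Added example, not part of the original message and not Debian's utility: a sketch of the kind of check described above, scanning authorized_keys text for keys whose MD5 fingerprint appears in a blacklist. The blacklist format (a set of full hex MD5 fingerprints), the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2008

def parse_key_line(line):
    """Return (key_type, raw_blob) for an authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue  # still inside leading options such as from="..."
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # The blob starts with a length-prefixed copy of its type name; check it.
        name = field.encode()
        if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
            return field, blob
    return None

def scan_authorized_keys(text, blacklist):
    """Return [(line_no, key_type, md5_hex)] for keys found in the blacklist."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        key_type, blob = parsed
        fingerprint = hashlib.md5(blob).hexdigest()  # classic fingerprint, no colons
        if fingerprint in blacklist:
            hits.append((line_no, key_type, fingerprint))
    return hits

def _blob(filler):
    # Constructed stand-in for a key blob: type header plus filler, not a real key.
    return struct.pack(">I", 7) + b"ssh-rsa" + filler

WEAK, GOOD = _blob(b"\x01" * 32), _blob(b"\x02" * 32)
BLACKLIST = {hashlib.md5(WEAK).hexdigest()}  # constructed, assumed format
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa " + base64.b64encode(GOOD).decode() + " alice@example",
    'from="10.0.0.0/8",no-pty ssh-rsa ' + base64.b64encode(WEAK).decode() + " backup@example",
    "ssh-rsa not-base64!! broken",
])
```

scan_authorized_keys(SAMPLE, BLACKLIST) reports only line 3, the key that follows the from= options; the comment line and the malformed entry are skipped.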