Draft:Debian OpenSSL vulnerability

Review waiting, please be patient. This may take 2 months or more, since drafts are reviewed in no specific order. There are 1,307 pending submissions waiting for review. If the submission is accepted, then this page will be moved into the article space. If the submission is declined, then the reason will be posted here. In the meantime, you can continue to improve this submission by editing normally. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs Reviewer tools Instructions · What links here · Debian OpenSSL vulnerability (talk: + · bio) · (log) · Copyvios report · reFill · Citation Bot · (Search: Google, Wikipedia) · Submitted 90 minutes ago by WinNT4SP6 (talk: D · +) · Last edited 1 second ago by WinNT4SP6

Debian OpenSSL vulnerability (also known as the Debian SSL Bug or CVE-2008-0166^[1]) was a security vulnerability present exclusively in the Debian operating system and its derivatives from 2006 until it was discovered in 2008.^[2][3] The bug affected the random number generator provided by OpenSSL, which was used by multiple software packages for the generation of cryptographic keys and certificates. The bug made it possible to only generate a small number of predictable keypairs.^[4]

The bug was introduced to Debian in April 2006 and accepted into the system a month later.^[2] It was a response to warnings from the Valgrind memory debugger about the use of uninitialized memory, which unbeknownst to the bug team, was used by OpenSSL to gather entropy for its random number generator (RNG). The resulting fix removed practically all sources of randomness from the RNG, with the exception of the PID of the process that requested its output.^[4][5]

As the maximum number of PIDs was restricted at 32,768, only 32,767^[a] (2¹⁵ − 1) unique keys could be generated on the affected systems.^[4][5]

The bug was discovered by Debian developer Luciano Bello and disclosed on 13 May 2008. Security patches correcting the bug were immediately released. The patches only fixed the RNG, they would not fix already existing weak keys, all of which had to be regenerated.^[3][6]

Even though other operating systems were not directly affected, importing vulnerable keys could also put them at risk.^[7]

Operating systems
All Debian-based Linux distributions using certain versions of libssl0.9.8^[8], confirmed examples are:

• Debian version 4.0 (Etch)^[8]
• Ubuntu versions 7.04, 7.10 and 8.04^[7]

Notable examples of software packages

• OpenSSL^[7]
• OpenSSH^[9]
• OpenVPN^[10]
• Tor^[11]

On the 20th anniversary of the bug, security researcher Hanno Böck disclosed that several websites were actively using affected vulnerable keys to sign their emails using DKIM.^[12]

Category:Computer security exploits Category:2008 in computing