Serious SSL vulnerability for Debian/Ubuntu

Debian released this announcement today pertaining to their OpenSSL libraries. It has been determined that a Debian-specific patch to OpenSSL caused it to use a weak and easily determined pseudo-random number generator when creating SSL certificates. This patch was made to fix CVE-2008-0166, but ended up creating a new issue. It was introduced into Debian's testing environment in September 2006, and was moved into their etch release. It does not impact their earlier sarge release.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

These issues have been fixed in Debian's 0.9.8c-4etch3 and 0.9.8g-9 versions, and updating is recommended. Any keys created using the older versions should be treated as compromised and must be recreated. Any old sessions encrypted with these compromised keys can still be compromised and should be re-encrypted using new keys.
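An added example, not part of the original announcement or of Debian's tooling: a Python check that classifies an installed openssl package version against the two fixed versions named above, reimplementing dpkg's version ordering so it can run over inventory data on any host. The helper names and sample versions are assumptions, and because the announcement does not give the first affected version, anything older than the fix outside sarge is flagged.

```python
import re
from itertools import zip_longest

# Fixed package versions as given in the announcement text above.
FIXED_ETCH, FIXED_OTHER = "0.9.8c-4etch3", "0.9.8g-9"

def _order(ch):
    """dpkg character weight: '~' sorts first, then letters, then other symbols."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string the way dpkg does."""
    chunks = lambda s: re.findall(r"([^0-9]*)([0-9]*)", s)
    for (sa, na), (sb, nb) in zip_longest(chunks(a), chunks(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb):        # non-digit run, char by char
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)        # digit run, compared numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision] into its three fields."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def openssl_status(installed):
    """Classify an installed openssl package version (hypothetical helper)."""
    revision = _split(installed)[2]
    if "sarge" in revision:
        return "unaffected-release"    # the announcement says sarge is not impacted
    fixed = FIXED_ETCH if "etch" in revision else FIXED_OTHER
    return "fixed" if compare(installed, fixed) >= 0 else "update-and-rekey"

if __name__ == "__main__":
    # Constructed sample versions, not taken from a real inventory.
    for v in ("0.9.8c-4etch1", "0.9.8c-4etch3", "0.9.8g-8", "0.9.8g-9"):
        print(v, openssl_status(v))
```

A result of `fixed` describes only the package: keys generated before the update still have to be recreated.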