Am I or is Comodo affected by the OpenSSL vulnerability in Debian reported May 13, 2008?
Intended Audience: Web hosts, web server administrators, technical personnel responsible for generating CSRs and installing SSL certificates on web servers.
On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. Details can be found here:
Please note that this vulnerability does not affect ComodoCA or our PKI infrastructure in any way. The vulnerability affects the way PRIVATE keys are generated, a process which occurs on your systems.
If your CSR was
# Generated since 2006-09-17
# Generated with Etch, Lenny or Sid (Sarge is not vulnerable)
# Generated using 'openssl', 'ssh-keygen', or 'openvpn --keygen' (GnuPG and GnuTLS are not affected)
then you should:
# Generate a new CSR and key pair.
# Log in to your Comodo account, click SSL Certificate(s), and use the option to 'Replace' your certificate (a window will open for you to copy and paste your new CSR).
# Download and install your new certificate.
# Revoke your replaced certificate.
A complete list of Debian based distributions can be found here:
To see what version of a Debian based distribution you are running, you can use one of the following commands:
$ lsb_release -d -s -c
$ cat /etc/lsb-release
To see what version of openssl is installed, use the command:
$ openssl version -v -d -p
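The following shell functions are an added example, not part of the original article or of any Comodo or Debian tool: they list PEM private key files whose modification time falls on or after 2006-09-17 and test a release codename against the affected list above. The function names are hypothetical, and file modification time is assumed to approximate the generation date (copying or restoring a file can change it), so the output only narrows down which keys to examine.

```shell
#!/bin/sh
# Added triage example: first-pass inventory of key files that fall inside
# the affected window described in this article. Function names are
# hypothetical; this is not a weak-key detector.

# Succeeds if the codename (for example the output of `lsb_release -s -c`
# on the system where the key was generated) is one the article lists as
# affected. Sarge and anything else returns non-zero.
affected_release() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        etch|lenny|sid) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints, one per line and sorted, the files under directory $1 that
# contain a PEM private key header and were last modified on or after
# 2006-09-17 (local time). Assumption: mtime approximates generation date.
keys_in_window() {
    dir=$1
    ref=$(mktemp) || return 1
    # Reference file stamped with the last second before the window opens;
    # `find -newer` then selects strictly later modification times.
    touch -t 200609162359.59 "$ref"
    find "$dir" -type f -newer "$ref" \
        -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + | sort
    rm -f "$ref"
}

# When run as a script with a directory argument, print the candidates.
if [ "$#" -gt 0 ]; then
    keys_in_window "$1"
fi
```

Every file it lists is a candidate for the replacement steps above if it was generated on an affected release with one of the affected tools.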
A detector for known weak key material has been published here:
There is a wiki with detailed information on upgrading software here:
Please Note: ComodoCA is not affiliated in any direct way with the Debian Project.