Debian, the popular Linux distribution, has just been shown to have made an all-time stupid security goof-up. They managed to change OpenSSL in their distribution so that it had no security to speak of. Good job guys!
OpenSSL makes it possible to use SSL (Secure Socket Layer) and TLS (Transport Layer Security) on Linux, Unix, Windows and many other operating systems. It also incorporates a general-purpose cryptography library. OpenSSL is used not only in operating systems, but in numerous vital applications, such as security for Apache Web servers and security appliances from companies like Check Point and Cisco. Yeah, in other words, if you do anything requiring network security on Linux, chances are good that OpenSSL is being called in to help.
Now, OpenSSL itself is still fine. What's anything but fine is any Linux, or Linux-powered device, that's based on Debian's libssl 0.9.8c-1 code, released September 17th 2006, up until version libssl 0.9.8, released on May 13th. That includes the most popular Linux of all: Ubuntu.
Words almost fail me on just how stupid this self-inflicted Debian wound is. Almost, but I manage to spit some out on my Practical Technology site. You can read that later. Here's what's important: here's how to fix the Debian OpenSSL hole.
The fix for Debian 4.0 Etch and its development builds (the unstable distribution, Sid, and the testing distribution, Lenny) is now available from the Debian site. Ubuntu, which is based on Debian, also has fixes for the hole. In Ubuntu, the versions that need patches are Ubuntu 7.04, Feisty; Ubuntu 7.10, Gutsy; the just-released Ubuntu 8.04 LTS, Hardy; and the developer builds of Ubuntu Intrepid Ibex.
Debian has also opened a site explaining how to roll over your insecure keys to new, sound ones once you've installed the corrected software. You must perform the rollover: installing the patched packages alone does not replace keys that were already generated by the broken code, so otherwise you'll continue to use the old, vulnerable keys.
Other Linuxes based on Debian or Ubuntu, such as MEPIS and Mint, are also vulnerable. MEPIS users can get the updated software by running their usual update routine; since MEPIS includes Debian's security patches by default, that should do the trick. Mint, which is based on Ubuntu, can also be made safe by upgrading the system.
The most up-to-date and comprehensive technical discussion of fixing these problems can be found in the Debian OpenSSL Wiki. I highly recommend that anyone dealing with this problem on mission-critical systems carefully read the information on that site.
If you have a firewall appliance or other device that you think may contain the broken code, I recommend that you check in with your vendor as soon as possible to see if they have a fix.
Finally, don't put off fixing this problem. Cracker tools that will let any idiot break into your Debian system are already in circulation.