2 posts total
hanno

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166? 16years.secvuln.info/

Leif Davisson

@hanno Possible you could check the DNS records for entries that haven't been modified since 2008.

Would you rather have an email from someone that has no DKIM or a DKIM from 2007?

StrawberryPuding

@hanno@mastodon.social I'm using one of the email providers mentioned - oh no

hanno

Given that I see calls for better support for those random opensource devs that happen to maintain some of the most important pieces of software on the planet: a good friend of mine is maintaining expat - possibly the most important+popular xml library out there - and he has a message in his latest changelog that you may want to read: github.com/libexpat/libexpat/b
