hi florian


Florian Heigl schrieb:
> Hi,
> 
> as most are probably aware debian had a little "Oops" concerning
> openssl 
> (http://wiki.debian.org/SSLkeys#head-49a0007d742a0fcc4742d630456fecc08016fbb8).
> unfortunately there is no mention of Bacula in their wiki so far.

another thing is, that the debian package doesn't ship anymore with 
openssl support because of licesing issues.

> 
> Does anyone know if
> - one should bother redoing the Bacula SD/DIR/FD/Console pass strings?
> (they're done using openssl, and so far i thought they look quite
> random
> - someone already made scripts for regenerating the SSL/TLS keys for
> people that use this for bacula
> - people who used SD encryption might want to migrate / re-encrypt as
> this might (i dont know!) be more susceptible for the weakness
> 
> Reading the "backupbox" sections advice
> "start from scratch, destroying all trace of the backed up data, and
> take other measures to mitigate the exposure of your secrets" I feel
> there might be reason to worry.

as far as i read about this security update on debian, there is only a 
"small" amount of different keys or this guy sais key is dependent of 
the process id 
(http://chdir.org/~nico//blog/posts/Pire_que_je_croyais.../). With a 
workstation you will be able to compute all the possible keys.

so yes, regenerate all your keys and somehow reencrypt the data if 
you're in need of the encryption security.

- Thomas


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users