{"id":124,"date":"2008-05-15T23:09:42","date_gmt":"2008-05-15T21:09:42","guid":{"rendered":"http:\/\/michauko.org\/blog\/?p=124"},"modified":"2009-10-08T15:19:32","modified_gmt":"2009-10-08T13:19:32","slug":"a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives","status":"publish","type":"post","link":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/","title":{"rendered":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s"},"content":{"rendered":"

L’histoire en quelques mots<\/h1>\n

Bon, je poste un peu apr\u00e8s tout le monde sur le sujet. Mais c’est histoire de faire part de 2\/3 remarques. A voir les news post\u00e9es un peu partout, j’ai l’impression de revivre la naissance de \u00ab\u00a0Blaster\u00a0\u00bb sous Windows : grande ampleur alors que la correction existait et beaucoup d\u00e9couvrent\/d\u00e9couvraient \u00e7a tardivement sans trop savoir quoi faire.
\nBon ici, il ne s’agit que de rectifier avant qu’une faille soit exploitable. Mais c’est extr\u00eamement pr\u00e9occupant.
\nEt le pire, c’est que contrairement \u00e0 beaucoup de failles, le probl\u00e8me r\u00e9side dans les \u00ab\u00a0clefs de cryptage\u00a0\u00bb que vous utilisez (qui vous sont propres), pas dans l’outil en lui-m\u00eame. Donc appliquer les patchs constitue seulement 1% de la solution.<\/strong> (dans le cas o\u00f9 vos clefs ont \u00e9t\u00e9 g\u00e9n\u00e9r\u00e9es, disons, entre hier et y’a 2 ans… c’est large)<\/p>\n

Point de d\u00e9part de l’information<\/h1>\n

Si vous d\u00e9couvrez seulement maintenant le sujet et que vous g\u00e9rez des Debian ou Ubuntu ou d\u00e9riv\u00e9s, c’est grave, lisez vite les \u00ab\u00a0security advisory\u00a0\u00bb de openssl<\/a> et de openssh<\/a> publi\u00e9 le lendemain. Ce sont les seules sources fiables, comme point de d\u00e9part.
\nSi \u00e7a vous gonfle car c’est en anglais, parce-que personne n’en voudrait \u00e0 votre pseudo-serveur etc, alors arr\u00eatez tout de suite de \u00ab\u00a0g\u00e9rer\u00a0\u00bb un serveur…
\nLe wiki de Debian<\/a> r\u00e9sume bien tous les services qui peuvent \u00eatre impact\u00e9s et donnent les op\u00e9rations \u00e0 faire. A commencer par OpenSSH (tout le monde l’a celui-l\u00e0)<\/p>\n

Donc, pour cette fois, et pour les suivantes, faites ceci :<\/p>\n

Pour bien r\u00e9agir la prochaine fois :<\/h1>\n

Inscrivez-vous sur la mailing-list de securit\u00e9 Debian<\/h2>\n

Inscrivez-vous soit par l’interface web<\/a>, soit en envoyant un mail \u00e0 debian-security-announce-REQUEST@lists.debian.org avec sujet subscribe et en confirmant une fois le 1er de retour re\u00e7u).
\nOptez pour celle appel\u00e9e \u00ab\u00a0debian-security-announce\u00a0\u00bb, pas n\u00e9cessairement \u00ab\u00a0debian-security\u00a0\u00bb qui est plut\u00f4t une chat-room non mod\u00e9r\u00e9e \ud83d\ude09
\n=> Ainsi, vous serez au courant au bon moment avec les bonnes infos, plut\u00f4t que des \u00ab\u00a0on dit\u00a0\u00bb incomplets sur des forums.
\nSi vous n’\u00eates pas en Debian, \u00e7a vaut quand m\u00eame. Il doit y avoir l’\u00e9quivalent sur Ubuntu et autres d\u00e9riv\u00e9s.<\/p>\n

Lisez les alertes \u00e0 t\u00eate repos\u00e9e et faites ce qui est demand\u00e9<\/h2>\n

Par exemple, dans celle d’OpenSSL dit notamment une toute petite phrase : \u00ab\u00a0We recommend that you upgrade your openssl package and subsequently regenerate any cryptographic material<\/strong>, as outlined above.\u00a0\u00bb
\n=> Cette toute petite phrase veut simplement dire qu’il faut reg\u00e9n\u00e9rer TOUT ce qui a trait \u00e0 la crypto. Donc tous vos certificats pour vos protocoles s\u00e9curis\u00e9s, notamment SSH, HTTPS, POP3S, IMAPS, SSMTP etc. Sans parler des known_hosts et authorized_keys. En gros, si vous g\u00e9rez un paquet de serveurs, \u00e7a va juste vous pourrir un bon paquet d’heures. Mais c’est obligatoire.<\/strong><\/p>\n

Le mot de la fin<\/h1>\n

Voilou, c’\u00e9tait histoire de clarifier la situation vu ce qu’on peut lire comme info incompl\u00e8te sur cette faille. Le classique \"apt-get update ; apt-get upgrade\"<\/code> du matin ne suffit pas !
\nJ’ai eu envie de faire cet article quand je pense aux h\u00e9bergeurs qui proposent des serveurs \u00e0 pas cher, avec environ 97% d’admin archi-d\u00e9butant-pas-s\u00e9rieux. Je me ferais du souci \u00e0 leur place. Surtout si un exploit est r\u00e9v\u00e9l\u00e9 !
\nFaites que le mien ne bloque pas le trafic SSH en cas d’exploit r\u00e9v\u00e9l\u00e9 (si si, mon h\u00e9bergeur l’a propos\u00e9, arg !)…. ce serait un bordel sans nom.<\/p>\n","protected":false},"excerpt":{"rendered":"

L’histoire en quelques mots Bon, je poste un peu apr\u00e8s tout le monde sur le sujet. Mais c’est histoire de faire part de 2\/3 remarques. A voir les news post\u00e9es un peu partout, j’ai l’impression …<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,82,389,83],"tags":[571,198,158,197,573],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-debian","category-pl","category-reseau-secu","category-ubuntu","tag-debian","tag-faille","tag-openssh","tag-openssl","tag-ubuntu"],"yoast_head":"\nA propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko\" \/>\n<meta property=\"og:description\" content=\"L’histoire en quelques mots Bon, je poste un peu apr\u00e8s tout le monde sur le sujet. Mais c’est histoire de faire part de 2\/3 remarques. A voir les news post\u00e9es un peu partout, j’ai l’impression …\" \/>\n<meta property=\"og:url\" content=\"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/\" \/>\n<meta property=\"og:site_name\" content=\"Le blog de Michauko\" \/>\n<meta property=\"article:published_time\" content=\"2008-05-15T21:09:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2009-10-08T13:19:32+00:00\" \/>\n<meta name=\"author\" content=\"michauko\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"michauko\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/\"},\"author\":{\"name\":\"michauko\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\"},\"headline\":\"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s\",\"datePublished\":\"2008-05-15T21:09:42+00:00\",\"dateModified\":\"2009-10-08T13:19:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/\"},\"wordCount\":621,\"commentCount\":0,\"keywords\":[\"Debian\",\"faille\",\"OpenSSH\",\"openssl\",\"Ubuntu\"],\"articleSection\":[\"Debian\",\"planet-libre.org\",\"reseau et s\u00e9cu\",\"Ubuntu\"],\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/\",\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/\",\"name\":\"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#website\"},\"datePublished\":\"2008-05-15T21:09:42+00:00\",\"dateModified\":\"2009-10-08T13:19:32+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/michauko.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/\",\"name\":\"Le blog de Michauko\",\"description\":\"Si tu ne comprends pas le titre de l'article, passe ton chemin\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/michauko.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\",\"name\":\"michauko\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"caption\":\"michauko\"},\"sameAs\":[\"http:\\\/\\\/michauko.org\\\/\"],\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/author\\\/randomized2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/","og_locale":"fr_FR","og_type":"article","og_title":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko","og_description":"L’histoire en quelques mots Bon, je poste un peu apr\u00e8s tout le monde sur le sujet. Mais c’est histoire de faire part de 2\/3 remarques. A voir les news post\u00e9es un peu partout, j’ai l’impression …","og_url":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/","og_site_name":"Le blog de Michauko","article_published_time":"2008-05-15T21:09:42+00:00","article_modified_time":"2009-10-08T13:19:32+00:00","author":"michauko","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"michauko","Dur\u00e9e de lecture estim\u00e9e":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/#article","isPartOf":{"@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/"},"author":{"name":"michauko","@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9"},"headline":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s","datePublished":"2008-05-15T21:09:42+00:00","dateModified":"2009-10-08T13:19:32+00:00","mainEntityOfPage":{"@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/"},"wordCount":621,"commentCount":0,"keywords":["Debian","faille","OpenSSH","openssl","Ubuntu"],"articleSection":["Debian","planet-libre.org","reseau et s\u00e9cu","Ubuntu"],"inLanguage":"fr-FR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/","url":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/","name":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s - Le blog de Michauko","isPartOf":{"@id":"https:\/\/michauko.org\/blog\/#website"},"datePublished":"2008-05-15T21:09:42+00:00","dateModified":"2009-10-08T13:19:32+00:00","author":{"@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9"},"breadcrumb":{"@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/michauko.org\/blog\/a-propos-de-la-fameuse-faille-openssl-sur-debian-et-derives-124\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/michauko.org\/blog\/"},{"@type":"ListItem","position":2,"name":"A propos de la fameuse faille OpenSSL sur Debian et d\u00e9riv\u00e9s"}]},{"@type":"WebSite","@id":"https:\/\/michauko.org\/blog\/#website","url":"https:\/\/michauko.org\/blog\/","name":"Le blog de Michauko","description":"Si tu ne comprends pas le titre de l'article, passe ton chemin","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/michauko.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9","name":"michauko","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","caption":"michauko"},"sameAs":["http:\/\/michauko.org\/"],"url":"https:\/\/michauko.org\/blog\/author\/randomized2\/"}]}},"_links":{"self":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":1,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"predecessor-version":[{"id":776,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/124\/revisions\/776"}],"wp:attachment":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}