On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman@gmail.com> wrote:
... if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following:
updated list with env suggestion: a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by ENGINE_register_all_complete() to unregister rdrand as default c.) set OPENSSL_ia32cap="~0x4000000000000000" in global environment (this is poor fix) d.) git pull latest openssl with commit: "Don't use rdrand engine as default unless explicitly requested." - Dr. Stephen Henson "what is affected??" - someone sorry, i am not your distro maintainer. but the list includes, potentially (depending on configure opts / runtime / etc): RHEL 6.5, 7.0 Centos 6.5 Fedora 18,19,rawhide Ubuntu 12.04, 12.10, 13.04, 13.10, trusty Debian 7.0, jessie, sid Gentoo stable&unstable Knoppix 7.0.5, 7.2.0 Kali 1.0.5 Slackware 14, 14.1, current ... if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+. (remember both ssh client and server may use engines!) and other libs, like: M2Crypto libpam-sshagent-auth encfs ... which appear to use OpenSSL default engines. but really, you should go check your shit. best regards, P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0* or 0.9.8* in any distros i'd like to know about it!