Did Red Hat use the broken OpenSSL random seed patch, CVE-2008-0166?

No. CVE-2008-0166 was the result of a non-standard third-party patch to the OpenSSL library. This patch was applied only to Debian-derived distributions and does not affect any product Red Hat ships, or any upstream version of OpenSSL.

As the full impact of this flaw is not completely understood, it is suggested that if a vulnerable system was used to generate cryptographic data, such as key generation or data encryption with a private key, the data and keys should be treated as compromised. Even when using a known safe system, if a private key was generated or used on a vulnerable system, the result may be easily guessable cryptographic data that could lead to the recovery of cryptographic keys. Steps should be taken to regenerate your cryptographic keys on a non-vulnerable system.
