Dan Jones's Blog

Debian OpenSSH vulnerability

By Dan Jones in Reader

Posted in Debian, Linux on May 15, 2008 at 11:53 am


Any Debian user, please note the recent security advisory, apply it immediately, and then look at this link to find out what you need to do next:

The vulnerability is in the crypto (OpenSSL) library and causes keys generated on a Debian system to be eminently predictable. This site has generated keys and fingerprints for every key it is actually possible to create using the bug. This means it is HIGHLY likely, in my opinion, that hackers or a worm may start using this soon. They also say they may be making an auto-exploit tool; the site linked above quotes: “In the near future, this site will be updated to include a brute force tool that can be used to quickly gain access to any SSH account that allows public key authentication using a vulnerable key”.

Basically, the problem exists if you allow identities/logins to be asserted via a public key (an entry in the authorized_keys file), i.e. login with no password. You can guess the first port of attack will be root@your-box, so if you allow remote root logins via key on Debian, please be careful.

Pretty critical bug, but as always a great response from Debian and the community on this. Other Debian-based distributions have not been confirmed vulnerable at this time (and may not be found to be, if they did not merge the faulty code into their distributions). Update, according to another blog: any SSH or SSL keys generated on all Debian-derived systems corresponding to “Debian Etch and later” are affected; for Ubuntu, this means Feisty 7.04, Gutsy 7.10 and Hardy 8.04.

Hope this helps someone avoid getting hacked or hit by a worm. The links above have more technical detail; I just want to get the word out about just HOW important this is if you use keys on Debian/Ubuntu.

Further update: note that on my personal machine I just spotted this update didn’t apply until I ran a dist-upgrade. A simple check that it’s on is to run ssh-vulnkey on your box as root. If the program exists on Debian, the patch is applied already. If not, it’s not (as ssh-vulnkey was introduced with the patch).
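To make concrete what the fingerprint list and the ssh-vulnkey check above are doing, here is an added example (my own illustration, not Debian's ssh-vulnkey and not code from the advisory or the linked site). It parses authorized_keys lines (including the optional leading options field such as from="…",no-pty), computes the MD5 fingerprint of each key blob as ssh-keygen -l printed it at the time, and reports every entry whose fingerprint is on a blacklist. The two keys, the authorized_keys text and the blacklist are all constructed inline so it runs offline; real ssh-vulnkey consults the per-key-size blacklist files shipped with the fixed packages, which this simplification does not reproduce.

```python
import base64
import hashlib
import struct

# Key types that existed on a 2008-era OpenSSH box; ed25519/ecdsa came later.
KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, leading zero if top bit set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_key_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253 layout)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5 of the key blob, the fingerprint format used by the blacklists."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_authorized_keys_line(line: str):
    """Return (key_type, blob_bytes, comment) for one authorized_keys line, or None.

    Blank lines and '#' comments yield None. A leading options field is skipped by
    scanning for the first token that names a known key type. (An option whose quoted
    value contains a key type name would confuse this simple scanner.)
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return field, blob, " ".join(fields[i + 2:])
    return None


def find_blacklisted_keys(authorized_keys_text: str, blacklist: set) -> list:
    """Return (line_number, fingerprint, comment) for every key whose fingerprint is blacklisted."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        _key_type, blob, comment = parsed
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((lineno, fp, comment))
    return hits


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed sample keys: NOT real keys, tiny moduli chosen only so the example runs.
GOOD_KEY_BLOB = build_rsa_public_key_blob(65537, 0xC0FFEE1234567890ABCDEF0123456789)
VULN_KEY_BLOB = build_rsa_public_key_blob(65537, 0xDEADBEEF0123456789ABCDEF00000001)

# Constructed authorized_keys contents (a comment, a blank line, an entry with options, a plain entry).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~root/.ssh/authorized_keys for the example",
    "",
    'from="192.0.2.10",no-pty ssh-rsa ' + _b64(GOOD_KEY_BLOB) + " admin@example (fine)",
    "ssh-rsa " + _b64(VULN_KEY_BLOB) + " backup@example (generated on a vulnerable box)",
])

# Constructed blacklist: stands in for the fingerprint lists the advisory talks about.
BLACKLIST = {md5_fingerprint(VULN_KEY_BLOB)}


if __name__ == "__main__":
    for lineno, fp, comment in find_blacklisted_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: blacklisted key {fp} ({comment})")
```

On a real box the input would be each user's authorized_keys (root's first, given the remote-root point above) and the blacklist would be the fingerprints published for the affected key sizes; any hit is a key to remove and regenerate on a patched system.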
