GitKraken flaw lead to the generation of weak SSH keys

Git GUI client GitKraken team fixed a flaw that lead to the generation of weak SSH keys, users are recommended to revoke and renew their keys.

The development team behind the Git GUI client GitKraken has fixed a vulnerability that was leading to the generation of weak SSH keys. The developers addressed the flaw with the release of version 8.0.1.

The issue resides in the open-source library used by the Git GUI client to generate SSH keys, all the keys generated using versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken are potentially affected.

The latest version of the Git GUI client (version 8.0.1) uses a new SSH key generation library.

“This issue only affects GitKraken users who generated SSH keys through the GitKraken interface using versions 7.6.x, 7.7.x,  8.0.0. If you are not sure what version you used to generate your SSH key, we encourage you to renew your key through the following process.” reads the advisory.

“Affected users need to:

  1. Remove all old generated SSH keys stored locally. 

  2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.“

The development team already notified the Git hosting service providers GitHub, Bitbucket, GitLab, and Azure DevOps, they also revoked the weak public keys used.

The development team is not aware of any accounts being compromised due to this weakness.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SSH Git Repositories)

[adrotate banner=”5″]

[adrotate banner=”13″]