Re: Are OpenSSL bugs related to OpenSSH ?

From: net@wsf.at
Date: 07/31/02 

Date: Wed, 31 Jul 2002 11:27:32 -0000
To: "Simon ***" <simond@irrelevant.org>, "Adrian Penisoara" <ady@freebsd.ady.ro>
From: <net@wsf.at>

Simon *** <simond@irrelevant.org> schrieb:

> On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > Hi,
> >
> > Though I think that the recent OpenSSL buffer overflows don't imply
> > that OpenSSH is vulnerable, could someone please confirm this ?
>
> OpenSSH is linked against OpenSSL, so it's a possibility that it could
> be vulnerable, but unless you have ssh statically linked then updating
> your openssl version will fix any problems.
>

Hi Simon,

I think this is only true if your version of ssh/sshd was already
built with a recent version of OpenSSL (libcrypto.so.3). If your
ssh uses libcrypto.so.2, updating OpenSSL to 0.9.6e would still
leave your ssh vulnerable (same applies to any other build using
OpenSSL)

Thomas

BTW: which version of OpenSSL bumped so.2 -> so.3 ?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message