Re: Are OpenSSL bugs related to OpenSSH ?

From: Adrian Penisoara (ady@freebsd.ady.ro)
Date: 07/31/02


Date: Wed, 31 Jul 2002 22:33:48 +0300 (EEST)
From: Adrian Penisoara <ady@freebsd.ady.ro>
To: net@wsf.at

Hi,

  What is the exact problem that affects OpenSSH by means of being
linked with libcrypto ? Does it use any SSL mechanisms that were
reported to be vulnerable ?

PS: the (just released) FreeBSD advisory on OpenSSL vulnerabilities
doesn't mention the SSH binaries as being affected by the problems.

 Thank you,
 Ady (@freebsd.ady.ro)
____________________________________________________________________
| An age is called Dark not because the light fails to shine, but |
| because people refuse to see it. |
| -- James Michener, "Space" |

On Wed, 31 Jul 2002 net@wsf.at wrote:

> Simon *** <simond@irrelevant.org> wrote:
>
> > On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > > Hi,
> > >
> > > Though I think that the recent OpenSSL buffer overflows don't imply
> > > that OpenSSH is vulnerable, could someone please confirm this ?
> >
> > OpenSSH is linked against OpenSSL, so it's a possibility that it could
> > be vulnerable, but unless you have ssh statically linked then updating
> > your openssl version will fix any problems.
> >
>
> Hi Simon,
>
> I think this is only true if your version of ssh/sshd was already
> built with a recent version of OpenSSL (libcrypto.so.3). If your
> ssh uses libcrypto.so.2, updating OpenSSL to 0.9.6e would still
> leave your ssh vulnerable (same applies to any other build using
> OpenSSL)
>
> Thomas
>
> BTW: which version of OpenSSL bumped so.2 -> so.3 ?
>
>
>
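
A way to check the situation discussed in this thread, as an added example that is not part of any poster's message: classify `ldd` output to see whether a binary such as sshd resolves the libcrypto soname that the updated OpenSSL installs, an older one, or no shared libcrypto at all. The expected soname is supplied by the caller; the sample `ldd` lines and paths are constructed, and `classify_ldd` and `check_binary` are hypothetical helper names.

```shell
#!/bin/sh
# classify_ldd EXPECTED_SONAME   (reads `ldd` output on stdin)
# Prints one of:
#   current <soname> <path>   binary loads the soname the updated OpenSSL provides
#   stale <soname> <path>     binary loads a different soname; replacing the
#                             newer library file does not change what it loads
#   missing <soname>          dependency recorded but not resolvable
#   no-shared-libcrypto       static link or no OpenSSL use; a library update
#                             alone cannot change this binary
classify_ldd() {
    awk -v want="$1" '
        $1 ~ /^libcrypto\.so/ {
            found = 1
            if ($0 ~ /not found/) print "missing " $1
            else if ($1 == want)  print "current " $1 " " $3
            else                  print "stale " $1 " " $3
        }
        END { if (!found) print "no-shared-libcrypto" }
    '
}

# Run against a real binary, e.g.: check_binary /usr/sbin/sshd libcrypto.so.3
check_binary() { ldd "$1" 2>/dev/null | classify_ldd "$2"; }

# Constructed sample ldd output (not captured from a real host).
SAMPLE_OLD='/usr/sbin/sshd:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2809c000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28158000)'
SAMPLE_NEW='/usr/sbin/sshd:
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x2809c000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28158000)'
SAMPLE_STATIC='ldd: /usr/local/sbin/sshd: not a dynamic executable'
SAMPLE_MISSING='/usr/local/bin/tool:
    libcrypto.so.2 => not found'

# Classify every sample against the soname from the thread's example.
demo() {
    for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_STATIC" "$SAMPLE_MISSING"; do
        printf '%s\n' "$s" | classify_ldd libcrypto.so.3
    done
}
demo
```

A `stale` or `no-shared-libcrypto` result for a binary that uses OpenSSL means it has to be rebuilt or relinked before the library update takes effect for it.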

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message