Re: OpenSSL Vulnerability
From: Chris McCulloh (chrislist_at_sinetimore.com)
Date: 10/01/03
- Previous message: jose Hidalgo Herrera: "Re: Authentication types"
- In reply to: parroth_at_earthling.net: "Re: OpenSSL Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 1 Oct 2003 11:46:26 -0400 To: parroth@earthling.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
According to Markus Friedl (the implementor of the SSH protocol in
OpenSSH), on the OpenSSH Dev list:
> On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward@slothmud.org wrote:
> > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to
> > the OpenSSL vulnerabilities announced today? Namely the ASN.1
> > parsing problem and the malformed key bugs?
> no, we avoid the OpenSSL ASN.1 code for signature verification
> and we don't support x509.
> only reading of _private_ keys triggers the ASN.1 code
> in OpenSSH.
On Tue, 30 Sep 2003 19:08:52 -0400
parroth@earthling.net wrote:
> To my understand, this will affect anything that "overlays" the secure
> socket layer including ssh and any bind builds using the ssl as well.
- --
Chris McCulloh
Secure Systems Architect
Sinetimore, LLC
e: cmcculloh@sinetimore.com
t: 212.504.0288
f: 212.656.1469
w: http://www.sinetimore.com
a: 40 Broad Street, 4th Floor, New York, NY 10004, USA
key: http://www.sinetimore.com/chriskey.pub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/evbSTZb9giTOAnMRApF9AJ4gFZqAwvAQnktLw5re6qjFe4wdQACeK+fI
/WUEcw+WKXEyocjDxivC4mc=
=ZpgZ
-----END PGP SIGNATURE-----
- Previous message: jose Hidalgo Herrera: "Re: Authentication types"
- In reply to: parroth_at_earthling.net: "Re: OpenSSL Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
