RES: OpenSSL Vulnerability and OpenSSH

From: Renato Araújo Ferreira (rferreira@metrored.com.br)
Date: 09/23/02

Previous message: Markus Friedl: "Re: OpenSSL Vulnerability and OpenSSH"
Next in thread: Ron DuFresne: "Re: RES: OpenSSL Vulnerability and OpenSSH"
Reply: Ron DuFresne: "Re: RES: OpenSSL Vulnerability and OpenSSH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Renato Araújo Ferreira <rferreira@metrored.com.br>
To: 'Markus Friedl' <markus@openbsd.org>, nestler@speakeasy.net
Date: Mon, 23 Sep 2002 11:31:44 -0300

as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all
applications using OpenSSL to provide SSL or TLS...", i did it (apache,
ssh)... just in case...

-----Mensagem original-----
De: Markus Friedl [mailto:markus@openbsd.org]
Enviada em: segunda-feira, 23 de setembro de 2002 11:15
Para: nestler@speakeasy.net
Cc: vuln-dev@securityfocus.com
Assunto: Re: OpenSSL Vulnerability and OpenSSH

On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:
> On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler@speakeasy.net wrote:
> > > On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:
> > > > Does anyone
> > > > know if the same issues affecting OpenSSL on Apache will affect
OpenSSL
> > > > when used with OpenSSH?
> > >
> > > yes.
> > >
> > > the "issues affecting OpenSSL on Apache" do not affect OpenSSH.
> > >
> > > OpenSSH does not use libssl (only libcrypto).
> >
> > You seem to imply that all of OpenSSL's problems are in libssl,
> > which is not the case.
>
> no. it does not. i just refer to "issues affecting OpenSSL on Apache".

oops, i forgot to add: you should still update the OpenSSL libcrypto
library, since it's not know how the ASN.1 bugs affect software using
libcrypto (and OpenSSH uses libcrypto).

Previous message: Markus Friedl: "Re: OpenSSL Vulnerability and OpenSSH"
Next in thread: Ron DuFresne: "Re: RES: OpenSSL Vulnerability and OpenSSH"
Reply: Ron DuFresne: "Re: RES: OpenSSL Vulnerability and OpenSSH"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: GCC 3.3
... > apache, sendmail, ip-filter, openssl and others all OK so far. ...
(comp.unix.solaris)
Re: Python does not play well with others
... unwise for libraries. ... In the specific examples of OpenSSL, MySQL, and Apache, the modules ...
(comp.lang.python)
Re: mod_ssl or openssl?
... SSL certificate through them, they asked whether it should be for ... Apache mod_ssl or for Apache + openssl. ... Maybe the 3 first link can help you to make the diff between both. ...
(Fedora)
Re: mod_ssl or openssl?
... SSL certificate through them, they asked whether it should be for ... Apache mod_ssl or for Apache + openssl. ... Creating a certificate request, or a pair of public/private keys are ...
(Fedora)
Re: Root password changed
... OpenSSL 0.9.6d and older. ... It will give you a remote shell with the ... priviledges of the server process (nobody when used against Apache, ... You can recover logs in various ways, google is always a good one ...
(Incidents)