Re: RES: OpenSSL Vulnerability and OpenSSH

From: Ron DuFresne (dufresne@winternet.com)
Date: 09/23/02


Date: Mon, 23 Sep 2002 10:20:11 -0500 (CDT)
From: Ron DuFresne <dufresne@winternet.com>
To: Renato Araújo Ferreira <rferreira@metrored.com.br>


actually, other issues have been found with OpenSSL 0.9.6e and it is
recommended that folks upgrade to the current, OpenSSL 0.9.6g.

Thanks,

Ron DuFresne

On Mon, 23 Sep 2002, Renato Araújo Ferreira wrote:

> as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all
> applications using OpenSSL to provide SSL or TLS...", i did it (apache,
> ssh)... just in case...
>
> -----Original Message-----
> From: Markus Friedl [mailto:markus@openbsd.org]
> Sent: Monday, September 23, 2002 11:15
> To: nestler@speakeasy.net
> Cc: vuln-dev@securityfocus.com
> Subject: Re: OpenSSL Vulnerability and OpenSSH
>
>
> On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:
> > On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler@speakeasy.net wrote:
> > > > On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:
> > > > > Does anyone
> > > > > know if the same issues affecting OpenSSL on Apache will affect
> > > > > OpenSSL when used with OpenSSH?
> > > >
> > > > yes.
> > > >
> > > > the "issues affecting OpenSSL on Apache" do not affect OpenSSH.
> > > >
> > > > OpenSSH does not use libssl (only libcrypto).
> > >
> > > You seem to imply that all of OpenSSL's problems are in libssl,
> > > which is not the case.
> >
> > no. it does not. i just refer to "issues affecting OpenSSL on Apache".
>
> oops, i forgot to add: you should still update the OpenSSL libcrypto
> library, since it's not known how the ASN.1 bugs affect software using
> libcrypto (and OpenSSH uses libcrypto).
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
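
As an added illustration of the two points made in this thread (OpenSSH loads only libcrypto, and 0.9.6e is itself behind the recommended 0.9.6g), the script below classifies `ldd` output and compares old-style OpenSSL release strings. It is not part of the original messages; the `ldd` lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.

# Read `ldd` output on stdin; print which OpenSSL libraries are loaded:
# "libssl libcrypto", "libssl", "libcrypto", or "none".
linked_openssl_libs() {
    awk '
        $1 ~ /^libssl\.so/    { ssl = 1 }
        $1 ~ /^libcrypto\.so/ { crypto = 1 }
        END {
            out = ssl ? "libssl" : ""
            if (crypto) out = (out == "" ? "" : out " ") "libcrypto"
            print (out == "" ? "none" : out)
        }'
}

# Succeed (exit 0) when release $1 is older than release $2, for the
# classic "0.9.6e" scheme: three numbers plus an optional letter suffix.
openssl_older_than() {
    awk -v a="$1" -v b="$2" '
        function key(v,    p, letter) {
            letter = ""
            if (match(v, /[a-z]+$/)) {
                letter = substr(v, RSTART)
                v = substr(v, 1, RSTART - 1)
            }
            split(v, p, ".")
            return sprintf("%03d%03d%03d%s", p[1], p[2], p[3], letter)
        }
        BEGIN { exit !(key(a) < key(b)) }'
}

# $1 = ldd output, $2 = installed release, $3 = recommended release.
# Any OpenSSL library counts, libcrypto-only binaries included.
needs_upgrade() {
    libs=$(printf '%s\n' "$1" | linked_openssl_libs)
    [ "$libs" != "none" ] && openssl_older_than "$2" "$3"
}

# Constructed sample `ldd` output (not captured from a real host).
SSHD_LDD='  libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40030000)
  libc.so.6 => /lib/libc.so.6 (0x40100000)'
MODSSL_LDD='  libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
  libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)'

for v in 0.9.6e 0.9.6g; do
    if needs_upgrade "$SSHD_LDD" "$v" 0.9.6g; then echo "sshd, OpenSSL $v: upgrade libcrypto"
    else echo "sshd, OpenSSL $v: at recommended release"; fi
done
```

On a real host, feed `linked_openssl_libs` the output of `ldd` on the binary in question; statically linked binaries show no OpenSSL entry and have to be rebuilt against the upgraded library.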


