Re: OpenSSH affected by recent OpenSSL security problems?

From: Neil W Rickert (rickert+nn@cs.niu.edu)
Date: 03/22/03


From: Neil W Rickert <rickert+nn@cs.niu.edu>
Date: 21 Mar 2003 23:42:36 GMT

iglesias@draco.acs.uci.edu (Mike Iglesias) writes:

>There have been a couple of security problems with OpenSSL recently (timing
>based attack and the Klima-Pokorny-Rosa attack, see http://www.openssl.org/
>for more information). I was wondering if these issues affect OpenSSH, and
>how serious is this for OpenSSH. Basically I want to know how soon I need
>to rebuild OpenSSH with a new OpenSSL library for all the architectures we
>build it for.

The patch for the Klima-Pokorny-Rosa attack only changes libssl,
which is not used by openssh. Maybe openssh has a corresponding
vulnerability, but changes to openssl won't affect that.

The patch for the timing problems does affect libcrypto, so that
potentially affects openssh.

If you are using dynamic openssl libraries, then you should only
need to rebuild those without recompiling openssh.

Personally, I tend to think neither of these is an urgent problem, so
I may wait for the release of openssl-0.9.7b (or whatever comes out
next). That's because the cost of mounting these attacks seems too
high for what could be gained from them, at least with respect to our
department systems. The equation might be different for sites
heavily engaged in web commerce.
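
The linkage reasoning in the reply above, as an added example that is not part of the original post: a shell function that reads `ldd`-style output and reports whether a fix confined to one OpenSSL library reaches a binary by replacing the shared library alone. The function name `patch_action`, its result tokens, the sample `ldd` output and the `/usr/sbin/sshd` path are all constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): what a library-only OpenSSL fix
# means for one binary, judged from ldd-style output.

# patch_action LIB   (LIB is "libcrypto" or "libssl"); ldd output on stdin.
# Prints one of:
#   update-shared-library  binary loads LIB at run time; replacing the .so is enough
#   no-shared-dependency   dynamic binary with no LIB.so entry: LIB is either unused
#                          or was linked in from a static archive (ldd cannot tell)
#   static-binary          fully static; a fix to LIB only arrives through a rebuild
patch_action() {
    awk -v lib="$1" '
        /not a dynamic executable|statically linked/ { is_static = 1 }
        # Dependency lines look like: libcrypto.so.0.9.7 => /usr/lib/... (0x...)
        index($1, lib ".so") == 1 { found = 1 }
        END {
            if (is_static)  print "static-binary"
            else if (found) print "update-shared-library"
            else            print "no-shared-dependency"
        }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DYNAMIC='	libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40020000)
	libz.so.1 => /usr/lib/libz.so.1 (0x40110000)
	libc.so.6 => /lib/libc.so.6 (0x40120000)'
SAMPLE_STATIC='	not a dynamic executable'

# A libcrypto fix (the timing patch) reaches this binary via the shared library.
printf '%s\n' "$SAMPLE_DYNAMIC" | patch_action libcrypto
# A libssl-only fix (the Klima-Pokorny-Rosa patch) does not touch it.
printf '%s\n' "$SAMPLE_DYNAMIC" | patch_action libssl
# A static build picks up library fixes only when it is rebuilt.
printf '%s\n' "$SAMPLE_STATIC" | patch_action libcrypto

# Real use (path is an assumption): ldd /usr/sbin/sshd | patch_action libcrypto
```
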


