From owner-freebsd-security Wed Jul 31 4:27:39 2002
Message-Id: <200207311127.g6VBRWY98818@www.wsf.at>
Date: Wed, 31 Jul 2002 11:27:32 -0000
To: "Simon Dick", "Adrian Penisoara"
Subject: Re: Are OpenSSL bugs related to OpenSSH ?
In-Reply-To: <1028113366.1406.0.camel@linux>
Sender: owner-freebsd-security@FreeBSD.ORG

Simon Dick wrote:
> On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > Hi,
> >
> > Though I think that the recent OpenSSL buffer overflows don't imply
> > that OpenSSH is vulnerable, could someone please confirm this ?
>
> OpenSSH is linked against OpenSSL, so it's a possibility that it could
> be vulnerable, but unless you have ssh statically linked then updating
> your openssl version will fix any problems.
>

Hi Simon,

I think this is only true if your version of ssh/sshd was already built
with a recent version of OpenSSL (libcrypto.so.3). If your ssh uses
libcrypto.so.2, updating OpenSSL to 0.9.6e would still leave your ssh
vulnerable (same applies to any other build using OpenSSL).

Thomas

BTW: which version of OpenSSL bumped so.2 -> so.3 ?
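The check this exchange implies, as an added example that is not part of the original thread: classify a binary by the libcrypto soname that `ldd` reports for it. The function names and the sample `ldd` lines are constructed for illustration, and `libcrypto.so.3` as the patched soname is taken from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): report which libcrypto a binary
# loads, so binaries still bound to an old soname can be found and rebuilt.

# classify_crypto_link PATCHED_SONAME   (reads `ldd <binary>` output on stdin)
classify_crypto_link() {
    awk -v patched="$1" '
        # ldd prints one of these for binaries with no dynamic section
        /not a dynamic executable|statically linked/ { is_static = 1 }
        # dependency lines look like: libcrypto.so.2 => /usr/lib/... (0x...)
        $1 ~ /^libcrypto\.so/ { found = $1 }
        END {
            if (is_static)
                print "static: ldd cannot tell; rebuild if it uses OpenSSL"
            else if (found == "")
                print "none: no libcrypto dependency"
            else if (found == patched)
                print "ok: " found
            else
                print "stale: " found " (patched is " patched ")"
        }'
}

# scan_binaries PATCHED_SONAME BINARY...   (runs ldd on each binary)
scan_binaries() {
    patched_soname="$1"; shift
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" \
            "$(ldd "$bin" 2>&1 | classify_crypto_link "$patched_soname")"
    done
}

# Constructed sample of ldd output for an sshd built against the old soname.
sample_old_sshd() {
    printf '/usr/sbin/sshd:\n'
    printf '\tlibcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808f000)\n'
    printf '\tlibc.so.4 => /usr/lib/libc.so.4 (0x28100000)\n'
}

sample_old_sshd | classify_crypto_link libcrypto.so.3
# On a real host: scan_binaries libcrypto.so.3 /usr/sbin/sshd /usr/bin/ssh
```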