Date: Wed, 31 Jul 2002 22:33:48 +0300 (EEST)
From: Adrian Penisoara
To: net@wsf.at
Cc: Simon Dick, freebsd-security@FreeBSD.ORG
Subject: Re: Are OpenSSL bugs related to OpenSSH ?
In-Reply-To: <200207311127.g6VBRWY98818@www.wsf.at>

Hi,

What is the exact problem that affects OpenSSH by means of being
linked with libcrypto ? Does it use any SSL mechanisms that were
reported to be vulnerable ?

PS: the (just released) FreeBSD advisory on OpenSSL vulnerabilities
doesn't mention the SSH binaries as being affected by the problems.

Thank you,
Ady (@freebsd.ady.ro)
____________________________________________________________________
| An age is called Dark not because the light fails to shine, but  |
| because people refuse to see it.                                  |
|                -- James Michener, "Space"                         |

On Wed, 31 Jul 2002 net@wsf.at wrote:

> Simon Dick wrote:
>
> > On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > > Hi,
> > >
> > > Though I think that the recent OpenSSL buffer overflows don't imply
> > > that OpenSSH is vulnerable, could someone please confirm this ?
> >
> > OpenSSH is linked against OpenSSL, so it's a possibility that it could
> > be vulnerable, but unless you have ssh statically linked then updating
> > your openssl version will fix any problems.
> >
>
> Hi Simon,
>
> I think this is only true if your version of ssh/sshd was already
> built with a recent version of OpenSSL (libcrypto.so.3). If your
> ssh uses libcrypto.so.2, updating OpenSSL to 0.9.6e would still
> leave your ssh vulnerable (same applies to any other build using
> OpenSSL)
>
> Thomas
>
> BTW: which version of OpenSSL bumped so.2 -> so.3 ?
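
Added example, not part of the original thread: a shell helper that reads `ldd` output and reports whether a binary is statically linked, or which libcrypto soname it loads, so the static-versus-dynamic and so.2-versus-so.3 cases discussed above can be told apart per binary. The function names, the sample `ldd` lines and the operator-supplied soname of the updated library are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `ldd` output on stdin and print one of:
#   static            binary carries its own copy of any crypto code
#   no-libcrypto      dynamic, but libcrypto is not a dependency
#   matches <soname>  loads the soname the operator says was updated
#   differs <soname>  loads another soname; a library update will not reach it
classify_libcrypto() {
    awk -v fixed="$1" '
        /not a dynamic|statically linked/ { is_static = 1 }
        $1 ~ /^libcrypto\.so/             { found = $1 }
        END {
            if (is_static)           print "static"
            else if (found == "")    print "no-libcrypto"
            else if (found == fixed) print "matches " found
            else                     print "differs " found
        }'
}

# Constructed sample of ldd output for a dynamically linked sshd.
sample_ldd_output() {
    printf '%s\n' '/usr/sbin/sshd:'
    printf '\t%s\n' \
        'libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808b000)' \
        'libutil.so.3 => /usr/lib/libutil.so.3 (0x28145000)' \
        'libc.so.4 => /usr/lib/libc.so.4 (0x2814e000)'
}

# Run against a real binary: check_binary /usr/sbin/sshd libcrypto.so.3
# The second argument is the soname of the updated library on this host
# (an assumption the operator must supply).
check_binary() {
    ldd "$1" 2>&1 | classify_libcrypto "$2"
}

# Demonstration on the constructed sample only.
sample_ldd_output | classify_libcrypto libcrypto.so.3
```

A "matches" result only shows which library file the binary will load; that file still has to be the updated one, and a running sshd keeps the old copy mapped until it is restarted.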