Date: Wed, 31 Jul 2002 22:11:38 -0000
From: "Thomas Wolf" <net@wsf.at>
To: "Adrian Penisoara" <ady@freebsd.ady.ro>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Are OpenSSL bugs related to OpenSSH ?
Message-ID: <200207312211.g6VMBcY06472@www.wsf.at>
In-Reply-To: <Pine.BSF.4.10.10207312231390.83357-100000@ady.warpnet.ro>

Adrian Penisoara <ady@freebsd.ady.ro> wrote:
> On Wed, 31 Jul 2002 net@wsf.at wrote:
>
> > Simon Dick <simond@irrelevant.org> wrote:
> >
> > > On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > > > Hi,
> > > >
> > > > Though I think that the recent OpenSSL buffer overflows don't imply
> > > > that OpenSSH is vulnerable, could someone please confirm this ?
> > >
> > > OpenSSH is linked against OpenSSL, so it's a possibility that it could
> > > be vulnerable, but unless you have ssh statically linked then updating
> > > your openssl version will fix any problems.
> > >
> >
> > Hi Simon,
> >
> > I think this is only true if your version of ssh/sshd was already
> > built with a recent version of OpenSSL (libcrypto.so.3). If your
> > ssh uses libcrypto.so.2, updating OpenSSL to 0.9.6e would still
> > leave your ssh vulnerable (same applies to any other build using
> > OpenSSL)
> >
> > Thomas
> >
> > BTW: which version of OpenSSL bumped so.2 -> so.3 ?
> >
>
> Hi,
>
> What is the exact problem that affects OpenSSH by means of being
> linked with libcrypto ? Does it use any SSL mechanisms that were
> reported to be vulnerable ?
>
> PS: the (just released) FreeBSD advisory on OpenSSL vulnerabilities
> doesn't mention the SSH binaries as being affected by the problems.
>
> Thank you,
> Ady (@freebsd.ady.ro)

I can't tell whether OpenSSH is vulnerable or not. I just wanted to
point out that it would not be sufficient to just install the corrected
libs as there may be apps still using the older ones.
Sorry for the misunderstanding.

Thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
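
The point made in the thread, that a binary linked against an older libcrypto soname (or linked statically) keeps using the old code after the library is upgraded, can be checked per binary. The following is an added example, not part of the original messages: it classifies `ldd` output, assuming libcrypto.so.3 is the patched soname as stated above. The sample `ldd` outputs are constructed, and the "not a dynamic" match for static binaries is an assumption about `ldd`'s wording.

```sh
#!/bin/sh
# Classify one binary from its `ldd` output, read on stdin.
# $1 = soname installed by the patched OpenSSL (assumed: libcrypto.so.3).
# Prints one of: patched | stale:<soname> | static | no-libcrypto
classify_ldd() {
    awk -v want="$1" '
        $1 ~ /^libcrypto\.so/ { found = $1 }    # dynamic dependency on libcrypto
        /not a dynamic/       { static = 1 }    # ldd refused: statically linked
        END {
            if (found == want)      print "patched"
            else if (found != "")   print "stale:" found
            else if (static)        print "static"   # needs a rebuild to pick up fixes
            else                    print "no-libcrypto"
        }'
}

# Run the check over real binaries (trusted system binaries only), e.g.
#   audit libcrypto.so.3 /usr/bin/ssh /usr/sbin/sshd    # example paths
audit() {
    want="$1"; shift
    for bin in "$@"; do
        printf '%s\t%s\n' "$bin" "$(ldd "$bin" 2>&1 | classify_ldd "$want")"
    done
}

# Constructed sample ldd outputs (not captured from a real system).
sample_stale() {
    printf '/usr/bin/ssh:\n'
    printf '\tlibcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28078000)\n'
    printf '\tlibc.so.4 => /usr/lib/libc.so.4 (0x28100000)\n'
}
sample_patched() {
    printf '/usr/bin/ssh:\n'
    printf '\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x28078000)\n'
}
sample_static() {
    printf 'ldd: /sbin/example: not a dynamic executable\n'
}

for s in sample_stale sample_patched sample_static; do
    printf '%s -> %s\n' "$s" "$($s | classify_ldd libcrypto.so.3)"
done
```

A result of `static` or `no-libcrypto` cannot be told apart from "does not use OpenSSL at all" by `ldd` alone; such binaries have to be checked against how they were built.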