From owner-freebsd-security Wed Jul 31 15:11:49 2002
Message-Id: <200207312211.g6VMBcY06472@www.wsf.at>
Date: Wed, 31 Jul 2002 22:11:38 -0000
To: "Adrian Penisoara"
Subject: Re: Are OpenSSL bugs related to OpenSSH ?
From: "Thomas Wolf"

Adrian Penisoara wrote:

> On Wed, 31 Jul 2002 net@wsf.at wrote:
>
> > Simon Dick wrote:
> >
> > > On Wed, 2002-07-31 at 10:24, Adrian Penisoara wrote:
> > > > Hi,
> > > >
> > > > Though I think that the recent OpenSSL buffer overflows don't imply
> > > > that OpenSSH is vulnerable, could someone please confirm this ?
> > >
> > > OpenSSH is linked against OpenSSL, so it's a possibility that it could
> > > be vulnerable, but unless you have ssh statically linked then updating
> > > your openssl version will fix any problems.
> > >
> >
> > Hi Simon,
> >
> > I think this is only true if your version of ssh/sshd was already
> > built with a recent version of OpenSSL (libcrypto.so.3). If your
> > ssh uses libcrypto.so.2, updating OpenSSL to 0.9.6e would still
> > leave your ssh vulnerable (same applies to any other build using
> > OpenSSL)
> >
> > Thomas
> >
> > BTW: which version of OpenSSL bumped so.2 -> so.3 ?
> >
>
> Hi,
>
> What is the exact problem that affects OpenSSH by means of being
> linked with libcrypto ? Does it use any SSL mechanisms that were
> reported to be vulnerable ?
>
> PS: the (just released) FreeBSD advisory on OpenSSL vulnerabilities
> doesn't mention the SSH binaries as being affected by the problems.
>
> Thank you,
> Ady (@freebsd.ady.ro)

I can't tell whether OpenSSH is vulnerable or not. I just wanted to
point out that it would not be sufficient to just install the corrected
libs as there may be apps still using the older ones.

Sorry for the misunderstanding.

Thomas
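
The check this message calls for, as an added example that is not part of the original thread: read `ldd` output and list every binary that still resolves a library to a major version other than the one you expect, plus static binaries that `ldd` cannot inspect. The function name, the sample paths and the sample `ldd` lines are constructed for illustration; the expected major version 3 is taken from the message above.

```shell
#!/bin/sh
# Added example: list binaries whose ldd output still names an old
# shared-library major version, plus static binaries ldd cannot inspect.

# Constructed sample of ldd output (hypothetical paths and addresses).
sample_ldd() {
cat <<'EOF'
/usr/bin/ssh:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2807e000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28130000)
/usr/local/sbin/httpd:
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x280a0000)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280d0000)
/usr/local/bin/stunnel:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280c0000)
ldd: /sbin/init: not a dynamic executable
EOF
}

# stale_users LIB WANTED_MAJOR   (ldd output on stdin)
# Prints "binary<TAB>soname" for each mismatch and "binary<TAB>static"
# for binaries that must be rebuilt rather than fixed by a library update.
stale_users() {
    awk -v lib="$1" -v want="$2" '
        /not a dynamic executable/ {
            s = $0
            sub(/^ldd: /, "", s)
            sub(/: not a dynamic executable.*$/, "", s)
            printf "%s\tstatic\n", s
            next
        }
        # A line such as "/usr/bin/ssh:" starts the section for one binary.
        /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line: first field is the soname, e.g. libcrypto.so.2
        index($1, lib ".so.") == 1 {
            major = substr($1, length(lib) + 5)
            if (major != want) printf "%s\t%s\n", bin, $1
        }
    '
}

sample_ldd | stale_users libcrypto 3
```

On a real system, feed it live output instead of the sample, for example `ldd /usr/bin/ssh /usr/sbin/sshd 2>&1 | stale_users libcrypto 3`.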