Hi!

[Roman: originally, I sent this mail to you directly by mistake (not to the list) but didn't get any response; did it arrive at all?]

On Wed, 31 Jul 2002, Roman Drahtmueller wrote:
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
Openssl. Then restart sshd:
rcsshd restart
Or, even better, reboot the system to make sure it worked.
At least on SuSE 7.2, openssh-2.9.9p2-103 does *not* dynamically link against the ssl libs; ldd `which sshd` says:

	libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
	libdl.so.2 => /lib/libdl.so.2 (0x40025000)
	libz.so.1 => /lib/libz.so.1 (0x4002a000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
	libutil.so.1 => /lib/libutil.so.1 (0x4004f000)
	libc.so.6 => /lib/libc.so.6 (0x40052000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(The "temporary update" openssh-3.3p1-6 *did* link against libcrypto.so.0.9.6...)

So, if this version is vulnerable, the lib update won't fix it - do we need yet another openssh upgrade???

Martin
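
The linkage check from the message above, turned into a small script (an added example, not part of the original mail). The function names, the `strings`-based heuristic for a statically linked copy, and the samples marked as constructed are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how a binary gets its OpenSSL code.
# $1 = text of `ldd BINARY`, $2 = text of `strings BINARY`.
# Prints one of: dynamic | static | none
classify_openssl_linkage() {
    ldd_text=$1
    strings_text=$2
    if printf '%s\n' "$ldd_text" |
        grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so[^[:space:]]*[[:space:]]+=>'; then
        # ldd lists libssl/libcrypto as a shared object: updating the
        # library and restarting the daemon replaces the code in use.
        echo dynamic
    elif printf '%s\n' "$strings_text" |
        grep -Eq 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+'; then
        # Heuristic (assumption of this example): a statically linked copy
        # leaves "OpenSSL <version>" text in the binary, and only a rebuilt
        # binary changes that copy.
        echo static
    else
        # Neither check found OpenSSL.
        echo none
    fi
}

# Wrapper for a real binary (hypothetical helper name), e.g.:
#   check_binary "$(which sshd)"
check_binary() {
    classify_openssl_linkage "$(ldd "$1" 2>/dev/null)" \
                             "$(strings "$1" 2>/dev/null)"
}

# ldd output as quoted in the message (no libssl/libcrypto listed).
LDD_FROM_MESSAGE='	libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
	libdl.so.2 => /lib/libdl.so.2 (0x40025000)
	libz.so.1 => /lib/libz.so.1 (0x4002a000)
	libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
	libutil.so.1 => /lib/libutil.so.1 (0x4004f000)
	libc.so.6 => /lib/libc.so.6 (0x40052000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Constructed samples (not from the message): a dynamically linked variant
# and one line of `strings` output from a binary with OpenSSL built in.
LDD_CONSTRUCTED_DYNAMIC="$LDD_FROM_MESSAGE
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40060000)"
STRINGS_CONSTRUCTED='RSA part of OpenSSL 0.9.6 (constructed sample line)'
```

A result of `static` means the library package update alone does not change the code sshd runs; `none` only says that neither check saw OpenSSL, not that the binary is free of it.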