Further investigation brought me to this link: http://online.securityfocus.com/archive/1/285018/2002-07-28/2002-08-03/0 OpenPKG is recommending rebuilding quite a list of packages after updating OpenSSL. Is that going to be necessary for us? -----Original Message----- From: Alan Rouse Sent: Wednesday, July 31, 2002 9:03 AM To: suse-security@suse.com Subject: RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027) So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both? -----Original Message----- From: Olaf Kirch [mailto:okir@suse.de] Sent: Wednesday, July 31, 2002 4:14 AM To: Graham Murray Cc: suse-security@suse.com Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027) On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:

Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?

Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here