Further investigation brought me to this link:
http://online.securityfocus.com/archive/1/285018/2002-07-28/2002-08-03/0
OpenPKG is recommending rebuilding quite a list of packages after updating OpenSSL. Is that going to be necessary for us?
-----Original Message-----
From: Alan Rouse
Sent: Wednesday, July 31, 2002 9:03 AM
To: suse-security@suse.com
Subject: RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
-----Original Message-----
From: Olaf Kirch [mailto:okir@suse.de]
Sent: Wednesday, July 31, 2002 4:14 AM
To: Graham Murray
Cc: suse-security@suse.com
Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
> Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
Olaf