Further investigation brought me to this link:
OpenPKG is recommending rebuilding quite a list of packages after updating OpenSSL. Is that going to be necessary for us?
-----Original Message----- From: Alan Rouse Sent: Wednesday, July 31, 2002 9:03 AM To: email@example.com Subject: RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
-----Original Message----- From: Olaf Kirch [mailto:firstname.lastname@example.org] Sent: Wednesday, July 31, 2002 4:14 AM To: Graham Murray Cc: email@example.com Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.