So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
-----Original Message-----
From: Olaf Kirch [mailto:okir@suse.de]
Sent: Wednesday, July 31, 2002 4:14 AM
To: Graham Murray
Cc: suse-security@suse.com
Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
Olaf
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
Openssl. Then restart sshd:
rcsshd restart
Or, even better, reboot the system to make sure it worked.
Thanks, Roman.
Hi!
[Roman: originally, I sent this mail to you directly by mistake (not to the list) but didn't get any response; did it arrive at all?]
On Wed, 31 Jul 2002, Roman Drahtmueller wrote:
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
Openssl. Then restart sshd:
rcsshd restart
Or, even better, reboot the system to make sure it worked.
At least on SuSE 7.2, openssh-2.9.9p2-103 does *not* dynamically link against the ssl libs; ldd `which sshd` says:
libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
libdl.so.2 => /lib/libdl.so.2 (0x40025000)
libz.so.1 => /lib/libz.so.1 (0x4002a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
libutil.so.1 => /lib/libutil.so.1 (0x4004f000)
libc.so.6 => /lib/libc.so.6 (0x40052000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
(The "temporary update" openssh-3.3p1-6 *did* link against libcrypto.so.0.9.6...)
So, if this version is vulnerable, the lib update won't fix it - do we need yet another openssh upgrade???
Martin
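
Added example, not part of the original thread: a small shell check for the question raised above, namely whether a binary loads libssl/libcrypto as shared objects (so a library update plus restart reaches it) or not (so the package itself may need rebuilding). The script name check.sh, the function names, the second sample and the version-string heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Decide whether an OpenSSL library update can reach a given binary.

# Shape of the ldd output quoted in the thread (no OpenSSL libraries listed).
SAMPLE_NO_DSO='libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
libz.so.1 => /lib/libz.so.1 (0x4002a000)
libc.so.6 => /lib/libc.so.6 (0x40052000)'

# Constructed sample: a build that loads libcrypto at run time.
SAMPLE_DSO='libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40030000)
libc.so.6 => /lib/libc.so.6 (0x40052000)'

# stdin: ldd output. Prints "dynamic <libs>" when libssl/libcrypto are loaded
# as shared objects (library update + restart applies), else "no-openssl-dso".
classify() {
    libs=$(awk '$1 ~ /^lib(ssl|crypto)\.so/ { printf "%s%s", sep, $1; sep = " " }')
    if [ -n "$libs" ]; then
        echo "dynamic $libs"
    else
        echo "no-openssl-dso"
    fi
}

# $1: file. Prints distinct "OpenSSL <version>" strings found in the file.
# Heuristic (assumption): static builds usually carry the library's version text.
embedded_openssl() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | sort -u
}

# Usage: sh check.sh /usr/sbin/sshd   (run ldd only on binaries you trust)
if [ -n "${1:-}" ]; then
    verdict=$(ldd "$1" 2>/dev/null | classify)
    echo "$1: $verdict"
    if [ "$verdict" = "no-openssl-dso" ]; then
        found=$(embedded_openssl "$1")
        echo "embedded version text: ${found:-none found}"
    fi
fi
```

A "no-openssl-dso" verdict together with embedded version text suggests the OpenSSL code was linked in at build time, in which case only a rebuilt package replaces it.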