RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?

-----Original Message-----
From: Olaf Kirch [mailto:okir@suse.de]
Sent: Wednesday, July 31, 2002 4:14 AM
To: Graham Murray
Cc: suse-security@suse.com
Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)

On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
Openssl. Then restart sshd:
rcsshd restart
Or, even better, reboot the system to make sure it worked.
Thanks,
Roman.
--
| Roman Drahtmüller
Hi!

[Roman: originally, I sent this mail to you directly by mistake (not to the list) but didn't get any response; did it arrive at all?]

On Wed, 31 Jul 2002, Roman Drahtmueller wrote:
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy require an update of OpenSSH or of OpenSSL, or both?
Openssl. Then restart sshd:
rcsshd restart
Or, even better, reboot the system to make sure it worked.
At least on SuSE 7.2, openssh-2.9.9p2-103 does *not* dynamically link against the ssl libs; ldd `which sshd` says:

    libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
    libdl.so.2 => /lib/libdl.so.2 (0x40025000)
    libz.so.1 => /lib/libz.so.1 (0x4002a000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
    libutil.so.1 => /lib/libutil.so.1 (0x4004f000)
    libc.so.6 => /lib/libc.so.6 (0x40052000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(The "temporary update" openssh-3.3p1-6 *did* link against libcrypto.so.0.9.6...)

So, if this version is vulnerable, the lib update won't fix it - do we need yet another openssh upgrade???

Martin
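The two questions the thread turns on (does this sshd pick up a libcrypto update at all, and has a running sshd actually been restarted afterwards) can be answered mechanically. The following POSIX shell check is an added example, not code from the thread or from SuSE; it assumes a Linux system with /proc/<pid>/maps and the usual ldd, pidof and grep tools, and the ldd and maps samples in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks after a libcrypto update:
# does the sshd binary link OpenSSL dynamically at all, and do running sshd
# processes still map the old, now-replaced library file?
# Assumes Linux (/proc/<pid>/maps) and the ldd/pidof/grep tools.

# links_openssl: reads ldd output on stdin; succeeds if libssl or libcrypto
# is resolved from a shared object. If it fails, OpenSSL is either absent or
# linked statically, so updating the library package alone changes nothing.
links_openssl() {
    grep -Eq '^[[:space:]]*lib(ssl|crypto)\.so'
}

# stale_openssl_maps: reads /proc/<pid>/maps on stdin and prints every
# libssl/libcrypto mapping whose file was replaced on disk; the kernel tags
# such mappings "(deleted)", so that process runs old code until restarted.
stale_openssl_maps() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# check_sshd: run both checks on a live system (ldd on the sshd binary,
# then the maps of every running sshd PID). Not used by the samples below.
check_sshd() {
    bin=$(command -v sshd || echo /usr/sbin/sshd)
    if ldd "$bin" | links_openssl; then
        echo "$bin links OpenSSL dynamically: the library update applies"
    else
        echo "$bin does not link OpenSSL dynamically: a lib update alone won't fix it"
    fi
    for pid in $(pidof sshd 2>/dev/null); do
        stale_openssl_maps < "/proc/$pid/maps" | sed "s|^|sshd pid $pid still maps: |"
    done
}

# Constructed samples modelled on the two cases in the thread: an sshd with
# no libcrypto dependency, one with it, and a process started before the
# update whose libcrypto mapping is now marked deleted.
LDD_NO_CRYPTO="  libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
  libz.so.1 => /lib/libz.so.1 (0x4002a000)
  libc.so.6 => /lib/libc.so.6 (0x40052000)"
LDD_CRYPTO="  libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40030000)
  libc.so.6 => /lib/libc.so.6 (0x40052000)"
MAPS_STALE="40030000-400f0000 r-xp 00000000 03:01 12345 /usr/lib/libcrypto.so.0.9.6 (deleted)
40052000-40160000 r-xp 00000000 03:01 23456 /lib/libc.so.6"

printf '%s\n' "$LDD_CRYPTO" | links_openssl && echo "sample links libcrypto dynamically"
printf '%s\n' "$MAPS_STALE" | stale_openssl_maps
```

On a live host, `check_sshd` prints which case applies; an empty maps result after the update and restart means no sshd process still runs the old library.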
participants (3)
- Alan Rouse
- Martin Köhling
- Roman Drahtmueller