Mailinglist Archive: opensuse-security (409 mails)

< Previous Next >
RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
  • From: Martin Köhling <mk@xxxxxxxxxxxxxxxxxx>
  • Date: Fri, 9 Aug 2002 11:59:40 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0208091153380.7782-100000@xxxxxxxxxxxxxxxxxx>
Hi!

[Roman: originally, I sent this mail to you directly by mistake (not to
the list) but didn't get any response; did it arrive at all?]

On Wed, 31 Jul 2002, Roman Drahtmueller wrote:

> >
> > So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy
> > require an update of OpenSSH or of OpenSSL, or both?
>
> Openssl. Then restart sshd:
>
> rcsshd restart
>
> Or, even better, reboot the system to make sure it worked.

At least on SuSE 7.2, openssh-2.9.9p2-103 does *not* dynamically link
against the ssl libs; ldd `which sshd` says:

libpam.so.0 => /lib/libpam.so.0 (0x4001d000)
libdl.so.2 => /lib/libdl.so.2 (0x40025000)
libz.so.1 => /lib/libz.so.1 (0x4002a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
libutil.so.1 => /lib/libutil.so.1 (0x4004f000)
libc.so.6 => /lib/libc.so.6 (0x40052000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

(The "temporary update" openssh-3.3p1-6 *did* link against
libcrypto.so.0.9.6...)

So, if this version is vulnerable, the lib update won't fix it - do we
need yet another openssh upgrade???

Martin


< Previous Next >
This Thread
  • No further messages