On Wed, 31 Jul 2002, Olaf Kirch wrote:
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against the openssl libs - so perhaps they are statically linked and thus still vulnerable?!? Or don't they use openssl at all? (openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl announcement!)
What command did you use to figure out how openssh was linked? I'd like to check to see which libraries are used and how they are linked in openssh-2.9.9p2. TIA, Rob
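One way to check the linkage question raised in this thread, as an added example that is not part of the original messages: read the ELF dynamic section with `readelf -d` (which, unlike `ldd`, never runs the binary) and, when no libcrypto/libssl dependency is listed, look for an embedded OpenSSL version banner with `strings`. The function names and sample text are hypothetical and constructed; binutils `readelf` and `strings` are assumed to be installed.

```shell
#!/bin/sh
# Added example: classify how a binary uses OpenSSL from tool output.
#   $1 = output of `readelf -d BINARY`   $2 = output of `strings BINARY`
# Prints "dynamic", "static: <banner>", or "none".
classify_openssl_linkage() {
    needed=$1
    strs=$2
    # A NEEDED entry means the shared library is loaded at run time, so
    # updating the system OpenSSL package also fixes this binary.
    if printf '%s\n' "$needed" | grep -Eq '\(NEEDED\).*\[lib(crypto|ssl)\.so'; then
        echo "dynamic"
        return 0
    fi
    # No NEEDED entry: an embedded version banner suggests libcrypto was
    # linked in statically, so the binary itself must be rebuilt.
    # This is a heuristic; stripped or modified builds may lack the banner.
    banner=$(printf '%s\n' "$strs" |
        grep -Eo 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | head -n 1)
    if [ -n "$banner" ]; then
        echo "static: $banner"
        return 0
    fi
    echo "none"
}

# Run the real tools against a file, e.g. check_binary /usr/sbin/sshd
check_binary() {
    classify_openssl_linkage "$(readelf -d "$1" 2>/dev/null)" "$(strings "$1")"
}

# Constructed sample tool output (not taken from any real system).
SAMPLE_DYNAMIC=' 0x00000001 (NEEDED)  Shared library: [libcrypto.so.0.9.6]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_NO_SSL=' 0x00000001 (NEEDED)  Shared library: [libz.so.1]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_STRINGS='RSA part of OpenSSL 0.9.6c 21 dec 2001
ssh-rsa'

if [ $# -gt 0 ]; then
    check_binary "$1"
else
    classify_openssl_linkage "$SAMPLE_DYNAMIC" ""
    classify_openssl_linkage "$SAMPLE_NO_SSL" "$SAMPLE_STRINGS"
fi
```

A "static" result means installing an updated OpenSSL package alone does not change the code inside that binary.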