Mailinglist Archive: opensuse-security (375 mails)

< Previous Next >
Re: [suse-security] Is openssh 2.9.9p2 on SuSE 7.3 secure?
  • From: Rob Osterburg <rosterbu@xxxxxxxxxxxxxxx>
  • Date: Thu, 12 Sep 2002 23:06:36 -0600
  • Message-id: <200209122306.36736.rosterbu@xxxxxxxxxxxxxxx>
> On Wed, 31 Jul 2002, Olaf Kirch wrote :
> >On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
> >> Openssh uses openssl. Is openssh vulnerable to any of the openssl
> >> exploits?
> >
> >Potentially, yes. It may be possible to trigger the ASN.1 signedness
> >bug when decoding RSA keys during/after RSA authentication. The other
> >bugs, no, because OpenSSH doesn't use SSL.
>
> At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against
> the openssl libs - so perhaps they are statically linked and thus still
> vulnerable?!?
> Or don't they use openssl at all?
> (openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl
> announcement!)
>
What command did you use to figure out the how openssh was linked? It like to
check to see which libraries are used and how they are linked in
openssh-2.9.9p2.

TIA, Rob


< Previous Next >
References