Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Is openssh 2.9.9p2 on SuSE 7.3 secure?
  • From: Martin Köhling <mk@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 11 Sep 2002 16:40:05 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0209111427150.13514-100000@xxxxxxxxxxxxxxxxxx>
Hi!

On Thu, 5 Sep 2002, Roman Drahtmueller wrote:

> Hi Rob,
>
> >
> > Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine
> > for my home network. I was also running openssh. That was until I ran a
> > security scan (Nessus 1.0.10) that showed the version of ssh
> > (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security
> > announcements and it seems that the version I have has been patched and all
> > is well. So, I am secure running openssh 2.9.9p2? Would an updated version
>
> To our knowledge, yes.

What about the recently fixed openssl bugs?

On Wed, 31 Jul 2002, Olaf Kirch wrote:

>On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
>> Openssh uses openssl. Is openssh vulnerable to any of the openssl
>> exploits?
>
>Potentially, yes. It may be possible to trigger the ASN.1 signedness
>bug when decoding RSA keys during/after RSA authentication. The other
>bugs, no, because OpenSSH doesn't use SSL.

At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against
the openssl libs - so perhaps they are statically linked and thus still
vulnerable?!?
Or don't they use openssl at all?
(openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl
announcement!)

I asked this question before but got no answer... :-(

Martin
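
Added example, not part of the original message: one way to check the question raised above, whether a binary such as sshd loads OpenSSL as a shared library or carries a statically linked copy that a library update would not fix. The function names are hypothetical, and the check assumes the static copy leaves its "OpenSSL <version> <date>" banner in the binary.

```shell
#!/bin/sh
# Added example: tell dynamic from static OpenSSL linkage in a binary.

# Read `ldd` output on stdin; succeed if libcrypto or libssl is listed
# as a shared dependency.
has_dynamic_openssl() {
    grep -Eq 'lib(crypto|ssl)\.so'
}

# Print the distinct OpenSSL version banners embedded in a file.
# A statically linked libcrypto leaves strings of the form
# "OpenSSL <version> <day> <mon> <year>" in the binary's data.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o -E \
        'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*( +[0-9]{1,2} [A-Za-z]{3} [0-9]{4})?' \
        "$1" | sort -u
}

# Classify a binary. Prints one of:
#   dynamic            - OpenSSL comes from a shared library
#   static: <banner>   - no shared dependency, but a banner is embedded
#   none               - neither was found
# Note: ldd invokes the dynamic loader, so run it only on trusted files.
classify_openssl_linkage() {
    bin=$1
    if command -v ldd >/dev/null 2>&1 &&
       ldd "$bin" 2>/dev/null | has_dynamic_openssl; then
        echo "dynamic"
        return 0
    fi
    ver=$(embedded_openssl_versions "$bin" | head -n 1)
    if [ -n "$ver" ]; then
        echo "static: $ver"
    else
        echo "none"
    fi
}
```

Run it as `classify_openssl_linkage /usr/sbin/sshd`. A `static:` result means the binary has to be rebuilt to pick up a library fix, while `none` only says no banner was found, not that OpenSSL code is absent.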

