Hi!

On Thu, 5 Sep 2002, Roman Drahtmueller wrote:
Hi Rob,
Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine for my home network. I was also running openssh. That was until I ran a security scan (Nessus 1.0.10) that showed the version of ssh (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security announcements and it seems that the version I have has been patched and all is well. So, I am secure running openssh 2.9.9p2? Would an updated version
To our knowledge, yes.
What about the recently fixed openssl bugs?

On Wed, 31 Jul 2002, Olaf Kirch wrote:
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
Openssh uses openssl. Is openssh vulnerable to any of the openssl exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness bug when decoding RSA keys during/after RSA authentication. The other bugs, no, because OpenSSH doesn't use SSL.
At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against the openssl libs - so perhaps they are statically linked and thus still vulnerable?!? Or don't they use openssl at all? (openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl announcement!)

I asked this question before but got no answer... :-(

Martin
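
One way to check the linkage question raised in the last message, as an added example that is not part of the original thread: it looks for a shared libcrypto/libssl in `ldd` output and, failing that, for an OpenSSL version banner embedded in the binary. The function names are hypothetical, and it assumes a statically linked copy still carries that banner; a stripped banner would be reported as `none`.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# classify_linkage LDD_OUTPUT STRINGS_OUTPUT
# Prints one of:
#   dynamic          - libcrypto/libssl is loaded as a shared object
#   static <banner>  - no shared libcrypto, but an OpenSSL version banner is
#                      embedded (assumed marker of a statically linked copy)
#   none             - neither found (not proof of absence: banners can be
#                      stripped from a binary)
classify_linkage() {
    ldd_out=$1
    strings_out=$2

    if printf '%s\n' "$ldd_out" | grep -Eq 'lib(crypto|ssl)\.so'; then
        echo dynamic
        return 0
    fi

    # Require a dotted version so the "OpenSSL 0x%8.8lx" format string that
    # OpenSSH uses for its own version output is not mistaken for a banner.
    ver='OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z]*'
    banner=$(printf '%s\n' "$strings_out" |
        sed -n "/$ver/{s/.*\($ver\).*/\1/p;q;}")

    if [ -n "$banner" ]; then
        echo "static $banner"
    else
        echo none
    fi
}

# check_binary PATH: gather ldd and strings output for a real binary.
check_binary() {
    bin=$1
    ldd_out=$(ldd "$bin" 2>&1 || true)          # ldd fails on static binaries
    strings_out=$(strings "$bin" 2>/dev/null || true)
    printf '%s: %s\n' "$bin" "$(classify_linkage "$ldd_out" "$strings_out")"
}

# Usage: sh this_script /usr/sbin/sshd /usr/bin/ssh
for b in "$@"; do
    check_binary "$b"
done
```

A `static` result means the OpenSSL code in that binary only changes when the OpenSSH package itself is rebuilt, so the package build date has to be compared against the OpenSSL fix rather than the installed library version.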