Re: heartbleed OpenSSL bug CVE-2014-0160

["Brandon Vincent (Student)" <Brandon.Vincent () asu edu>]

Partly true.

OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd will reveal the presence of 
libcrypto.so), but this is for generating and utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension 
of TLS and since the SSH protocol does not use SSL/TLS, you should be fine.

As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be 
considered compromised.

Brandon Vincent

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Walt Williams
Sent: Wednesday, April 09, 2014 6:24 PM
To: Rob van der Putten
Cc: fulldisclosure () seclists org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

SSH does not usually use OpenSSL libraries, so no.

Walt Williams
sent from my iPhone
Typos likely

> On Apr 9, 2014, at 3:57, Rob van der Putten <rob () sput nl> wrote:
>
> Hi there
>
>
> Tim Schütt wrote:
>
> > Nope, works also on other protocols like IMAPS.
>
> I generated new keys for Apache, Asterisk, Exim and Imap and restarted these services.
> So how about SSH? Do I need to generate new keys for SSH as well?
>
>
> Regards,
> Rob
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/