RES: OpenSSL Vulnerability and OpenSSH

[Renato Araújo Ferreira <rferreira () metrored com br>]

as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all
applications using OpenSSL to provide SSL or TLS...", i did it (apache,
ssh)... just in case...

-----Mensagem original-----
De: Markus Friedl [mailto:markus () openbsd org]
Enviada em: segunda-feira, 23 de setembro de 2002 11:15
Para: nestler () speakeasy net
Cc: vuln-dev () securityfocus com
Assunto: Re: OpenSSL Vulnerability and OpenSSH


On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:
> On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler () speakeasy net wrote:
> > > On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:
> > > > Does anyone
> > > > know if the same issues affecting OpenSSL on Apache will affect
OpenSSL
> > > > when used with OpenSSH?
> > >
> > > yes.
> > >
> > > the "issues affecting OpenSSL on Apache" do not affect OpenSSH.
> > >
> > > OpenSSH does not use libssl (only libcrypto).
> >
> > You seem to imply that all of OpenSSL's problems are in libssl,
> > which is not the case.
>
> no. it does not. i just refer to "issues affecting OpenSSL on Apache".

oops, i forgot to add: you should still update the OpenSSL libcrypto
library, since it's not know how the ASN.1 bugs affect software using
libcrypto (and OpenSSH uses libcrypto).