Re: RES: OpenSSL Vulnerability and OpenSSH

[Ron DuFresne <dufresne () winternet com>]

actually, there have been found other issues with OpenSSL 0.9.6e and it is
recommended that folks upgrade to the current, OpenSSL 0.9.6g.

Thanks,

Ron DuFresne


On Mon, 23 Sep 2002, Renato Araújo Ferreira wrote:

> as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all
> applications using OpenSSL to provide SSL or TLS...", i did it (apache,
> ssh)... just in case...
>
> -----Mensagem original-----
> De: Markus Friedl [mailto:markus () openbsd org]
> Enviada em: segunda-feira, 23 de setembro de 2002 11:15
> Para: nestler () speakeasy net
> Cc: vuln-dev () securityfocus com
> Assunto: Re: OpenSSL Vulnerability and OpenSSH
>
>
> On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:
> > On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler () speakeasy net wrote:
> > > > On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:
> > > > > Does anyone
> > > > > know if the same issues affecting OpenSSL on Apache will affect
> OpenSSL
> > > > > when used with OpenSSH?
> > > >
> > > > yes.
> > > >
> > > > the "issues affecting OpenSSL on Apache" do not affect OpenSSH.
> > > >
> > > > OpenSSH does not use libssl (only libcrypto).
> > >
> > > You seem to imply that all of OpenSSL's problems are in libssl,
> > > which is not the case.
> >
> > no. it does not. i just refer to "issues affecting OpenSSL on Apache".
>
> oops, i forgot to add: you should still update the OpenSSL libcrypto
> library, since it's not know how the ASN.1 bugs affect software using
> libcrypto (and OpenSSH uses libcrypto).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.