Vulnerability Development mailing list archives
Re: RES: OpenSSL Vulnerability and OpenSSH
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 23 Sep 2002 10:20:11 -0500 (CDT)
actually, there have been found other issues with OpenSSL 0.9.6e and it is recommended that folks upgrade to the current, OpenSSL 0.9.6g. Thanks, Ron DuFresne On Mon, 23 Sep 2002, Renato Araújo Ferreira wrote:
as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS...", i did it (apache, ssh)... just in case... -----Mensagem original----- De: Markus Friedl [mailto:markus () openbsd org] Enviada em: segunda-feira, 23 de setembro de 2002 11:15 Para: nestler () speakeasy net Cc: vuln-dev () securityfocus com Assunto: Re: OpenSSL Vulnerability and OpenSSH On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler () speakeasy net wrote:On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:Does anyone know if the same issues affecting OpenSSL on Apache will affectOpenSSLwhen used with OpenSSH?yes. the "issues affecting OpenSSL on Apache" do not affect OpenSSH. OpenSSH does not use libssl (only libcrypto).You seem to imply that all of OpenSSL's problems are in libssl, which is not the case.no. it does not. i just refer to "issues affecting OpenSSL on Apache".oops, i forgot to add: you should still update the OpenSSL libcrypto library, since it's not know how the ASN.1 bugs affect software using libcrypto (and OpenSSH uses libcrypto).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- RES: OpenSSL Vulnerability and OpenSSH Renato Araújo Ferreira (Sep 23)
- Re: RES: OpenSSL Vulnerability and OpenSSH Ron DuFresne (Sep 23)