Vulnerability Development mailing list archives
R: OpenSSL Vulnerability and OpenSSH
From: "Alberto Guglielmo" <a.guglielmo () tcpsas com>
Date: Mon, 23 Sep 2002 17:16:52 +0200
I would suggest:

- upgrade to OpenSSL 0.9.6g (latest...)
- recompile Apache+mod_ssl (mandatory)
- recompile OpenSSH (prudential)
- recompile PHP (4.2.2) if you use SSL in it
- verify and eventually recompile Stunnel, Qpopper, etc. (all that ldd or lsof shows is using libssl.so and maybe libcrypto.so).

The difficulty is with statically compiled binaries that don't show what libraries are linked-in (do you remember the bug with zlib?)

I think a defensive policy is a Good Thing and a little more effort than is necessary may pay off.

Regards
Alberto Guglielmo
a.guglielmo<at>tcpsas.com
Key Fingerprint: 7EAF 9E34 2838 7C6B EE47 E8F0 FFC5 3CBC 90AA 5EEE
PGP Keys at: ldap://europe.keys.pgp.com:11370 http://pgpkeys.mit.edu:11371

-----Original Message-----
From: Renato Araújo Ferreira [mailto:rferreira () metrored com br]
Sent: Monday, 23 September 2002 16:32
To: 'Markus Friedl'; nestler () speakeasy net
Cc: vuln-dev () securityfocus com
Subject: RES: OpenSSL Vulnerability and OpenSSH

as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS...", i did it (apache, ssh)... just in case...

-----Original Message-----
From: Markus Friedl [mailto:markus () openbsd org]
Sent: Monday, 23 September 2002 11:15
To: nestler () speakeasy net
Cc: vuln-dev () securityfocus com
Subject: Re: OpenSSL Vulnerability and OpenSSH

On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:
On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler () speakeasy net wrote:
On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:
Does anyone know if the same issues affecting OpenSSL on Apache will affect OpenSSL when used with OpenSSH?
yes. the "issues affecting OpenSSL on Apache" do not affect OpenSSH. OpenSSH does not use libssl (only libcrypto).
You seem to imply that all of OpenSSL's problems are in libssl, which is not the case.
no. it does not. i just refer to "issues affecting OpenSSL on Apache".
oops, i forgot to add: you should still update the OpenSSL libcrypto library, since it's not known how the ASN.1 bugs affect software using libcrypto (and OpenSSH uses libcrypto).
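
The inventory step discussed in this thread (ldd for dynamically linked programs, plus the harder statically linked case), as an added example that is not part of the original messages. The function names are hypothetical, and the search for an embedded "OpenSSL <version>" banner in static binaries is a heuristic assumed here.

```shell
#!/bin/sh
# Added example: list binaries that need a rebuild or restart after an OpenSSL upgrade.

# Classify one binary from its `ldd` output, read on stdin.
# Prints "libssl", "libcrypto", "static" or "none".
classify_ldd() {
    out=$(cat)
    case "$out" in
        *libssl.so*)    echo libssl ;;      # SSL/TLS code in use (Apache+mod_ssl, Stunnel)
        *libcrypto.so*) echo libcrypto ;;   # crypto/ASN.1 code only, as with OpenSSH
        *"not a dynamic executable"*|*"statically linked"*) echo static ;;
        *)              echo none ;;
    esac
}

# Heuristic for static binaries: libcrypto carries a version banner such as
# "OpenSSL 0.9.6e 30 Jul 2002". Prints the first "OpenSSL <version>" found, if any.
embedded_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" 2>/dev/null | head -n 1
}

# Walk the given directories and report executables that link or embed OpenSSL.
scan_dirs() {
    find "$@" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        kind=$(ldd "$f" 2>&1 | classify_ldd)
        case "$kind" in
            libssl|libcrypto)
                echo "$f: dynamic, $kind" ;;
            static)
                ver=$(embedded_openssl_version "$f")
                if [ -n "$ver" ]; then echo "$f: static, embeds $ver"; fi ;;
        esac
    done
}

# Scan only when directories are given, e.g.: sh scan.sh /usr/sbin /usr/local/bin
if [ "$#" -gt 0 ]; then scan_dirs "$@"; fi
```

ldd can execute code from the file it inspects, so point the scan only at trusted system directories. A static binary without a banner is not proof that no OpenSSL code is linked in.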