Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

R: OpenSSL Vulnerability and OpenSSH

From: "Alberto Guglielmo" <a.guglielmo () tcpsas com>
Date: Mon, 23 Sep 2002 17:16:52 +0200
I would suggest:
- upgrade to OpenSSL 0.9.6g (latest...)
- recompile Apache+mod_ssl (mandatory)
- recompile OpenSSH (prudential)
- recompile PHP (4.2.2) if you use SSL in it
- verify and eventually recompile Stunnel, Qpopper, etc. (all that ldd or
lsof shows is using libssl.so and maybe libcrypto.so).
The difficulty is with statically compiled binaries that don't show what
libraries are linked-in (do you remember the bug with zlib ?)
I think a defensive policy is a Good Thing and a little more effort than is
necessary may pay worth
Regards

Alberto Guglielmo
a.guglielmo<at>tcpsas.com
Key Fingerprint:7EAF 9E34 2838 7C6B EE47  E8F0 FFC5 3CBC 90AA 5EEE
PGP Keys at:
ldap://europe.keys.pgp.com:11370
http://pgpkeys.mit.edu:11371


-----Messaggio originale-----
Da: Renato Araújo Ferreira [mailto:rferreira () metrored com br]
Inviato: lunedì 23 settembre 2002 16.32
A: 'Markus Friedl'; nestler () speakeasy net
Cc: vuln-dev () securityfocus com
Oggetto: RES: OpenSSL Vulnerability and OpenSSH


as the advisory said: "...upgrade to OpenSSL 0.9.6e. Recompile all
applications using OpenSSL to provide SSL or TLS...", i did it (apache,
ssh)... just in case...

-----Mensagem original-----
De: Markus Friedl [mailto:markus () openbsd org]
Enviada em: segunda-feira, 23 de setembro de 2002 11:15
Para: nestler () speakeasy net
Cc: vuln-dev () securityfocus com
Assunto: Re: OpenSSL Vulnerability and OpenSSH


On Mon, Sep 23, 2002 at 10:24:53AM +0200, Markus Friedl wrote:

On Sat, Sep 21, 2002 at 09:43:48AM -0700, nestler () speakeasy net wrote:

On Fri, Sep 20, 2002 at 09:05:59AM -0400, Eric Maiwald wrote:

Does anyone
know if the same issues affecting OpenSSL on Apache will affect

OpenSSL

when used with OpenSSH?


yes.

the "issues affecting OpenSSL on Apache" do not affect OpenSSH.

OpenSSH does not use libssl (only libcrypto).


You seem to imply that all of OpenSSL's problems are in libssl,
which is not the case.


no. it does not. i just refer to "issues affecting OpenSSL on Apache".


oops, i forgot to add: you should still update the OpenSSL libcrypto
library, since it's not know how the ASN.1 bugs affect software using
libcrypto (and OpenSSH uses libcrypto).
Previous By Date Next
Previous By Thread Next

Current thread: