From: Alan Rouse (ARouse_at_n2bb.com)
Date: Wed Jul 31 2002 - 08:02:48 CDT
So, if I'm using OpenSSH but (otherwise) not OpenSSL, will my remedy
require an update of OpenSSH or of OpenSSL, or both?
-----Original Message-----
From: Olaf Kirch [mailto:okir suse.de]
Sent: Wednesday, July 31, 2002 4:14 AM
To: Graham Murray
Cc: suse-security suse.com
Subject: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
> Openssh uses openssl. Is openssh vulnerable to any of the openssl
> exploits?
Potentially, yes. It may be possible to trigger the ASN.1 signedness
bug when decoding RSA keys during/after RSA authentication. The other
bugs, no, because OpenSSH doesn't use SSL.
Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okirsuse.de    | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
-- To unsubscribe, e-mail: suse-security-unsubscribe
suse.com For additional commands, e-mail: suse-security-help
suse.com Security-related bug reports go to security
suse.de, not here