From: Martin Köhling (mk_at_lw1.cc-computer.de)
Date: Wed Sep 11 2002 - 09:40:05 CDT
Hi!
On Thu, 5 Sep 2002, Roman Drahtmueller wrote:
> Hi Rob,
>
> >
> > Currently, I am running SuSE 7.3 on the firewall/masquerading/gateway machine
> > for my home network. I was also running openssh. That was until I ran a
> > security scan (Nessus 1.0.10) that showed the version of ssh
> > (openssh-2.9.9p2-103) to be highly vulnerable. So I read the SuSE security
> > announcements and it seems that the version I have has been patched and all
> > is well. So, I am secure running openssh 2.9.9p2? Would an updated version
>
> To our knowledge, yes.
What about the recently fixed openssl bugs?
On Wed, 31 Jul 2002, Olaf Kirch wrote :
>On Tue, Jul 30, 2002 at 09:58:43PM +0100, Graham Murray wrote:
>> Openssh uses openssl. Is openssh vulnerable to any of the openssl
>> exploits?
>
>Potentially, yes. It may be possible to trigger the ASN.1 signedness
>bug when decoding RSA keys during/after RSA authentication. The other
>bugs, no, because OpenSSH doesn't use SSL.
At least on SuSE 7.2, ssh and sshd are *not* dynamically linked against
the openssl libs - so perhaps they are statically linked and thus still
vulnerable?!?
Or don't they use openssl at all?
(openssh-2.9.9p2-103 was built on Jun 28, a month before the openssl
announcement!)
I asked this question before but got no answer... :-(
Martin
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
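The question raised in this message (no dynamic link to the openssl libs, so statically linked, or not used at all?) can be checked on the binary itself. The following is an added example, not part of the original message or of any SuSE tooling; the function name `crypto_linkage` is hypothetical, and it assumes a statically linked OpenSSL leaves its usual "OpenSSL x.y.z" version banner in the file.

```shell
#!/bin/sh
# Added example: report how a binary gets its OpenSSL code.
# Prints "dynamic <lib>" or "embedded <version>" (one per line), or "none".
# Usage: crypto_linkage /usr/sbin/sshd
# Note: ldd may invoke the program's loader, so use it only on trusted binaries.

crypto_linkage() {
    bin=$1
    [ -r "$bin" ] || { echo "unreadable"; return 2; }

    # 1. Shared-library dependency: if ldd lists libcrypto/libssl, the code is
    #    resolved at run time and updating the library package covers it.
    libs=$(ldd "$bin" 2>/dev/null |
           awk '$1 ~ /^lib(crypto|ssl)\.so/ {print $1}' | sort -u) || true
    if [ -n "$libs" ]; then
        for l in $libs; do echo "dynamic $l"; done
        return 0
    fi

    # 2. No such dependency: look for OpenSSL version banners compiled into
    #    the file, which a static link of libcrypto leaves behind. Non-printable
    #    bytes become newlines so plain grep can scan the binary.
    vers=$(LC_ALL=C tr -c '[:print:]' '\n' < "$bin" |
           grep -E -o 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | sort -u) || true
    if [ -n "$vers" ]; then
        echo "$vers" | sed 's/^OpenSSL /embedded /'
        return 0
    fi

    # 3. Neither: the binary does not appear to carry OpenSSL at all.
    echo "none"
}

if [ "$#" -gt 0 ]; then
    crypto_linkage "$1"
fi
```

An embedded version only identifies the upstream release that was compiled in; vendor packages may carry backported fixes under the same version string, so compare the result with the package changelog and build date.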