Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution

Am Mittwoch, 10. Oktober 2007 19:59 schrieb Noah Meyerhans:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1379-2 security@debian.org
> http://www.debian.org/security/ Noah Meyerhans
> October 10, 2007
> ------------------------------------------------------------------------
>
> Package : openssl097, openssl096
> Vulnerability : off-by-one error/buffer overflow
> Problem type : remote
> Debian-specific: no
> CVE Id(s) : CVE-2007-5135
> Debian Bug : 444435
>
> An off-by-one error has been identified in the SSL_get_shared_ciphers()
> routine in OpenSSL, an implementation of Secure Socket Layer
> cryptographic libraries and utilities. This error could allow an
> attacker to crash an application making use of OpenSSL's libssl library,
> or potentially execute arbitrary code in the security context of the
> user running such an application.
>
> This update to DSA 1379 announces the availability of the libssl0.9.6
> and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch
> (stable), respectively.
>
> We recommend that you upgrade your openssl097 and openssl096 packages.

Hello,

I didn’t update my OpenSSL packages until now since I assumed that OpenSSL is not used on my machine. I was surprised that during updating OpenSSL, it was suggested to restart SSH since SSH was said to be dependent on OpenSSL. In what way does SSH depend on OpenSSL? Under which circumstances do the security holes of OpenSSL cause security issues with SSH?

Thank you for any help.

Best regards,
Wolfgang Jeltsch Received on Thu Oct 11 06:19:56 2007