
Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution

From: Christoph Moench-Tegeder <cmt(at)burggraben.net>
Date: Thu Oct 11 2007 - 06:37:40 EDT


## Wolfgang Jeltsch (7o2lccqg@acme.softbase.org):

> I was surprised that during updating OpenSSL, it was
> suggested to restart SSH since SSH was said to be dependent on OpenSSL. In
> what way does SSH depend on OpenSSL?

OpenSSH is linked against libcrypto (see ldd).

> Under which circumstances do the
> security holes of OpenSSL cause security issues with SSH?

As this is a bug in libssl, ssh is possibly not affected. I can't see how ssh could ever get into SSL_get_shared_ciphers() either, but then again I didn't track through all of ssh's source code.

Regards
Christoph

-- 
Spare Space


Received on Thu Oct 11 06:38:25 2007
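
The `ldd` check mentioned in the reply above, as an added example that is not part of the original thread: it classifies a binary by which OpenSSL libraries it links, and goes one step further by listing libssl/libcrypto files that a running process still has mapped after the package was replaced on disk, which is the condition a post-upgrade restart clears. All function names, paths and sample data are constructed for illustration; `libcrypto.so.N` stands in for the real soname.

```shell
#!/bin/sh
# Added example, not from the original thread. All sample data is constructed.
# Live use: ldd /usr/sbin/sshd | classify_openssl_deps
#           stale_openssl_maps < /proc/<pid>/maps

# Reads `ldd` output on stdin; reports which OpenSSL libraries are linked.
classify_openssl_deps() {
    awk '
        $1 ~ /^libssl\.so/    { ssl = 1 }
        $1 ~ /^libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl && crypto) print "libssl+libcrypto"
            else if (crypto)   print "libcrypto-only"
            else if (ssl)      print "libssl-only"
            else               print "none"
        }'
}

# Reads /proc/<pid>/maps content on stdin; prints each libssl/libcrypto path
# whose file was replaced on disk while the process kept the old copy mapped.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ && !seen[$6]++ { print $6 }'
}

# Constructed ldd output: a daemon that uses only libcrypto.
sample_ldd_crypto_only() {
    echo "    libcrypto.so.N => /usr/lib/libcrypto.so.N (0xb7d4e000)"
    echo "    libz.so.1 => /usr/lib/libz.so.1 (0xb7d39000)"
    echo "    libc.so.6 => /lib/libc.so.6 (0xb7bee000)"
}

# Constructed ldd output: a TLS server that links libssl as well.
sample_ldd_tls() {
    echo "    libssl.so.N => /usr/lib/libssl.so.N (0xb7f01000)"
    echo "    libcrypto.so.N => /usr/lib/libcrypto.so.N (0xb7d4e000)"
    echo "    libc.so.6 => /lib/libc.so.6 (0xb7bee000)"
}

# Constructed maps excerpt from a process started before the upgrade.
sample_maps_after_upgrade() {
    echo "b7d4e000-b7e8a000 r-xp 00000000 08:01 393237 /usr/lib/libcrypto.so.N (deleted)"
    echo "b7e8a000-b7ea0000 rw-p 0013c000 08:01 393237 /usr/lib/libcrypto.so.N (deleted)"
    echo "b7bee000-b7d35000 r-xp 00000000 08:01 131090 /lib/libc.so.6"
}

sample_ldd_crypto_only | classify_openssl_deps
sample_ldd_tls | classify_openssl_deps
sample_maps_after_upgrade | stale_openssl_maps
```
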
