confusion over RSAref vul w/OpenSS[HL]

Chris Saia csaia at
Sun Dec 5 08:16:24 EST 1999


  The string of notices on BugTraq about RSAref being vulnerable to
  overflows has me concerned.  After trying to sort through all the
  messages, I can't figure out whether I need to update OpenSSL (a
  check of their website indicates no new patches), OpenSSH, both, or
  neither.  I am aware there is no known exploit for it yet.

  I could be a bad boy and just run all the code without RSAref, given
  that my software builds will probably outlast the (ridiculous)
  software patent, which expires in 10 months.  However, I figure I
  best pursue a legitimate [legal] solution first.

  What's the deal?

  "Burned in Boston"

   csaia at
    GNU Privacy Guard Public Key information is available at the above URL.

