Openssl and openssh
Florian Weimer
Weimer at CERT.Uni-Stuttgart.DE
Fri Aug 2 01:08:24 EST 2002
"kumar" <kumareshind at gmx.net> writes:
> I had seen some recommendations for and against that these vulnerabilities
> affect OpenSSH.
Protocol 2 RSA public key/host based authentication calls OpenSSL's
RSA_verify, which uses the ASN.1 parser internally. Exploiting
CAN-2002-0659 still requires that the SSH2 public key has been stored
on the SSH server, so no anonymous attacks are possible in typical
contexts.
--
Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
More information about the openssh-unix-dev
mailing list