Openssl and openssh

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Mon Aug 5 19:17:58 EST 2002


On Thu, Aug 01, 2002 at 05:08:24PM +0200, Florian Weimer wrote:
> "kumar" <kumareshind at gmx.net> writes:
> 
> > I had seen some recommendations for and against that these vulnerabilities
> > affect OpenSSH.
> 
> Protocol 2 RSA public key/host based authentication calls OpenSSL's
> RSA_verify, which uses the ASN.1 parser internally.  Exploiting
> CAN-2002-0659 still requires that the SSH2 public key has been stored
> on the SSH server, so no anonymous attacks are possible in typical
> contexts.

we will probably try this in the future:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-rsa.c.diff?r1=1.24&r2=1.25



More information about the openssh-unix-dev mailing list