OpenSSL vulnerability...

Markus Friedl markus at
Wed Oct 1 06:41:27 EST 2003

On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at wrote:
> Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the 
> OpenSSL vulnerabilities announced today?    Namely the ASN.1 parsing 
> problem and the malformed key bugs?

no, we avoid the OpenSSL ASN.1 code for signature verification
and we don't support x509.

only reading of _private_ keys triggers the ASN.1 code
in OpenSSH.

More information about the openssh-unix-dev mailing list