Recent OpenSSL vulnerability require rebuild of OpenSSH

Jason A. Dour jason at dour.org
Wed Oct 1 21:42:08 EST 2003


On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> recent openssh versions avoid the ASN.1 code
> from openssl. only reading of private
> keys uses this code, so openssh is not affected.

I don't want to beat a dead horse, but as we rely completely on
OpenSSH for our corporation, I have to ask.

Could someone PLEASE make a definitive statement here or on the
OpenSSH website regarding what, if any, versions of OpenSSH ARE
vulnerable?  If none are vulnerable, could that be stated?

All statements made thus far are not clear.  Without specifics, we
are left wondering, and wondering is not a Good Thing when it comes
to security...

Markus says "recent versions" are safe, but that is not a specific
answer, and is thus open to (mis)interpretation.



Thanks,
Jason

# "Jason A. Dour" <jason at dour.org>                  http://dour.org/




More information about the openssh-unix-dev mailing list