Recent OpenSSL vulnerability require rebuild of OpenSSH

Markus Friedl markus at
Wed Oct 1 22:09:19 EST 2003

if someone pays me, then i can check all versions.

right now i really don't have time.

On Wed, Oct 01, 2003 at 07:42:08AM -0400, Jason A. Dour wrote:
> On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> > recent openssh versions avoid the ASN.1 code
> > from openssl. only reading of private
> > keys uses this code, so openssh is not affected.
> I don't want to beat a dead horse, but as we rely completely on
> OpenSSH for our corporation, I have to ask.
> Could someone PLEASE make a definitive statement here or one the
> OpenSSH website regarding what, if any, versions of OpenSSH ARE
> vulnerable?  If none are vulnerable, could that be stated?
> All statements made thus far are not clear.  Without specifics, we
> are left wondering, and wondering is not a Good Thing when it comes
> to security...
> Markus says "recent versions" are safe, but that is not a specific
> answer, and is thus open to (mis)interpretation.
> Thanks,
> Jason
> # "Jason A. Dour" <jason at>        
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list