Recent OpenSSL vulnerability require rebuild of OpenSSH
Markus Friedl
markus at openbsd.org
Wed Oct 1 22:09:19 EST 2003
if someone pays me, then i can check all versions.
right now i really don't have time.
On Wed, Oct 01, 2003 at 07:42:08AM -0400, Jason A. Dour wrote:
> On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> > recent openssh versions avoid the ASN.1 code
> > from openssl. only reading of private
> > keys uses this code, so openssh is not affected.
>
> I don't want to beat a dead horse, but as we rely completely on
> OpenSSH for our corporation, I have to ask.
>
> Could someone PLEASE make a definitive statement here or one the
> OpenSSH website regarding what, if any, versions of OpenSSH ARE
> vulnerable? If none are vulnerable, could that be stated?
>
> All statements made thus far are not clear. Without specifics, we
> are left wondering, and wondering is not a Good Thing when it comes
> to security...
>
> Markus says "recent versions" are safe, but that is not a specific
> answer, and is thus open to (mis)interpretation.
>
>
>
> Thanks,
> Jason
>
> # "Jason A. Dour" <jason at dour.org> http://dour.org/
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list