OpenSSL vulnerability...
Asif Iqbal
iqbala at qwestip.net
Fri Oct 3 06:32:56 EST 2003
On Tue, 30 Sep 2003, Markus Friedl wrote:
> On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > problem and the malformed key bugs?
>
> no, we avoid the OpenSSL ASN.1 code for signature verification
> and we don't support x509.
>
> only reading of _private_ keys triggers the ASN.1 code
> in OpenSSH.
Does this statement encompass login with RSA keys ?
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1
More information about the openssh-unix-dev
mailing list