OpenSSL vulnerability...

Markus Friedl markus at openbsd.org
Sun Oct 5 00:57:59 EST 2003


On Fri, Oct 03, 2003 at 02:06:51AM -0400, Asif Iqbal wrote:
> On Thu, 2 Oct 2003, Asif Iqbal wrote:
> 
> > On Tue, 30 Sep 2003, Markus Friedl wrote:
> >
> > > On Tue, Sep 30, 2003 at 12:06:30PM -0500, hayward at slothmud.org wrote:
> > > > Does OpenSSH use OpenSSL in a way in which it would be vulnerable to the
> > > > OpenSSL vulnerabilities announced today? Namely the ASN.1 parsing
> > > > problem and the malformed key bugs?
> > >
> > > no, we avoid the OpenSSL ASN.1 code for signature verification
> > > and we don't support x509.
> > >
> > > only reading of _private_ keys triggers the ASN.1 code
> > > in OpenSSH.
> >
> > Does this statement encompass login with RSA keys?
> 
> In other words, does this vulnerability of OpenSSL make RSA Key Authentication
> in OpenSSH vulnerable as well?

no. i wrote:

	we avoid the OpenSSL ASN.1 code for signature verification






More information about the openssh-unix-dev mailing list
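
One way an RSA (PKCS#1 v1.5) signature check can avoid running an ASN.1 parser on signer-controlled data is to build the single valid encoded block and compare it byte for byte. This is an added illustration, not code from this thread or from OpenSSH; the SHA-1 digest, the toy key built from two Mersenne primes, and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Fixed DER bytes of the SHA-1 DigestInfo header (RFC 8017, section 9.2).
# It is used as an opaque constant; nothing here ever decodes ASN.1.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def expected_em(message: bytes, k: int) -> bytes:
    """Return the only valid EMSA-PKCS1-v1_5 block for message and a k-byte modulus."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Verify by encode-and-compare instead of decode-and-parse."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # The recovered block must equal the expected one exactly, so malformed
    # padding or DER in the signature is rejected without being interpreted.
    return hmac.compare_digest(em, expected_em(message, k))


# Constructed toy key for the demonstration only (Mersenne primes, not secure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # requires Python 3.8+


def toy_sign(message: bytes) -> bytes:
    """Sign with the constructed key so the verifier has valid input to check."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(expected_em(message, k), "big")
    return pow(m, D, N).to_bytes(k, "big")


if __name__ == "__main__":
    sig = toy_sign(b"constructed sample message")
    print(rsa_verify(b"constructed sample message", sig, N, E))
    print(rsa_verify(b"a different message", sig, N, E))
```
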