Is there any impact?

Damien Miller djm at
Thu Sep 7 10:01:32 EST 2006

On Thu, 7 Sep 2006, Damien Miller wrote:

> > Is there any impact in OpenSSH build with OpenSSL 0.9.7j as OpenSSL is
> > affected by the following vulnerability
> > ?
> No, OpenSSH performs its own RSA verification which has always checked
> that the signature is not overly long. See ssh-rsa.c for details.

I should also add: OpenSSH ssh-keygen has never generated RSA keys with
exponent == 3 (we always use 35), so Bleichenbacher's new attack won't
work for our keys even if one of the endpoints suffers from the bug.


More information about the openssh-unix-dev mailing list