Is there any impact?

Damien Miller djm at mindrot.org
Thu Sep 7 10:01:32 EST 2006


On Thu, 7 Sep 2006, Damien Miller wrote:

> > Is there any impact in OpenSSH built with OpenSSL 0.9.7j as OpenSSL is
> > affected by the following vulnerability
> > http://www.openssl.org/news/secadv_20060905.txt ?
> 
> No, OpenSSH performs its own RSA verification which has always checked
> that the signature is not overly long. See ssh-rsa.c for details.

I should also add: OpenSSH ssh-keygen has never generated RSA keys with
exponent == 3 (we always use 35), so Bleichenbacher's new attack won't
work for our keys even if one of the endpoints suffers from the bug.

-d
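
An added illustration of the kind of check discussed in the message above; it is not part of the original message and is not OpenSSH's ssh-rsa.c code. It compares a verifier that stops reading after the hash with one that accepts only the single valid PKCS#1 v1.5 block of exactly modulus length. Assumptions: SHA-1, a 128-byte modulus, a constructed digest value, and hypothetical function names; the byte blocks stand in for the output of the RSA public-key operation, which is not performed here.

```c
#include <string.h>

#define HASH_LEN 20                        /* SHA-1 digest length */
#define MOD_LEN  128                       /* assumed 1024-bit modulus */
static const unsigned char PREFIX[15] = {  /* DigestInfo header for SHA-1 */
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
#define T_LEN   (sizeof(PREFIX) + HASH_LEN)
#define FULL_PS (MOD_LEN - T_LEN - 3)      /* padding length of a valid block */

/* Write 00 01 FF..FF 00 || PREFIX || hash with ps_len padding bytes; room
 * left over is filled with 0xAA, standing in for bytes after the hash. */
static void build_em(unsigned char *em, size_t ps_len, const unsigned char *hash) {
    memset(em, 0xaa, MOD_LEN);
    em[0] = 0x00; em[1] = 0x01; em[2 + ps_len] = 0x00;
    memset(em + 2, 0xff, ps_len);
    memcpy(em + 3 + ps_len, PREFIX, sizeof(PREFIX));
    memcpy(em + 3 + ps_len + sizeof(PREFIX), hash, HASH_LEN);
}

/* Flawed pattern: parse left to right and stop looking after the hash. */
int lax_check(const unsigned char *em, size_t len, const unsigned char *hash) {
    size_t i = 2;
    if (len < 2 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < len && em[i] == 0xff) i++;
    if (i >= len || em[i++] != 0x00 || len - i < T_LEN) return 0;
    return memcmp(em + i, PREFIX, sizeof(PREFIX)) == 0 &&
           memcmp(em + i + sizeof(PREFIX), hash, HASH_LEN) == 0;
}

/* Strict pattern: exact length, then compare with the one valid block. */
int strict_check(const unsigned char *em, size_t len, const unsigned char *hash) {
    unsigned char want[MOD_LEN], diff = 0;
    if (len != MOD_LEN) return 0;           /* short or overlong: reject */
    build_em(want, FULL_PS, hash);
    for (size_t i = 0; i < MOD_LEN; i++) diff |= em[i] ^ want[i];
    return diff == 0;
}

/* Constructed sample: ps_len == FULL_PS is well formed, smaller leaves spare
 * bytes after the hash. Returns the verdict of the chosen check. */
int demo(size_t ps_len, int strict) {
    unsigned char em[MOD_LEN], hash[HASH_LEN];
    memset(hash, 0x5c, HASH_LEN);           /* constructed digest value */
    build_em(em, ps_len, hash);
    return strict ? strict_check(em, MOD_LEN, hash) : lax_check(em, MOD_LEN, hash);
}

/* Exit status 0 when the strict check accepts only the well-formed block. */
int main(void) { return !(demo(FULL_PS, 1) && demo(8, 0) && !demo(8, 1)); }
```

Both checks accept the well-formed block; only the lax one accepts the block with spare bytes after the hash.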