Is there any impact?
Damien Miller
djm at mindrot.org
Thu Sep 7 10:01:32 EST 2006
On Thu, 7 Sep 2006, Damien Miller wrote:
> > Is there any impact in OpenSSH build with OpenSSL 0.9.7j as OpenSSL is
> > affected by the following vulnerability
> > http://www.openssl.org/news/secadv_20060905.txt ?
>
> No, OpenSSH performs its own RSA verification which has always checked
> that the signature is not overly long. See ssh-rsa.c for details.
I should also add: OpenSSH ssh-keygen has never generated RSA keys with
exponent == 3 (we always use 35), so Bleichenbacher's new attack won't
work for our keys even if one of the endpoints suffers from the bug.
-d
More information about the openssh-unix-dev
mailing list