Fw: version question

Damien Miller djm at mindrot.org
Fri Nov 21 14:19:41 EST 2014


On Thu, 20 Nov 2014, Nico Kadel-Garcia wrote:

> On Thu, Nov 20, 2014 at 9:31 PM, Damien Miller <djm at mindrot.org> wrote:
> > On Wed, 19 Nov 2014, Nico Kadel-Garcia wrote:
> >
> >> Use 6.6p1, or consider patching the check for openssl version in
> >> openbsd-compat/openssl-compat.h to ignore the failure, on the basis
> >> that RHEL has been backporting patches to openssl for RHEL 5..
> >
> > Do you understand why that check exists in the first place?
>
> That's why I asked.

Maybe you should ask _before_ recommending people disable checks in
their security software.

> A bit more digging shows that the HeartBleed bug apparently never
> applied to 0.9.8 versions of OpenSSL, the version used in RHEL 5, so
> that shouldn't be an issue there. OpenSSH version 6.6 was indeed
> compatible with that older OpenSSL on RHEL 5, I even just tested its
> basic functionality, so I assume it's not a major API incompatibility
> introduced with OpenSSH 6.7p1.

It has nothing to do with heartbleed - that is an SSL bug that doesn't
affect OpenSSH at all.

OpenSSL made a small API change in their 0.9.8 stable series that we
previously carried a compat hack for. The impact of not having this hack
is that EVP_CIPHER_CTX_key_length() returns an incorrect length. This
could cause connection problems or possibly insecurity in sshd.

-d
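The check under discussion compares the OpenSSL version a binary was built against with the one the library reports at run time. The following is an added illustration of such a check, not OpenSSH's own openssl-compat code; it assumes only the 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER, and its acceptance policy is illustrative.

```c
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER is 0xMNNFFPPS: M major, NN minor, FF fix,
 * PP patch letter (0 none, 1 'a', ...), S status. The library reports
 * the same encoding at run time, so the two can be compared. */
#define OSSL_MAJOR(v)  (((v) >> 28) & 0xfUL)
#define OSSL_MINOR(v)  (((v) >> 20) & 0xffUL)
#define OSSL_FIX(v)    (((v) >> 12) & 0xffUL)
#define OSSL_PATCH(v)  (((v) >> 4) & 0xffUL)

/* 1 if a binary built against headers reporting headerver may run
 * against a library reporting libver, else 0. Illustrative policy:
 * major/minor must match; before 1.0.0 the fix level must match too
 * (patch letters are accepted); from 1.0.0 on the library's fix
 * level may be newer than the headers' but not older. */
int ssl_version_compatible(unsigned long headerver, unsigned long libver)
{
    if (headerver == libver)
        return 1;
    if (OSSL_MAJOR(headerver) != OSSL_MAJOR(libver) ||
        OSSL_MINOR(headerver) != OSSL_MINOR(libver))
        return 0;
    if (headerver < 0x10000000UL)
        return OSSL_FIX(headerver) == OSSL_FIX(libver);
    return OSSL_FIX(libver) >= OSSL_FIX(headerver);
}

/* "M.NN.FFp" for a log line; static buffer, so not reentrant. */
const char *ssl_version_string(unsigned long v)
{
    static char buf[32];
    unsigned long p = OSSL_PATCH(v);
    char patch[2] = { p ? (char)('a' + p - 1) : '\0', '\0' };
    snprintf(buf, sizeof buf, "%lu.%lu.%lu%s",
             OSSL_MAJOR(v), OSSL_MINOR(v), OSSL_FIX(v), patch);
    return buf;
}

int main(void)
{
    /* Constructed values, not read from any real host: 0.9.8e headers. */
    unsigned long hdr = 0x0090805fUL, lib = 0x0090705fUL; /* 0.9.7e lib */
    printf("headers %s, ", ssl_version_string(hdr));
    printf("library %s: %s\n", ssl_version_string(lib),
           ssl_version_compatible(hdr, lib) ? "ok" : "REFUSE");
    return 0;
}
```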
