OpenSSL

Kastus Shchuka macports at tprfct.net
Tue Apr 8 11:49:30 PDT 2014


On Apr 8, 2014, at 11:31 AM, Niels Dettenbach wrote:

> On Tuesday, 8 April 2014, 20:03:30, Harald Hanche-Olsen wrote:
>> But ssh does not use the openssl libraries, so there is no point, as
>> this bug will not have exposed the ssh host keys.
> Hmm,
> I'm not deep into the OpenSSH development yet, but I thought that OpenSSH 
> does even use (or at least implements part of a current) OpenSSL?
> 
> ssh -v somehost:
> ...
> OpenSSH_6.6, OpenSSL 1.0.1g 7 Apr 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to abc.de.tld [1.2.3.4] port 22.
> debug1: Connection established.
> ...
> 
> But as far as I can read till now OpenSSH uses OpenSSL code not related to 
> TLS/SSL or the ASN.1 parser which is affected here - but yesterday and today 
> some distributors gave openssh updates in parallel regarding another security 
> hole in OpenSSH (i.e. Debian) including a new host key generation.
> 

I am not sure what the problem with those distros is, but according to http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch

``Only SSL/TLS services are affected.  Software that uses libcrypto alone
is not affected.  In particular, ssh/sshd are not affected and there
is no need to regenerate SSH host keys that have not otherwise been
exposed.''

-Kastus
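
The quoted OpenBSD note draws the line between SSL/TLS services and software that uses libcrypto alone. As an added example (not part of the original message or of any project mentioned), this shell function classifies a binary's dynamic linkage from `ldd` or `otool -L` output; the function name and the sample listings are constructed for illustration, and statically linked or dlopen-loaded libraries do not appear in such listings.

```shell
#!/bin/sh
# classify_linkage (hypothetical helper): reads `ldd <binary>` (Linux) or
# `otool -L <binary>` (macOS) output on stdin and prints one of:
#   tls             links libssl, the SSL/TLS library
#   libcrypto-only  links libcrypto but not libssl
#   none            links neither
# The dot after the name keeps NSS's libssl3 from being counted as OpenSSL libssl.
classify_linkage() {
    awk '
        /libssl[.]/    { ssl = 1 }
        /libcrypto[.]/ { crypto = 1 }
        END {
            if (ssl)         print "tls"
            else if (crypto) print "libcrypto-only"
            else             print "none"
        }'
}

# Constructed sample listings (not captured from a real system).
SAMPLE_LIBCRYPTO_ONLY='	libcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0
	libz.so.1 => /lib/libz.so.1
	libc.so.6 => /lib/libc.so.6'

SAMPLE_TLS='	/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0)
	/opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0)'

SAMPLE_NSS='	libssl3.so => /usr/lib/libssl3.so
	libc.so.6 => /lib/libc.so.6'

printf 'libcrypto-only sample: %s\n' "$(printf '%s\n' "$SAMPLE_LIBCRYPTO_ONLY" | classify_linkage)"
printf 'tls sample:            %s\n' "$(printf '%s\n' "$SAMPLE_TLS" | classify_linkage)"
printf 'nss sample:            %s\n' "$(printf '%s\n' "$SAMPLE_NSS" | classify_linkage)"

# Optional: classify real binaries passed as arguments.
for bin in "$@"; do
    result=$( { otool -L "$bin" 2>/dev/null || ldd "$bin" 2>/dev/null; } | classify_linkage )
    printf '%s: %s\n' "$bin" "$result"
done
```

A `tls` result only says the binary links the SSL/TLS library; whether the installed library version is a fixed one still has to be checked separately.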




More information about the macports-users mailing list