OpenSSL

Brandon Allbery allbery.b at gmail.com
Tue Apr 8 12:44:06 PDT 2014


On Tue, Apr 8, 2014 at 2:49 PM, Kastus Shchuka <macports at tprfct.net> wrote:
>
> On Apr 8, 2014, at 11:31 AM, Niels Dettenbach wrote:
> > But as far as I can read until now OpenSSH uses OpenSSL code not related to
> > TLS/SSL or the ASN.1 parser which is affected here - but yesterday and today
> > some distributors gave openssh updates in parallel regarding another security
> > hole in OpenSSH (i.e. Debian) including a new host key generation.
>
> I am not sure what the problem with those distros is, but according to
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch
>
> ``Only SSL/TLS services are affected.  Software that uses libcrypto alone
> is not affected.  In particular, ssh/sshd are not affected and there
> is no need to regenerate SSH host keys that have not otherwise been
> exposed.''
>

I don't know why the openssh issues would require a new key. One is related
to AcceptEnv processing and the other to ssh fingerprints over DNS; as far
as I can tell, the latter cannot compromise a host or user private key.

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net