bugzilla-daemon at mindrot.org
2003-Oct-08 16:04 UTC
[Bug 737] CERT® Advisory CA-2003-26 - any effect on OpenSSH?
http://bugzilla.mindrot.org/show_bug.cgi?id=737
Summary: CERT® Advisory CA-2003-26 - any effect on OpenSSH?
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: moulton at snmp.com
Please pardon me if submitting a bug report is not the correct
procedure to address this.
Is OpenSSH affected by the vulnerability in OpenSSL discussed in
http://www.cert.org/advisories/CA-2003-26.html ? I don't find a reference
to it on the OpenSSH web site.
CERT's only discussion wrt OpenSSH is
. http://www.kb.cert.org/vuls/id/AAMN-5RXR29
. an assertion by IBM that it does not affect OpenSSH as they distribute it.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Oct-08 21:35 UTC
[Bug 737] CERT® Advisory CA-2003-26 - any effect on OpenSSH?
http://bugzilla.mindrot.org/show_bug.cgi?id=737
djm at mindrot.org changed:
      What    |Removed    |Added
----------------------------------------------------------------------------
        Status|NEW        |RESOLVED
    Resolution|           |INVALID
------- Additional Comments From djm at mindrot.org 2003-10-09 07:35 -------
Not significantly. For recent versions of OpenSSH, the OpenSSL ASN.1 code is
used only for loading private keys. It is not used to verify signatures coming
from the network.
For future reference: A bug tracking system is intended for reporting bugs;
please use the mailing list for questions like this.