openssh unix dev - Jul 2002 - openssl+openssh

On second thought...at which point in the code does openssh use openssl?  
Would this take place while the "little guy" is jailed off in some
obscure
non-root location?  If that's the case, then do we have to worry about the
ssl bug in privsep'd installations?  To what extent do we even need to 
worry about the openssl problem?

--Eric

Hi,

On Tue, Jul 30, 2002 at 02:51:21PM +0000, ew-ssh at kegger.national-security.net
wrote:
>   On second thought...at which point in the code does openssh use openssl?
> Would this take place while the "little guy" is jailed off in
some obscure
> non-root location?  If that's the case, then do we have to worry about
the
> ssl bug in privsep'd installations?  To what extent do we even need to 
> worry about the openssl problem?
PrivSep can prevent a remote break-in with file system access.

What PrivSep can not prevent is a break-in with network access from the
insecure host - which could then be abused for DDOS or SPAM relaying or
other attacks based on things that this machine can do in the network that
an "outside" machine can't do.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at
greenie.muc.de
fax: +49-89-35655025                        gert.doering at
physik.tu-muenchen.de