openssh unix dev - Oct 2003 - Recent OpenSSL vulnerability require rebuild of OpenSSH

We have OpenSSH built against a static version of the OpenSSL library.
Do the recent OpenSSL vulnerabilities necessitate a rebuild of
OpenSSH?
  http://www.openssl.org/news/secadv_20030930.txt
>From the description of the four bugs, I'm inclined to think not.
-- 
albert chin (china at thewrittenword.com)

recent openssh versions avoid the ASN.1 code
from openssl. only reading of private
keys uses this code, so openssh is not affected.

On Tue, Sep 30, 2003 at 09:01:19PM -0500, Albert Chin
wrote:
> We have OpenSSH built against a static version of the OpenSSL library.
> Do the recent OpenSSL vulnerabilities necessitate a rebuild of
> OpenSSH?
>   http://www.openssl.org/news/secadv_20030930.txt
> 
> >From the description of the four bugs, I'm inclined to think not.
> 
> -- 
> albert chin (china at thewrittenword.com)
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl
wrote:
> recent openssh versions avoid the ASN.1 code
> from openssl. only reading of private
> keys uses this code, so openssh is not affected.
s/recent openssh versions/OpenSSH >= 3.5/

On Wed, Oct 01, 2003 at 06:55:50PM +0200, Markus Friedl
wrote:
> On Wed, Oct 01, 2003 at 11:24:50AM +0200, Markus Friedl wrote:
> > recent openssh versions avoid the ASN.1 code
> > from openssl. only reading of private
> > keys uses this code, so openssh is not affected.
> 
> s/recent openssh versions/OpenSSH >= 3.5/
Thank you.  8)


Cheers,
Jason

A DoS attack in the ASN.1 code would only affect the child process
anyway, would it not?

Mike Stone

On Wed, Oct 01, 2003 at 05:32:17PM -0400, Michael Stone
wrote:
> A DoS attack in the ASN.1 code would only affect the child process
> anyway, would it not?
yes, it would not affect the listening process.