Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
From: Christoph Moench-Tegeder <cmt@burggraben.net>
Date: Thu, 11 Oct 2007 12:37:40 +0200
Message-id: <[🔎] 20071011103740.GB1196@elch.haidundneu23.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 200710111202.06124.7o2lccqg@acme.softbase.org>
References: <E1Iffq5-0003Gg-Aw@klecker.debian.org> <[🔎] 200710111202.06124.7o2lccqg@acme.softbase.org>

## Wolfgang Jeltsch (7o2lccqg@acme.softbase.org):

>  I was surprised that during updating OpenSSL, it was 
> suggested to restart SSH since SSH was said to be dependent on OpenSSL.  In 
> what way does SSH depend on OpenSSL?

OpenSSH is linked against libcrypto (see ldd).

> Under which circumstances do the 
> security holes of OpenSSL cause security issues with SSH?

As this is a bug in libssl, ssh is possibly not affected. I can't see
how ssh could ever get into SSL_get_shared_ciphers() either, but then
again I didn't track through all of ssh's source code.

Regards
Christoph

-- 
Spare Space

Reply to:

References:
- Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
  - From: Wolfgang Jeltsch <7o2lccqg@acme.softbase.org>

Prev by Date: Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
Next by Date: Our foregoers the mere words a.
Previous by thread: Re: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
Next by thread: Our foregoers the mere words a.
Index(es):
- Date
- Thread