Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?
On 13:26 Wed 09 Apr , bsod wrote:
> On 2014-04-09 12:42, Rob van der Putten wrote:
> >According to a post on slashdot SSH is not affected. I don't know if
> >this is correct.
>
> (Open-)SSH is not affected as it does not use openssl at all. Should be the
> same for other SSH daemons like dropbear as they are not using TLS in SSH
> Protocol.

Actually OpenSSH uses OpenSSL, it just does not use TLS for transport.
OpenSSL comprises two libraries: libcrypto[1] and libssl, providing
generic crypto facilities and transport security respectively. The
affected functions (dtls1_process_heartbeat() and
tls1_process_heartbeat()) reside in libssl. Software linking only
against libcrypto.so.1.0.0[2] (which includes openssh, bind9, slapd -
which uses GnuTLS for transport security by the way) should not be
vulnerable, despite depending on libssl1.0.0.

[1] http://wiki.openssl.org/index.php/Libcrypto_API
[2] From [1]: "You can however use libcrypto without using libssl."

Regards,
Apollon
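
The libssl versus libcrypto distinction drawn in the message above can be checked per process from its memory map. The following is an added example, not part of the original thread: the function name `classify_maps`, the sample process names and the sample map lines are constructed for illustration, and the library paths assume a Debian amd64 multiarch layout.

```shell
#!/bin/sh
# Added example, not from the thread. Input: text in /proc/<pid>/maps format.

# classify_maps FILE
# Prints "libssl" if libssl.so.1.0.0 is mapped (the library that holds the
# heartbeat functions), "libcrypto-only" if only libcrypto.so.1.0.0 is mapped,
# and "none" otherwise. Appends " stale" when the matched library is marked
# "(deleted)", meaning the process still runs the copy from before the upgrade
# and has to be restarted to pick up the fixed one.
classify_maps() {
    awk '
        # Field 6 is the backing file; field 7 is "(deleted)" once unlinked.
        $6 ~ /\/libssl\.so\.1\.0\.0$/    { ssl = 1;    if ($7 == "(deleted)") sstale = 1 }
        $6 ~ /\/libcrypto\.so\.1\.0\.0$/ { crypto = 1; if ($7 == "(deleted)") cstale = 1 }
        END {
            if (ssl)         print "libssl" (sstale ? " stale" : "")
            else if (crypto) print "libcrypto-only" (cstale ? " stale" : "")
            else             print "none"
        }
    ' "$1"
}

# Constructed sample maps (not captured from a real host).
SAMPLES=$(mktemp -d)
L=/usr/lib/x86_64-linux-gnu   # assumed library directory
# apache2 with mod_ssl loaded, started before the library upgrade
cat > "$SAMPLES/apache2" <<EOF
7f10a0000000-7f10a0055000 r-xp 00000000 08:01 1311 $L/libssl.so.1.0.0 (deleted)
7f10a0400000-7f10a05d0000 r-xp 00000000 08:01 1312 $L/libcrypto.so.1.0.0 (deleted)
EOF
# sshd, already restarted after the upgrade: libcrypto only
cat > "$SAMPLES/sshd" <<EOF
7f20b0000000-7f20b01d0000 r-xp 00000000 08:01 1400 $L/libcrypto.so.1.0.0
7f20b0400000-7f20b05b0000 r-xp 00000000 08:01 1401 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
# a process that maps neither library
cat > "$SAMPLES/cron" <<EOF
7f30c0000000-7f30c01b0000 r-xp 00000000 08:01 1401 /lib/x86_64-linux-gnu/libc-2.13.so
EOF

for f in "$SAMPLES"/*; do
    printf '%-8s %s\n' "$(basename "$f")" "$(classify_maps "$f")"
done
```

On a live host the same function can be pointed at `/proc/<pid>/maps` for each running service, which requires root for processes owned by other users.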