
Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?



On 13:26 Wed 09 Apr     , bsod wrote:
> On 2014-04-09 12:42, Rob van der Putten wrote:
> >According to a post on slashdot SSH is not affected. I don't know if
> >this is correct.
> 
> (Open-)SSH is not affected as it does not use openssl at all. Should be the
> same for other SSH daemons like dropbear as they are not using TLS in SSH
> Protocol.

Actually OpenSSH uses OpenSSL, it just does not use TLS for transport.  
OpenSSL comprises two libraries: libcrypto[1] and libssl, providing 
generic crypto facilities and transport security respectively. The 
affected functions (dtls1_process_heartbeat() and 
tls1_process_heartbeat()) reside in libssl. Software linking only 
against libcrypto.so.1.0.0[2] (which includes openssh, bind9, slapd - 
which uses GnuTLS for transport security by the way) should not be 
vulnerable, despite depending on libssl1.0.0.

[1] http://wiki.openssl.org/index.php/Libcrypto_API
[2] From [1]: "You can however use libcrypto without using libssl."

Regards,
Apollon
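
The following is an added example, not part of the original message or of any Debian tooling: a triage sketch that applies the libssl/libcrypto distinction above to running processes by reading `/proc/<pid>/maps`, and flags mappings marked `(deleted)`, which indicate a process still running the library copy from before the upgrade. The sample maps excerpts, process names and label strings are constructed for illustration; a `libssl-current` label only means the mapped file is the one on disk, not that the installed version is fixed.

```python
import glob

# Constructed /proc/<pid>/maps excerpts for hypothetical processes (not real captures).
SAMPLE_MAPS = {
    "apache2": (
        "7f1c2a000000-7f1c2a056000 r-xp 00000000 08:01 131090 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f1c29c00000-7f1c29dd2000 r-xp 00000000 08:01 131089 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
    ),
    "sshd": (
        "7f6d10000000-7f6d101d2000 r-xp 00000000 08:01 131089 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
        "7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    "cron": "00400000-0040b000 r-xp 00000000 08:01 262155 /usr/sbin/cron\n",
}

DELETED = " (deleted)"

def mapped_openssl_libs(maps_text):
    """Return {"libssl"/"libcrypto": is_stale} for one maps dump."""
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping: no pathname column
        path = fields[5]
        stale = path.endswith(DELETED)  # file replaced on disk after being mapped
        if stale:
            path = path[: -len(DELETED)]
        name = path.rsplit("/", 1)[-1]
        for lib in ("libssl", "libcrypto"):
            if name.startswith(lib + ".so."):
                found[lib] = found.get(lib, False) or stale
    return found

def classify(maps_text):
    """Triage label: libssl holds the heartbeat code, libcrypto does not."""
    libs = mapped_openssl_libs(maps_text)
    if "libssl" in libs:
        return "libssl-stale" if libs["libssl"] else "libssl-current"
    return "libcrypto-only" if "libcrypto" in libs else "no-openssl"

if __name__ == "__main__":
    for name, text in SAMPLE_MAPS.items():
        print(name, classify(text))
    for maps in glob.glob("/proc/[0-9]*/maps"):  # live scan; root needed for other users
        try:
            with open(maps) as fh:
                print(maps, classify(fh.read()))
        except OSError:
            pass  # process exited or permission denied
```
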

