Once upon a time, Matt Barton <[EMAIL PROTECTED]> said: > On Tue, 30 Jul 2002, Menno M Jansz wrote: > > Just saw the following: > > > > http://pkgmaster.com/packages/raq/4/#openssh > > Eh .... OpenSSL and OpenSSH are totally different things.
Yes, but OpenSSH uses the OpenSSL libraries for the encryption routines. I'm not sure at this point if OpenSSH uses any of the vulnerable routines from the OpenSSL libraries (I'm pretty sure that it doesn't use some of them, but I don't know about the rest). However, starting with the RaQ3, Cobalt included the OpenSSL libraries as part of the RaQ and used OpenSSL to build Apache with SSL support. There were also both Cobalt and third-party SSL servers available for previous RaQs. All of those definately are vulnerable to the newly found holes, as well as some previous ones (the Apache SSL module also had some security holes found recently that have not been addressed on Cobalt products). Sun/Cobalt needs to release an update for every RaQ server that supports SSL with updated versions of the SSL module and the OpenSSL libraries. -- Chris Adams <[EMAIL PROTECTED]> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
