On 13:26 Wed 09 Apr , bsod wrote:
> On 2014-04-09 12:42, Rob van der Putten wrote:
> > According to a post on slashdot SSH is not affected. I don't know if
> > this is correct.
>
> (Open-)SSH is not affected as it does not use openssl at all. Should be the
> same for other SSH daemons like dropbear as they are not using TLS in SSH
> Protocol.

Actually OpenSSH uses OpenSSL, it just does not use TLS for transport.

OpenSSL comprises two libraries: libcrypto[1] and libssl, providing generic crypto facilities and transport security respectively. The affected functions (dtls1_process_heartbeat() and tls1_process_heartbeat()) reside in libssl.

Software linking only against libcrypto.so.1.0.0[2] (which includes openssh, bind9, slapd - which uses GnuTLS for transport security by the way) should not be vulnerable, despite depending on libssl1.0.0.

[1] http://wiki.openssl.org/index.php/Libcrypto_API
[2] From [1]: "You can however use libcrypto without using libssl."

Regards,
Apollon
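
Added example (not part of the original message): one way to check the libcrypto/libssl distinction described above for a given binary, by reading its direct DT_NEEDED entries from `readelf -d` output. The function names and the sample dynamic-section lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies a binary by its direct DT_NEEDED entries,
# read from `readelf -d` output on stdin.
# Assumption: direct dynamic linkage only; libraries pulled in
# transitively, via dlopen(), or linked statically do not show up here.

# Print the library names found on the (NEEDED) lines.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Print one of: libssl | libcrypto-only | no-openssl
classify_needed() {
    ssl=0; crypto=0
    for lib in $(needed_libs); do
        case "$lib" in
            libssl.so*)    ssl=1 ;;
            libcrypto.so*) crypto=1 ;;
        esac
    done
    if [ "$ssl" -eq 1 ]; then echo "libssl"
    elif [ "$crypto" -eq 1 ]; then echo "libcrypto-only"
    else echo "no-openssl"
    fi
}

# Constructed sample: a binary that links libcrypto but not libssl.
sample_crypto_only() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
EOF
}

# Constructed sample: a binary that links both libraries.
sample_libssl() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.0.0]
 0x000000000000000e (SONAME)  Library soname: [example.so]
EOF
}

# Usage: sh check.sh /path/to/binary ...  (no arguments: run the samples)
if [ "$#" -eq 0 ]; then
    echo "sample crypto-only: $(sample_crypto_only | classify_needed)"
    echo "sample libssl:      $(sample_libssl | classify_needed)"
fi
for bin in "$@"; do
    echo "$bin: $(readelf -d "$bin" 2>/dev/null | classify_needed)"
done
```

A "libcrypto-only" result matches the case described in the message: the package dependency on libssl1.0.0 is present, but the binary itself does not load libssl, where the heartbeat functions live.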

