On Fri, May 16, 2008 at 1:47 PM, MoRpHeUz <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Fri, May 16, 2008 at 2:17 PM, Andrew Daviel <[EMAIL PROTECTED]> wrote:
>> I wondered if Maemo had inherited this problem.
>
> The advisories say that the versions of openssl affected are
> 0.9.8c-1 up to 0.9.8g-9. On my tablets, the version installed is 0.9.7

AFAIK the actual issue is that keys *generated* on an affected system are vulnerable. Therefore, if you happened to generate a private/public key pair on a host system with the affected openssl library and added the public key to the device's /root/.ssh/authorized_keys, then the device is susceptible to a remote brute force attack [1].

Of course this requires the following:

- the device be in RD mode (not sure)
- openssh server package installed and enabled
- you manually copied a vulnerable public SSH key to the device's /root/.ssh/authorized_keys

[1] http://seclists.org/fulldisclosure/2008/May/0410.html

Regards,
-- 
Anderson Lizardo
Instituto Nokia de Tecnologia (INdT)
Manaus - Brazil
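
One way to check the third condition above on a device, as an added example that is not part of the original message: fingerprint every key in an authorized_keys file and compare it against a blocklist of known-weak key fingerprints. The blocklist format (a set of full MD5 fingerprints), the function names and the sample key blobs are assumptions constructed for illustration; the blobs are not real keys.

```python
import base64
import binascii
import hashlib

KEY_TYPES = (b"ssh-rsa", b"ssh-dss")  # key types to audit

def fingerprint(blob):
    """Legacy OpenSSH fingerprint: colon-separated MD5 of the raw key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def decode_key(type_tok, b64_tok):
    """Return the key blob if b64_tok really is a key of type type_tok, else None."""
    try:
        blob = base64.b64decode(b64_tok, validate=True)
    except (binascii.Error, ValueError):
        return None
    # A public key blob starts with a 4-byte length and a copy of its type name.
    n = int.from_bytes(blob[:4], "big")
    return blob if blob[4:4 + n] == type_tok else None

def audit(authorized_keys_text, blocklist):
    """Return (line_no, key_type, comment) for each key whose fingerprint is blocklisted."""
    hits = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type, so scan for it.
        for i in range(len(fields) - 1):
            tok = fields[i].encode()
            blob = decode_key(tok, fields[i + 1]) if tok in KEY_TYPES else None
            if blob is None:
                continue
            if fingerprint(blob) in blocklist:
                hits.append((line_no, fields[i], " ".join(fields[i + 2:])))
            break
    return hits

# Constructed sample data: placeholder blobs with a valid type header only.
def make_blob(key_type, body):
    return len(key_type).to_bytes(4, "big") + key_type + body

WEAK = make_blob(b"ssh-rsa", b"constructed-weak-key")
GOOD = make_blob(b"ssh-rsa", b"constructed-good-key")
BLOCKLIST = {fingerprint(WEAK)}  # hypothetical blocklist of weak-key fingerprints
SAMPLE = "\n".join([
    "# constructed authorized_keys file",
    "ssh-rsa %s admin@desktop" % base64.b64encode(GOOD).decode(),
    'command="echo ssh-rsa x",no-pty ssh-rsa %s dev@buildhost' % base64.b64encode(WEAK).decode(),
])
```

Any line the audit reports should be removed from authorized_keys and the key pair regenerated on a host with a fixed openssl.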
