I can see where the confusion stems from, contradictory statements in the
cert:


   Installations which used RSAREF2 in compiling ssh are vulnerable, and
   we recommend recompiling without RSAREF2 if their local legal
   situation permits.

   In addition, the following list of software packages in the NetBSD
   "packages" system are also dependent on the RSAREF2 library:
     * archivers/hpack
     * security/openssl
     * security/pgp2
     * security/pgp5
     * www/ap-ssl


One has to go beyond there to get the point you refer to, Chuck.  This is
not a situation merely of not reading; it seems to be a poorly defined cert
with posted conflicts.

Thanks,

Ron Dufresne


On Tue, 14 Dec 1999 [EMAIL PROTECTED] wrote:

> >>> <[EMAIL PROTECTED]> 12/14/99 04:00AM >>>
> 
> >CERT Advisory CA-99.15 - Buffer Overflows in SSH Daemon and RSAREF2
> Library.
> >Has this been fixed in the latest version of modssl ?
> 
> To quote from the same CERT Advisory you reference:
> 
> "OpenSSL with RSAREF is not vulnerable."
> 
> Next time, please read the *entire* CERT Advisory, not just the top
> half.
> 
> --Cliff
> 
> Cliff Woolley
> Central Systems Software Administrator
> Washington and Lee University
> http://www.wlu.edu/~jwoolley/
> 
> Work: (540) 463-8089
> Pager: (540) 462-2303
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
