Re: SSL vs. SSH in the context of CVE 2014-0160

Wed, 09 Apr 2014 08:06:36 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/04/14 03:08, Chris Hill wrote:
> (Meant to post this on OpenSSL dev, but sent it to user in error,
> although I am getting some good answers there as well).
> 
> Team, I am having a discussions with a few friends about why this
> OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO
> basic for many of you (apologize in advance), but can't think of
> any other way to prove my point other than speaking to the folks
> who really know (that's u). Or maybe I am the one wrong, wouldn't
> be the first time ;).

OpenSSH uses libcrypto but not libssl. This vulnerability is in libssl.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIbBAEBCAAGBQJTRV+RAAoJEG6FTA+q1M6kqHcP+KbatymYMKD6VapINHaQ3JEJ
NOMKf+GSRZVjsragZI23K7Y+Z49EKTAKgJx91nUoH5j0TIhUNJWDvcU+vJU8PhXK
OHN18wBDPNuwQGyjL4S8Kmy8fSFbt4AR5SmRxOavJXU9XGy4/0rL/GVaysL8HvTO
odLxM14w4ArQV0UZ9ETDALL91TI6H85OJxc/ldQQd/QxuR/vzfwGpvqkaLT8jujB
wSxzXxajxG1gSB/NdP8B4tYyTN/bh20tROiPhLFiiIwLLCcbyHAdfbnzepYHJMXf
tqIZWHLALBUnsSbF+PE9AzFRv9k9ncAMlLbXfH4+oIH1ks5DVoVoZXUeU8uSsKrE
k06RpbxVF+ewxsSKrj6M1Ty95EvNS95vmFjWaFlnvCvLmfozec0tU05fnqbONzKV
Eb4Gf02E5Ht14VmT6Vh+PQAVQlfk/egmvepHcs6o4zMFghY1fSOe8lE2DwEN88KD
tXSud2DdSiwHnHRO3uiXAQqpc4YigtOxhtxtPw5dO+Gj8trFzECPhg7oa0tHjMWu
onda+2NELMx6Q87nNyMeMAQcrEh4xdfZGiid4x/cDVkBEx88hKqK470EL2Qu7PjP
KADlkE6LuG/URUIkd82UrvWzbJ96LTsgmWENnWzh9CrIaNnGzATOKWJO4u2yioNE
/Ip1ALD6n8MYPFLXNAA=
=X9YG
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to