| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <586745645D88D740AF5C0346EF5AB800169964FC@exmbw03.asurite.ad.asu.edu> Date: Thu, 10 Apr 2014 16:20:30 +0000 From: "Brandon Vincent (Student)" <Brandon.Vincent@....edu> To: Walt Williams <walt.williams@...il.com>, Rob van der Putten <rob@...t.nl> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 Partly true. OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd will reveal the presence of libcrypto.so), but this is for generating and utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension of TLS and since the SSH protocol does not use SSL/TLS, you should be fine. As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be considered compromised. Brandon Vincent -----Original Message----- From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Walt Williams Sent: Wednesday, April 09, 2014 6:24 PM To: Rob van der Putten Cc: fulldisclosure@...lists.org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 SSH does not usually use OpenSSL libraries, so no. Walt Williams sent from my iPhone Typos likely > On Apr 9, 2014, at 3:57, Rob van der Putten <rob@...t.nl> wrote: > > Hi there > > > Tim Schütt wrote: > >> Nope, works also on other protocols like IMAPS. > > I generated new keys for Apache, Asterisk, Exim and Imap and restarted these services. > So how about SSH? Do I need to generate new keys for SSH as well? > > > Regards, > Rob > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists