| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1397239010.71504.YahooMailNeo@web122304.mail.ne1.yahoo.com> Date: Fri, 11 Apr 2014 10:56:50 -0700 (PDT) From: Carlos P <charly_en_el_trabajo@...oo.com> To: "Brandon Vincent \(Student\)" <Brandon.Vincent@....edu> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 >> As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be considered compromised. and you have to add what is statically linked and keep track of every php/ruby/python/whatever scripts, don't you? El día jueves, 10 de abril de 2014 15:44, Brandon Vincent (Student) <Brandon.Vincent@....edu> escribió: Partly true. OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd will reveal the presence of libcrypto.so), but this is for generating and utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension of TLS and since the SSH protocol does not use SSL/TLS, you should be fine. As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be considered compromised. Brandon Vincent -----Original Message----- From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Walt Williams Sent: Wednesday, April 09, 2014 6:24 PM To: Rob van der Putten Cc: fulldisclosure@...lists.org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 SSH does not usually use OpenSSL libraries, so no. Walt Williams sent from my iPhone Typos likely > On Apr 9, 2014, at 3:57, Rob van der Putten <rob@...t.nl> wrote: > > Hi there > > > Tim Schütt wrote: > >> Nope, works also on other protocols like IMAPS. > > I generated new keys for Apache, Asterisk, Exim and Imap and restarted these services. > So how about SSH? Do I need to generate new keys for SSH as well? > > > Regards, > Rob > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists