
Re: [cobalt-security] new openssl vulnerabilities



Mike wrote:

> 10:04 $ strings /usr/bin/ssh | grep OpenSSH_3.4
> OpenSSH_3.4p1
> OpenSSH_3.4p1
> 10:04 $
> Looks like someone didn't update the version string.

That's because it's still OpenSSH 3.4p1 - the latest version. The 3.4p1-3
package (as opposed to the 3.4p1-1 package or whatever) is simply a
recompilation of the *same* OpenSSH code, using a later version of OpenSSL.
No version string update was needed!

> Gerald wrote:
> > Not quite, OpenSSH uses OpenSSL, when you fix OpenSSL you have
> > to recompile everything that uses it...

Paul wrote:
> Are you sure about that gerald?

Well, you'll have to recompile or obtain recompiled versions of anything
that statically binds (i.e. builds into itself, rather than using a shared
copy) to the problem software, in this case OpenSSL. The OpenSSH package a
lot of us are using was compiled using an affected version of OpenSSL. Other
things might not be. This happened when zlib problems came to light, as so
many things had zlib built into themselves.

Cheers
Stephen
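An added example, not from the thread or from any of the posters, of the check Stephen's reply implies: rather than grepping for the OpenSSH_ string (which only tells you the OpenSSH version), look for the library's own version text inside the binary, and separately ask the dynamic loader whether the library comes from a shared object. A binary that carries the OpenSSL or zlib version text in itself has the library statically built in and needs a rebuilt package when that library is fixed; one that only lists libssl/libcrypto/libz under ldd picks up the fix when the shared library is replaced. The version-text patterns ("OpenSSL x.y.z", "inflate/deflate x.y.z") and the sample file used in the comments are assumptions made for this example; the function names are mine.

```shell
#!/bin/sh
# Added example: classify how a binary gets its OpenSSL / zlib code.
# Assumption: a statically linked build embeds the library's own version
# text (e.g. "OpenSSL 0.9.6d 9 May 2002", "inflate 1.1.3 Copyright ...").

# Printable strings of a file, like strings(1) but without needing binutils.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Library version text compiled into the binary itself (static linkage).
embedded_versions() {
    printable_strings "$1" \
      | grep -E -o 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]?|(inflate|deflate) [0-9]+\.[0-9]+\.[0-9]+' \
      | sort -u
}

# Shared objects the dynamic loader would pull in; empty when ldd is
# unavailable or the file is not a dynamic executable.
shared_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto|z)\.so' | awk '{print $1}'
}

# classify FILE LIB   (LIB is "openssl" or "zlib")
# prints one of: static | shared | none
classify() {
    file=$1 lib=$2
    case $lib in
        openssl) emb='^OpenSSL';            so='lib(ssl|crypto)\.so' ;;
        zlib)    emb='^(inflate|deflate)';  so='libz\.so' ;;
        *) echo "unknown library: $lib" >&2; return 2 ;;
    esac
    if embedded_versions "$file" | grep -E -q "$emb"; then
        echo static      # library code lives inside this binary: rebuild it
    elif shared_libs "$file" | grep -E -q "$so"; then
        echo shared      # fixed by replacing the shared library
    else
        echo none
    fi
}

# Walk a directory and list every executable that still carries its own
# copy of the library, with the embedded version text beside it.
report_static() {   # $1 = directory, $2 = openssl|zlib
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        [ "$(classify "$f" "$2")" = static ] \
          && printf '%s\t%s\n' "$f" "$(embedded_versions "$f" | tr '\n' ' ')"
    done
}

# Usage on a real system, e.g.:  report_static /usr/bin openssl
# Constructed sample (not a real binary) showing the static case:
#   printf 'x\000OpenSSL 0.9.6d 9 May 2002\000' > /tmp/fake; classify /tmp/fake openssl
```

Run `report_static /usr/bin openssl` (and again with `zlib`) after installing a fixed library to get the list of packages that still need a recompiled build; anything reported as `shared` is already covered by the library update.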