Re: [cobalt-security] Re: new openssl vulnerabilities
- Subject: Re: [cobalt-security] Re: new openssl vulnerabilities
- From: Matt Barton <matt@xxxxxxxxxx>
- Date: Tue, 30 Jul 2002 13:31:11 -0500 (EST)
- Organization: Webexcellence
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 30 Jul 2002, Chris Adams wrote:
> > Eh .... OpenSSL and OpenSSH are totally different things.
>
> Yes, but OpenSSH uses the OpenSSL libraries for the encryption routines.
I know. It seemed people were confusing OpenSSH and OpenSSL since the
letters are so similar.
> I'm not sure at this point if OpenSSH uses any of the vulnerable
> routines from the OpenSSL libraries (I'm pretty sure that it doesn't use
> some of them, but I don't know about the rest).
Hard to say. I don't know much about the internals of OpenSSH and OpenSSL
to know exactly what does what with what.
> However, starting with the RaQ3, Cobalt included the OpenSSL libraries
> as part of the RaQ and used OpenSSL to build Apache with SSL support.
> There were also both Cobalt and third-party SSL servers available for
> previous RaQs. All of those definitely are vulnerable to the newly
> found holes, as well as some previous ones (the Apache SSL module also
> had some security holes found recently that have not been addressed on
> Cobalt products).
>
> Sun/Cobalt needs to release an update for every RaQ server that supports
> SSL with updated versions of the SSL module and the OpenSSL libraries.
Are we taking bets on how long that will take? :-)
- --
Matt Barton
Webexcellence
PH: 317.423.3548 x22
TF: 800.808.6332 x22
FX: 317.423.8735
matt@xxxxxxxxxx
www.webexc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQE9Rttx67cWHlKNnWkRAqOSAJwNlw7YV9nxrDryKayJO4D0ThOqhACdEfZ/
GlD9ydnHOMQgIYQMDdIogns=
=esJ1
-----END PGP SIGNATURE-----