Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

Fri, 11 Apr 2014 14:38:33 -0700 

>> As a general rule of thumb for this vulnerability, any binary/service 
dynamically linked to libssl.so should be considered compromised.


and you have to add what is statically linked and keep track of every 
php/ruby/python/whatever scripts, don't you?



El día jueves, 10 de abril de 2014 15:44, Brandon Vincent (Student) 
<brandon.vinc...@asu.edu> escribió:
 
Partly true.

OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd 
will reveal the presence of libcrypto.so), but this is for generating and 
utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension of TLS 
and since the SSH protocol does not use SSL/TLS, you should be fine.

As a general rule of thumb for this vulnerability, any binary/service 
dynamically linked to libssl.so should be considered compromised.

Brandon Vincent

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Walt Williams
Sent: Wednesday, April 09, 2014 6:24 PM
To: Rob van der Putten
Cc: fulldisclosure@seclists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

SSH does not usually use OpenSSL libraries, so no.

Walt Williams
sent from my iPhone
Typos likely

> On Apr 9, 2014, at 3:57, Rob van der Putten <r...@sput.nl> wrote:
> 
> Hi there
> 
> 
> Tim Schütt wrote:
> 
>> Nope, works also on other protocols like IMAPS.
> 
> I generated new keys for Apache, Asterisk, Exim and Imap and restarted these 
> services.
> So how about SSH? Do I need to generate new keys for SSH as well?
> 
> 
> Regards,
> Rob
> 
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list 
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to