<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 8, 2014 at 2:49 PM, Kastus Shchuka <span dir="ltr">&lt;<a href="mailto:macports@tprfct.net" target="_blank">macports@tprfct.net</a>&gt;</span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
On Apr 8, 2014, at 11:31 AM, Niels Dettenbach wrote:<br>> But as far as I can read till now OpenSSH uses OpenSSL code not related to<br>
> TLS/SSL or the ASN.1 parser which is affected here - but yesterday and today<br>
> some distributors gave OpenSSH updates in parallel regarding another security<br>
> hole in OpenSSH (i.e. Debian) including a new host key generation.<br><br>
</div>I am not sure what the problem with those distros is, but according to <a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch" target="_blank">http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch</a><br>
<br>
``Only SSL/TLS services are affected. Software that uses libcrypto alone<br>
is not affected. In particular, ssh/sshd are not affected and there<br>
is no need to regenerate SSH host keys that have not otherwise been<br>
exposed.''<br></blockquote><div><br></div><div>I don't know why the OpenSSH issues would require a new key. One is related to AcceptEnv processing and the other to ssh fingerprints over DNS; as far as I can tell, the latter cannot compromise a host or user private key.</div>
</div><div><br></div>-- <br><div dir="ltr"><div>brandon s allbery kf8nh sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div>
<div>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div>
</div></div>