Re: CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Leon Fauster writes:
> On 08.04.2014 at 23:08, Keith Keller <kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > On 2014-04-08, Robert Arkiletian <robark@xxxxxxxxx> wrote:
> >> 
> >> if you include libcrypto in the grep then sshd is affected.
> > 
> > That's unfortunate.  :(  Is the bug in libssl, libcrypto, or both?
> 
> 
> looking inside - it seems that this issue (cve-2014-0160) is resolved
> in ssl/d1_both.c and ssl/t1_lib.c and not in files under crypto/ ...
> to say more I have to take a look into the build process.

 The OpenBSD note for the patch reads
 (http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch)

| Only SSL/TLS services are affected.  Software that uses libcrypto alone
| is not affected.  In particular, ssh/sshd are not affected and there
| is no need to regenerate SSH host keys that have not otherwise been
| exposed.

 The patched code is the same everywhere, ssl subdirectory only. Code in
 the crypto subdirectory is not affected or patched.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
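
The distinction discussed in this thread (a grep for libcrypto also catches sshd, while the fix is only in libssl) can be checked per process. The script below is an added example, not part of the original messages or of any project mentioned; the function names and the sample `ldd` lines are constructed for illustration, and it assumes a Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example: tell "maps libssl" apart from "maps libcrypto only".
# Input on stdin: ldd output or the contents of /proc/<pid>/maps.
# "libssl" only means the process loads the library that carries the
# patched ssl/ code; whether that build is fixed depends on its version.
classify_openssl_use() {
    awk '
        /libssl\.so/    { ssl = 1 }
        /libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl)         print "libssl"
            else if (crypto) print "libcrypto-only"
            else             print "none"
        }'
}

# Walk running processes and print: pid <TAB> command <TAB> classification.
# Processes whose maps file cannot be read (not root) are skipped.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        kind=$( { classify_openssl_use < "$maps"; } 2>/dev/null ) || continue
        case "$kind" in
            libssl|libcrypto-only) ;;
            *) continue ;;
        esac
        name=$(cat "/proc/$pid/comm" 2>/dev/null) || name="?"
        printf '%s\t%s\t%s\n' "$pid" "$name" "$kind"
    done
}

# Constructed sample ldd output (addresses elided on purpose).
SAMPLE_SSHD='	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x...)
	libc.so.6 => /lib64/libc.so.6 (0x...)'
SAMPLE_TLS_SERVER='	libssl.so.10 => /usr/lib64/libssl.so.10 (0x...)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x...)
	libc.so.6 => /lib64/libc.so.6 (0x...)'

# Run with --scan (as root) to list live processes.
if [ "${1:-}" = "--scan" ]; then
    scan_processes
fi
```

Processes reported as `libssl` are the ones to restart after the updated package is installed; `libcrypto-only` entries such as sshd match the OpenBSD note quoted above.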
