[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

To: "Brandon Vincent \(Student\)" <Brandon.Vincent@xxxxxxx>
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
From: Carlos P <charly_en_el_trabajo@xxxxxxxxx>
Date: Fri, 11 Apr 2014 10:56:50 -0700 (PDT)

>> As a general rule of thumb for this vulnerability, any binary/service 
dynamically linked to libssl.so should be considered compromised.

and you have to add what is statically linked and keep track of every 
php/ruby/python/whatever scripts, don't you?

El día jueves, 10 de abril de 2014 15:44, Brandon Vincent (Student) 
<Brandon.Vincent@xxxxxxx> escribió:

Partly true.

OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd 
will reveal the presence of libcrypto.so), but this is for generating and 
utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension of TLS 
and since the SSH protocol does not use SSL/TLS, you should be fine.

As a general rule of thumb for this vulnerability, any binary/service 
dynamically linked to libssl.so should be considered compromised.

Brandon Vincent

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of 
Walt Williams
Sent: Wednesday, April 09, 2014 6:24 PM
To: Rob van der Putten
Cc: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

SSH does not usually use OpenSSL libraries, so no.

Walt Williams
sent from my iPhone
Typos likely

> On Apr 9, 2014, at 3:57, Rob van der Putten <rob@xxxxxxx> wrote:
> 
> Hi there
> 
> 
> Tim Schütt wrote:
> 
>> Nope, works also on other protocols like IMAPS.
> 
> I generated new keys for Apache, Asterisk, Exim and Imap and restarted these 
> services.
> So how about SSH? Do I need to generate new keys for SSH as well?
> 
> 
> Regards,
> Rob
> 
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list 
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Kirils Solovjovs
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Fraser Scott
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Nik Mitev
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Chris Schmidt
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Tim Schütt
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Rob van der Putten
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Walt Williams
- Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
  - From: Brandon Vincent (Student)

Prev by Date: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Next by Date: [FD] Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150
Previous by thread: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Next by thread: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
Index(es):
- Date
- Thread