Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Carlos P <charly_en_el_trabajo () yahoo com>
Date: Fri, 11 Apr 2014 10:56:50 -0700 (PDT)
As a general rule of thumb for this vulnerability, any binary/service
dynamically linked to libssl.so should be considered compromised. and you have to add what is statically linked and keep track of every php/ruby/python/whatever scripts, don't you? El día jueves, 10 de abril de 2014 15:44, Brandon Vincent (Student) <Brandon.Vincent () asu edu> escribió: Partly true. OpenSSH does utilize the libraries of OpenSSL for cryptographic purposes (ldd will reveal the presence of libcrypto.so), but this is for generating and utilizing asymmetric keys. CVE-2014-0160 impacts the heartbeat extension of TLS and since the SSH protocol does not use SSL/TLS, you should be fine. As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be considered compromised. Brandon Vincent -----Original Message----- From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Walt Williams Sent: Wednesday, April 09, 2014 6:24 PM To: Rob van der Putten Cc: fulldisclosure () seclists org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 SSH does not usually use OpenSSL libraries, so no. Walt Williams sent from my iPhone Typos likely
On Apr 9, 2014, at 3:57, Rob van der Putten <rob () sput nl> wrote: Hi there Tim Schütt wrote:Nope, works also on other protocols like IMAPS.I generated new keys for Apache, Asterisk, Exim and Imap and restarted these services. So how about SSH? Do I need to generate new keys for SSH as well? Regards, Rob _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Fraser Scott (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Tim Schütt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Rob van der Putten (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Walt Williams (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Vincent (Student) (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
- Message not available
- Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ken Connelly (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Juergen Christoffel (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 11)