1 |
The Heartbleed bug is in the Heartbeat function of TSL (a second keep |
2 |
alive). OpenSSL does not use TLS for transport security, it uses its |
3 |
own Protokoll for security. |
4 |
|
5 |
2014-04-10 12:51 GMT+02:00 Nilesh Govindrajan <me@××××××××.com>: |
6 |
> On Thu, Apr 10, 2014 at 4:22 PM, Matthew Finkel |
7 |
> <matthew.finkel@×××××.com> wrote: |
8 |
>> On Thu, Apr 10, 2014 at 05:53:44PM +0800, J?n Zahornadsk? wrote: |
9 |
>>> On 04/10/2014 05:03 PM, Adam Carter wrote: |
10 |
>>> > |
11 |
>>> > What surprises me here is OpenSSH. It's not supposed to use OpenSSL |
12 |
>>> > but Debian update process suggests to restart it after updating |
13 |
>>> > OpenSSL to a fixed version. Is it an overkill on their part? It |
14 |
>>> > might confuse admins. |
15 |
>>> > |
16 |
>>> > |
17 |
>>> > adam@proxy ~ $ ldd /usr/sbin/sshd |
18 |
>>> > linux-vdso.so.1 (0x00007fffb068e000) |
19 |
>>> > libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f68db1e6000) |
20 |
>>> > libpam.so.0 => /lib64/libpam.so.0 (0x00007f68dafd8000) |
21 |
>>> > libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f68dabf5000) |
22 |
>>> > libutil.so.1 => /lib64/libutil.so.1 (0x00007f68da9f2000) |
23 |
>>> > libz.so.1 => /lib64/libz.so.1 (0x00007f68da7db000) |
24 |
>>> > libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f68da5a4000) |
25 |
>>> > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f68da387000) |
26 |
>>> > libc.so.6 => /lib64/libc.so.6 (0x00007f68d9fd7000) |
27 |
>>> > libgcc_s.so.1 => |
28 |
>>> > /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1 (0x00007f68d9dc0000) |
29 |
>>> > libdl.so.2 => /lib64/libdl.so.2 (0x00007f68d9bbc000) |
30 |
>>> > /lib64/ld-linux-x86-64.so.2 (0x00007f68db3f1000) |
31 |
>>> > adam@proxy ~ $ qfile /usr/lib64/libcrypto.so.1.0.0 |
32 |
>>> > dev-libs/openssl (/usr/lib64/libcrypto.so.1.0.0) |
33 |
>>> > adam@proxy ~ $ |
34 |
>>> > |
35 |
>>> > So OpenSSH clearly IS using OpenSSL, and you need to restart sshd after |
36 |
>>> > upgrading OpenSSL. |
37 |
>>> |
38 |
>>> As far as I know, it doesn't use it for the communication itself, just |
39 |
>>> some key generations, so it shouldn't be affected by this bug. But I |
40 |
>>> guess better safe than sorry... |
41 |
>>> |
42 |
>> |
43 |
>> Right. heartbleed does not directly affect openssh, but openssh uses |
44 |
>> openssl and it's good practice to keep the shared libraries on-disk and |
45 |
>> the shared libraries in-memory in sync. |
46 |
>> |
47 |
> |
48 |
> |
49 |
> How is OpenSSH not affected? |
50 |
> |
51 |
|
52 |
|
53 |
|
54 |
-- |
55 |
Mit freundlichen Grüßen / Best regards |
56 |
|
57 |
Randolph Maaßen |