Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Nilesh Govindrajan <me@××××××××.com>
To: Gentoo User Mailing List <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] 'Heartbleed' bug
Date: Thu, 10 Apr 2014 10:52:38
Message-Id: CAHgBc-uX-Bxm9Gez5ZH-dPinFqnj6wzX10EA4LCUR+wjhwwBUQ@mail.gmail.com
In Reply to: Re: [gentoo-user] 'Heartbleed' bug by Matthew Finkel
1 On Thu, Apr 10, 2014 at 4:22 PM, Matthew Finkel
2 <matthew.finkel@×××××.com> wrote:
3 > On Thu, Apr 10, 2014 at 05:53:44PM +0800, J?n Zahornadsk? wrote:
4 >> On 04/10/2014 05:03 PM, Adam Carter wrote:
5 >> >
6 >> > What surprises me here is OpenSSH. It's not supposed to use OpenSSL
7 >> > but Debian update process suggests to restart it after updating
8 >> > OpenSSL to a fixed version. Is it an overkill on their part? It
9 >> > might confuse admins.
10 >> >
11 >> >
12 >> > adam@proxy ~ $ ldd /usr/sbin/sshd
13 >> > linux-vdso.so.1 (0x00007fffb068e000)
14 >> > libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f68db1e6000)
15 >> > libpam.so.0 => /lib64/libpam.so.0 (0x00007f68dafd8000)
16 >> > libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f68dabf5000)
17 >> > libutil.so.1 => /lib64/libutil.so.1 (0x00007f68da9f2000)
18 >> > libz.so.1 => /lib64/libz.so.1 (0x00007f68da7db000)
19 >> > libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f68da5a4000)
20 >> > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f68da387000)
21 >> > libc.so.6 => /lib64/libc.so.6 (0x00007f68d9fd7000)
22 >> > libgcc_s.so.1 =>
23 >> > /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.2/libgcc_s.so.1 (0x00007f68d9dc0000)
24 >> > libdl.so.2 => /lib64/libdl.so.2 (0x00007f68d9bbc000)
25 >> > /lib64/ld-linux-x86-64.so.2 (0x00007f68db3f1000)
26 >> > adam@proxy ~ $ qfile /usr/lib64/libcrypto.so.1.0.0
27 >> > dev-libs/openssl (/usr/lib64/libcrypto.so.1.0.0)
28 >> > adam@proxy ~ $
29 >> >
30 >> > So OpenSSH clearly IS using OpenSSL, and you need to restart sshd after
31 >> > upgrading OpenSSL.
32 >>
33 >> As far as I know, it doesn't use it for the communication itself, just
34 >> some key generations, so it shouldn't be affected by this bug. But I
35 >> guess better safe than sorry...
36 >>
37 >
38 > Right. heartbleed does not directly affect openssh, but openssh uses
39 > openssl and it's good practice to keep the shared libraries on-disk and
40 > the shared libraries in-memory in sync.
41 >
42
43
44 How is OpenSSH not affected?

Replies

Subject Author
Re: [gentoo-user] 'Heartbleed' bug "Randolph Maaßen" <r.maassen60@×××××.com>
Report Message
Find on MARC Find on Google Groups