Leon Fauster writes:
On 08.04.2014 at 23:08, Keith Keller kkeller@wombat.san-francisco.ca.us wrote:
On 2014-04-08, Robert Arkiletian robark@gmail.com wrote:
If you include libcrypto in the grep then sshd is affected.
That's unfortunate. :( Is the bug in libssl, libcrypto, or both?
Looking inside - it seems that this issue (CVE-2014-0160) is resolved in ssl/d1_both.c and ssl/t1_lib.c and not in files under crypto/ ... to say more I have to take a look into the build process.
The OpenBSD note for the patch reads (http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch)
| Only SSL/TLS services are affected. Software that uses libcrypto alone
| is not affected. In particular, ssh/sshd are not affected and there
| is no need to regenerate SSH host keys that have not otherwise been
| exposed.
The patched code is the same everywhere, ssl subdirectory only. Code in the crypto subdirectory is not affected or patched.