[CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Lars Hecking
lhecking at users.sourceforge.net
Tue Apr 8 22:55:25 UTC 2014
Leon Fauster writes:
> Am 08.04.2014 um 23:08 schrieb Keith Keller <kkeller at wombat.san-francisco.ca.us>:
> > On 2014-04-08, Robert Arkiletian <robark at gmail.com> wrote:
> >>
> >> if you include libcrypto in the grep then sshd is affected.
> >
> > That's unfortunate. :( Is the bug in libssl, libcrypto, or both?
>
>
> looking inside - its seems that this issue (cve-2014-0160) is resolved
> in ssl/d1_both.c and ssl/t1_lib.c and not in files under crypto/ ...
> to say more i have to take a look into the build process.
The OpenBSD note for the patch reads
(http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch)
| Only SSL/TLS services are affected. Software that uses libcrypto alone
| is not affected. In particular, ssh/sshd are not affected and there
| is no need to regenerate SSH host keys that have not otherwise been
| exposed.
The patched code is the same everywhere, ssl subdirectory only. Code in
the crytpo subdirectory is not affected or patched.
More information about the CentOS
mailing list