Date: Thu, 10 Apr 2014 10:15:28 +0000
From: Cyrus Lopez <clopez@softlayer.com>
To: Carlo Strub <cs@FreeBSD.org>, "mexas@bris.ac.uk" <mexas@bris.ac.uk>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID: <DE1D9BD7-2858-49BD-BDE8-C4CE7FE7351B@softlayer.com>
In-Reply-To: <1397124609.974780.949873937.113568.2@c-st.net>
References: <20140409084809.GA2661@lena.kiev> <201404082334.s38NYDxr098590@freefall.freebsd.org> <201404090821.s398LMg7020616@mech-cluster241.men.bris.ac.uk> <1397124609.974780.949873937.113568.2@c-st.net>

>>
>> SSH is not affected.
>>
>
> SSH is indeed not affected, but I guess you should still consider the secret sshd key on your otherwise affected server as burnt, as it might have been in the memory too while an attacker was inspecting it via heartbleed. Better recreate the secret ssh key and all other secret keys on your server as well. But, again, the OpenSSH protocol/software per se are not affected.

This is incorrect. The heartbleed exploit would have only returned portions of memory that were under the control of OpenSSL, not general memory used by other processes on the system.