0

I read "What is the difference between SSL vs SSH? Which is more secure?", and it mentions there is the possibility they can be affected by similar attacks. Now that the Heartbleed thing is out, is the SSH used in Python through Paramiko affected by this?

1 Answer

2

The Heartbleed security bug (CVE-2014-0160) affects only specific versions of OpenSSL, and nothing else.

From OpenSSL Security Advisory [07 Apr 2014], on OpenSSL's web site:

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

So, to answer your question: It depends on whether OpenSSL is used on your system, and which version is currently installed.

If you notice your system is vulnerable, the recommendation is to:

  1. Patch the OpenSSL component as soon as possible;
  2. Renew the X.509 certificate that's used by OpenSSL;
  3. Change (or enforce changing) the passwords of all accounts on the system.

To mitigate the risks associated with the Heartbleed bug, all of the above steps are necessary, and must be executed in the correct order.

Steven Volckaert
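One way to carry out the version check the answer describes, as an added example that is not part of the original answer: it reads the OpenSSL version string of the library the running Python interpreter's `ssl` module is linked against and compares it with the affected range quoted from the advisory. The function names are hypothetical, the sample strings in the comments are constructed, and the 1.0.1g cutoff comes from the same advisory rather than from the quote above.

```python
import re
import ssl

AFFECTED = "in-affected-range"
OUTSIDE = "outside-affected-range"
NOT_OPENSSL = "not-openssl"

# Matches strings such as "OpenSSL 1.0.1f 6 Jan 2014",
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-(\w+))?")


def classify(version_string):
    """Classify an OpenSSL version string against the Heartbleed range.

    Affected per the advisory: 1.0.1 through 1.0.1f, and the 1.0.2-beta
    releases up to 1.0.2-beta1. The advisory names 1.0.1g as the fixed release.
    """
    match = VERSION_RE.match(version_string)
    if match is None:
        # LibreSSL, BoringSSL or an unparseable string: not covered here.
        return NOT_OPENSSL
    base, letter, suffix = match.group(1), match.group(2), match.group(3) or ""
    if base == "1.0.1" and letter in {"", "a", "b", "c", "d", "e", "f"}:
        return AFFECTED
    if base == "1.0.2" and letter == "" and suffix in {"beta", "beta1"}:
        return AFFECTED
    return OUTSIDE


def linked_openssl_status():
    """Return (version string, classification) for this interpreter's OpenSSL."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    version, status = linked_openssl_status()
    print(f"{version}: {status}")
```

A result of `in-affected-range` is a prompt to check the package changelog, not a verdict: distributors often backport the fix without changing the upstream version letter. Other software on the same host may load a different copy of OpenSSL than the one Python reports.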