Vulnerability found in libssh/OpenSSH

[Mutzli]

Ars Technica just reported about a vulnerability that was discovered in libssh which affects servers, IoT devices etc.
https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access
Does this affect OpenSSH on the lastest Merlin firmware too?

 

[RMerlin]

Ars Technica just reported about a vulnerability that was discovered in libssh wich affects servers, IoT devices etc.
https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access
Does this affect OpenSSH on the lastest Merlin firmware too?

Asuswrt-Merlin does not use OpenSSH, but Dropbear.

 

[isomorphic]

I don't think this affects OpenSSH, but it's easy to be confused: Everyone seems to name their library "libssh" and in fact some code projects have shared heritage. In this case "libssh" is not referring to a part of OpenSSH. To be very clear, this does not affect OpenSSH, nor Dropbear.

What does it affect? Probably a few proprietary appliance-like things that have builtin ssh for SFTP or whatever.

 

[kvic]

OpenSSH tangos with OpenSSL libraries only.

 

[sfx2000]

Just libssh - OpenSSH client/server are not impacted...