by xorcist 1333 days ago
It is very unlikely that this affects OpenSSH regardless. Only the cryptographic primitives are used from OpenSSL, and none of the complexity of the SSL functions. The cryptographic functions themselves are small and extremely well tested.
2 comments

OpenSSH (or commonly used variants thereof?) supports X.509 certificates, would they really reimplement that can of worms instead of using already linked libssl functions? Especially since on OpenSSH's home platform libssl is LibreSSL which they consider safer than OpenSSL.

Also, there already was one OpenSSL 3 crypto-primitive-caused vuln, or at least security-relevant bug, in OpenSSH this year: https://thehackernews.com/2022/06/openssh-to-release-securit...

Correcting myself: in the ssh-keygen manpage it says that the cert format is not X.509:

  Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

I took ssh only as an example as curl has the same dependency.

But thanks to @Beltalowda it is obvious that the lib64/openssl3 does not belong to openssl.