Re: latest openssl vulnerability

From: Lev Walkin (vlm_at_netli.com)
Date: 03/19/04

  • Next message: Andrew L. Neporada: "Re: latest openssl vulnerability" 
    Date: Thu, 18 Mar 2004 23:45:21 -0800
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>

    Jacques A. Vidrine wrote:
    > On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
    >
    >>Is it true that (dynamic) binaries are vulnerable if and only if they are
    >>linked with libssl.so.3, not with libcrypt or libcrypto?
    >
    >
    > Yes, the bug is in libssl.

    No, the libssl library might as well be compiled in statically into an
    otherwise dynamic binary. So, if a dynamic binary is not linked with
    libssl.so.*, it isn't a reliable indicator of a vulnerability. 

    -- 
Lev Walkin
vlm@netli.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Andrew L. Neporada: "Re: latest openssl vulnerability"

    Relevant Pages

    • [NEWS] Multiple IBM DB2 Stack Overflow Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... DB2 is IBM's relational database software, ... IBM's DB2 database ships with two vulnerable setuid binaries, ... The vulnerability is triggered ...
      (Securiteam)
    • Re: latest openssl vulnerability
      ... > Is it true that binaries are vulnerable if and only if they are ... not with libcrypt or libcrypto? ... the bug is in libssl. ... To unsubscribe, ...
      (FreeBSD-Security)