Re: latest openssl vulnerability

From: Lev Walkin (vlm_at_netli.com)
Date: 03/19/04

  • Next message: Benjamin von Mossner: "auth.log messages"
    Date: Fri, 19 Mar 2004 01:19:38 -0800
    To: "Andrew L. Neporada" <andr@dgap.mipt.ru>
    
    

    Andrew L. Neporada wrote:
    > On Thu, Mar 18, 2004 at 11:45:21PM -0800, Lev Walkin wrote:
    >
    >>Jacques A. Vidrine wrote:
    >>
    >>>On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
    >>>
    >>>
    >>>>Is it true that (dynamic) binaries are vulnerable if and only if they are
    >>>>linked with libssl.so.3, not with libcrypt or libcrypto?
    >>>
    >>>
    >>>Yes, the bug is in libssl.
    >>
    >>
    >>No, the libssl library might as well be compiled in statically into an
    >>otherwise dynamic binary. So, if a dynamic binary is not linked with
    >>libssl.so.*, it isn't a reliable indicator of a vulnerability.
    >
    >
    > Hmm... But threre is no such dynamic libraries in FreeBSD 4.x, 5.x base
    > install, right?

    You mean, dynamically linked binaries with statically embedded OpenSSL?
    Who knows ;) How can you check it, besides using (nm || strings) & grep?..

    -- 
    Lev Walkin
    vlm@netli.com
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    

  • Next message: Benjamin von Mossner: "auth.log messages"