Re: latest openssl vulnerability
From: Lev Walkin (vlm_at_netli.com)
Date: Fri, 19 Mar 2004 01:19:38 -0800 To: "Andrew L. Neporada" <firstname.lastname@example.org>
Andrew L. Neporada wrote:
> On Thu, Mar 18, 2004 at 11:45:21PM -0800, Lev Walkin wrote:
>>Jacques A. Vidrine wrote:
>>>On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
>>>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>>>linked with libssl.so.3, not with libcrypt or libcrypto?
>>>Yes, the bug is in libssl.
>>No, the libssl library might as well be compiled in statically into an
>>otherwise dynamic binary. So, if a dynamic binary is not linked with
>>libssl.so.*, it isn't a reliable indicator of a vulnerability.
> Hmm... But threre is no such dynamic libraries in FreeBSD 4.x, 5.x base
> install, right?
You mean, dynamically linked binaries with statically embedded OpenSSL?
Who knows ;) How can you check it, besides using (nm || strings) & grep?..
-- Lev Walkin email@example.com _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "email@example.com"