Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?
From: Bram Matthys (Syzop) (syzop_at_vulnscan.org)
Date: 03/22/04
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] AIX 4.3.3 has make sgid 0?"
- In reply to: Honza Vlach: "[Full-Disclosure] OpenSSL - dynamically linked binaries?"
To: Honza Vlach <janus@volny.cz>
Date: Mon, 22 Mar 2004 17:06:38 +0100
Honza Vlach wrote:
> I have checked apache mod_ssl and php module, which are both dynamically
> linked to the libssl.so.0.9.7. The thing that confuses me a lot is, when I
> look at the phpinfo(), it says "OpenSSL version 0.9.7c", which it
> was compiled against.
>
> Does this mean, that I'm still vulnerable, or it is just version
> hardcoded to the binary, while the library itself was successfully
> reloaded?

The latter...

The thing is that OPENSSL_VERSION_TEXT is used to display the
openssl version (AFAIK there's no alternative method):

    php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT);

OPENSSL_VERSION_TEXT is defined in one of the openssl header files
(opensslv.h) and is a string constant, thus compiled in.

So if ldd shows it's using that lib (you could even lsof it at runtime
to be sure) then you should be ok.

Bram Matthys.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
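
An added example, not part of the original message or of the PHP/OpenSSL code: the runtime check mentioned in the reply (looking at what the process actually has mapped), as a shell function that reads text in Linux /proc/<pid>/maps format and reports whether each mapped libssl/libcrypto is the file currently on disk or one that was removed after the process loaded it, in which case the process still runs the old code until it is restarted. The function names, sample mappings and inode numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the libssl/libcrypto mappings of a process.
# Input : text in /proc/<pid>/maps format on stdin (Linux).
# Output: one line per distinct library, "<state> <path>", where
#   current = the mapped file still exists under that name
#   stale   = the mapped file was unlinked after loading (typical after an
#             upgrade replaced it); the process needs a restart

classify_ssl_maps() {
    awk '
        # Field 6 is the pathname; the kernel appends "(deleted)" as the
        # last field when the mapped file has been unlinked.
        $6 ~ /\/lib(ssl|crypto)\.so/ {
            state = ($NF == "(deleted)") ? "stale" : "current"
            key = state " " $6
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Returns 0 when no stale SSL library is mapped, 1 otherwise.
ssl_maps_clean() {
    ! classify_ssl_maps | grep '^stale ' >/dev/null
}

# Constructed sample: a web server started before libssl was upgraded.
# libssl was replaced on disk, libcrypto was not.
sample_maps() {
    cat <<'EOF'
08048000-080a0000 r-xp 00000000 03:01 12345 /usr/sbin/httpd
40100000-40130000 r-xp 00000000 03:01 23456 /usr/lib/libssl.so.0.9.7 (deleted)
40130000-40133000 rw-p 0002f000 03:01 23456 /usr/lib/libssl.so.0.9.7 (deleted)
40140000-40230000 r-xp 00000000 03:01 23457 /usr/lib/libcrypto.so.0.9.7
EOF
}

# With a PID argument, inspect that process; otherwise show the sample.
if [ -n "${1:-}" ]; then
    classify_ssl_maps < "/proc/$1/maps"
else
    sample_maps | classify_ssl_maps
fi
```

A "current" result only says the process maps the file now on disk; whether that file is the fixed build is still a matter of checking the installed package.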