Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?
From: Bram Matthys (Syzop) (syzop_at_vulnscan.org)
To: Honza Vlach <firstname.lastname@example.org>
Date: Mon, 22 Mar 2004 17:06:38 +0100
Honza Vlach wrote:
> I have checked apache mod_ssl and php module, which are both dynamically
> linked to the libssl.so.0.9.7. The thing that confuses me a lot is, when I
> look at the phpinfo(), it says "OpenSSL version 0.9.7c", which it
> was compiled against.
> Does this mean that I'm still vulnerable, or is it just the version
> hardcoded into the binary, while the library itself was successfully
The thing is that OPENSSL_VERSION_TEXT is used to display the
openssl version (AFAIK there's no alternative method):
    php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT);
OPENSSL_VERSION_TEXT is defined in one of the openssl header files
(opensslv.h) and is a string constant, thus compiled in.
So if ldd shows it's using that lib (you could even lsof it at runtime
to be sure) then you should be ok.
Full-Disclosure - We believe in it.
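
Added example, not part of the original message or of PHP/OpenSSL: a shell function that does the runtime check suggested above by reading text in /proc/<pid>/maps format and listing the libssl/libcrypto files a process has mapped. It goes one step beyond the thread by flagging mappings marked "(deleted)", which Linux shows when the library file was replaced on disk after the process started, so the process still runs the old code until restarted. The function names and the sample mappings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OpenSSL shared libraries a process has mapped,
# given text in /proc/<pid>/maps format on stdin.

# ssl_mappings (hypothetical helper name): prints "<status> <path>" once per
# mapped libssl/libcrypto file.
#   stale   -> the mapped file was replaced or removed on disk after the
#              process started; the old library code is still in use
#   current -> the mapped file still exists on disk under that path
ssl_mappings() {
    awk '
        $6 ~ /\/lib(ssl|crypto)\.so/ {
            status = ($NF == "(deleted)") ? "stale" : "current"
            if (!seen[$6]++) print status, $6
        }'
}

# Constructed sample in /proc/<pid>/maps format (not real output): a web
# server whose libssl was upgraded on disk while it kept running.
sample_maps() {
    cat <<'EOF'
08048000-080a1000 r-xp 00000000 03:01 11111 /usr/sbin/httpd
40017000-40047000 r-xp 00000000 03:01 22222 /usr/lib/libssl.so.0.9.7 (deleted)
40047000-4004a000 rw-p 00030000 03:01 22222 /usr/lib/libssl.so.0.9.7 (deleted)
4004a000-40130000 r-xp 00000000 03:01 33333 /usr/lib/libcrypto.so.0.9.7
EOF
}

# Against a live process (assumption: Linux with /proc mounted):
#   ssl_mappings < /proc/<pid>/maps
sample_maps | ssl_mappings
```

A "stale" line means the process has to be restarted before it picks up the upgraded library, whatever version string phpinfo() shows.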