Re: Did RedHat's OpenSSL patch miss Apache?
From: Jacob Robert Wilkins (jrw_at_nplus1.net)
Date: Mon, 10 May 2004 13:19:00 -0400 To: gf gf <firstname.lastname@example.org>
On Sun, May 09, 2004 at 08:13:21PM -0700, gf gf wrote:
> A while ago, RedHat issued
> concerning security issues with OpenSSL.
> It seems to me that Apache uses its own copy of
> libssl, which is not part of the openssl RPM and hence
> not updated by the RedHat RPM update. (And is still
> $ rpm -q -f /usr/lib/apache/libssl.so
No problem here, /usr/lib/apache/libssl.so is actually just the apache
module for mod_ssl. It would seem to be poorly named, but it should not
be confused with the OpenSSL library.
Note that /usr/lib/apache/libssl.so is linked against OpenSSL's libssl.
[jrw@thorin jrw]$ ldd /usr/lib/apache/libssl.so
libssl.so.2 => /lib/libssl.so.2 (0x2aae4000)
libcrypto.so.2 => /lib/libcrypto.so.2 (0x2ab12000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libdl.so.2 => /lib/libdl.so.2 (0x2abd6000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x55555000)