Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Mar 2004 23:45:21 -0800
From:      Lev Walkin <vlm@netli.com>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc:        "Andrew L. Neporada" <andr@dgap.mipt.ru>
Subject:   Re: latest openssl vulnerability
Message-ID:  <405AA511.6070805@netli.com>
In-Reply-To: <20040318203310.GA51002@madman.celabo.org>
References:  <20040318201727.GA14840@nas.dgap.mipt.ru> <20040318203310.GA51002@madman.celabo.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Jacques A. Vidrine wrote:
> On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
> 
>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>linked with libssl.so.3, not with libcrypt or libcrypto?
> 
> 
> Yes, the bug is in libssl.


No, the libssl library might as well be compiled in statically into an
otherwise dynamic binary. So, if a dynamic binary is not linked with
libssl.so.*, it isn't a reliable indicator of a vulnerability.


-- 
Lev Walkin
vlm@netli.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?405AA511.6070805>