From owner-freebsd-security@FreeBSD.ORG  Thu Mar 18 23:44:13 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AE0F416A4CE
	for <freebsd-security@freebsd.org>;
	Thu, 18 Mar 2004 23:44:13 -0800 (PST)
Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5FA0843D45
	for <freebsd-security@freebsd.org>;
	Thu, 18 Mar 2004 23:44:13 -0800 (PST)	(envelope-from vlm@netli.com)
Received: (qmail 16009 invoked by uid 84); 19 Mar 2004 07:44:12 -0000
Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan:
	v4.1.40/v4121. . Clean. Processed in 0.170438 secs); 19 Mar 2004 07:44:12
	-0000
Received: from unknown (HELO netli.com) (172.17.1.12)
  by mx01-pal-lan.netli.lan with SMTP; 19 Mar 2004 07:44:12 -0000
Message-ID: <405AA511.6070805@netli.com>
Date: Thu, 18 Mar 2004 23:45:21 -0800
From: Lev Walkin <vlm@netli.com>
Organization: Netli, Inc.
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040307
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
References: <20040318201727.GA14840@nas.dgap.mipt.ru>
	<20040318203310.GA51002@madman.celabo.org>
In-Reply-To: <20040318203310.GA51002@madman.celabo.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
cc: "Andrew L. Neporada" <andr@dgap.mipt.ru>
Subject: Re: latest openssl vulnerability
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2004 07:44:13 -0000

Jacques A. Vidrine wrote:
> On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
> 
>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>linked with libssl.so.3, not with libcrypt or libcrypto?
> 
> 
> Yes, the bug is in libssl.


No, the libssl library might as well be compiled in statically into an
otherwise dynamic binary. So, if a dynamic binary is not linked with
libssl.so.*, it isn't a reliable indicator of a vulnerability.


-- 
Lev Walkin
vlm@netli.com