Date: Fri, 19 Mar 2004 01:19:38 -0800
From: Lev Walkin <vlm@netli.com>
To: "Andrew L. Neporada" <andr@dgap.mipt.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: latest openssl vulnerability
Message-ID: <405ABB2A.8010209@netli.com>
In-Reply-To: <20040319085153.GA17005@nas.dgap.mipt.ru>
References: <20040318201727.GA14840@nas.dgap.mipt.ru> <20040318203310.GA51002@madman.celabo.org> <405AA511.6070805@netli.com> <20040319085153.GA17005@nas.dgap.mipt.ru>

Andrew L. Neporada wrote:
> On Thu, Mar 18, 2004 at 11:45:21PM -0800, Lev Walkin wrote:
>
>>Jacques A. Vidrine wrote:
>>
>>>On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
>>>
>>>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>>>linked with libssl.so.3, not with libcrypt or libcrypto?
>>>
>>>Yes, the bug is in libssl.
>>
>>No, the libssl library might as well be compiled in statically into an
>>otherwise dynamic binary. So, if a dynamic binary is not linked with
>>libssl.so.*, it isn't a reliable indicator of a vulnerability.
>
> Hmm... But there is no such dynamic libraries in FreeBSD 4.x, 5.x base
> install, right?

You mean, dynamically linked binaries with statically embedded OpenSSL?
Who knows ;) How can you check it, besides using (nm || strings) & grep?..

-- 
Lev Walkin
vlm@netli.com
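
The check discussed in this message, as an added example that is not part of the original e-mail or of any FreeBSD tool: it separates a binary that needs libssl.so.* at run time from one that carries a static copy of libssl or only of libcrypto. It assumes OpenSSL builds of that era embed banner strings of the form "SSLv3 part of OpenSSL <version>" (libssl) and "MD5 part of OpenSSL <version>" (libcrypto); the function names are hypothetical, and a build with those strings removed will be missed.

```sh
#!/bin/sh
# Added example: classify how (or whether) a binary carries OpenSSL's libssl.
# Heuristic only: it relies on version banners that a build may have removed.

# Version text as embedded by OpenSSL, e.g. "OpenSSL 0.0.0x" (assumed format).
VER='OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*'

# Print the first match of a basic regex found anywhere in a binary file.
first_match() {
    LC_ALL=C grep -a -o "$1" "$2" 2>/dev/null | head -n 1
}

# Prints one of:
#   dynamic              NEEDED entry for libssl.so.* (the case ldd shows)
#   embedded-libssl V    libssl's own banner is inside the file (static copy)
#   embedded-crypto V    only libcrypto-style version text is inside the file
#   none                 no sign of OpenSSL found
classify_openssl() {
    f=$1
    # objdump -p reads the dynamic section without executing the file.
    if objdump -p "$f" 2>/dev/null | grep -q 'NEEDED.*libssl\.so'; then
        echo "dynamic"
        return 0
    fi
    # libssl banners: "SSLv2|SSLv3|TLSv1 part of OpenSSL <version>".
    hit=$(first_match "[ST][SL][LS]v[0-9] part of $VER" "$f")
    if [ -n "$hit" ]; then
        echo "embedded-libssl ${hit#* part of }"
        return 0
    fi
    # Any other OpenSSL version text points at libcrypto code only.
    hit=$(first_match "$VER" "$f")
    if [ -n "$hit" ]; then
        echo "embedded-crypto $hit"
    else
        echo "none"
    fi
}

# Usage: sh check_openssl.sh /usr/sbin/* /usr/local/bin/*
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_openssl "$f")"
done
```

A result of "none" does not prove absence, and "embedded-crypto" only says the libssl banner was not found.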