Message-ID: <405ABB2A.8010209@netli.com>
Date: Fri, 19 Mar 2004 01:19:38 -0800
From: Lev Walkin
Organization: Netli, Inc.
To: "Andrew L. Neporada"
cc: freebsd-security@freebsd.org
Subject: Re: latest openssl vulnerability
References: <20040318201727.GA14840@nas.dgap.mipt.ru> <20040318203310.GA51002@madman.celabo.org> <405AA511.6070805@netli.com> <20040319085153.GA17005@nas.dgap.mipt.ru>
In-Reply-To: <20040319085153.GA17005@nas.dgap.mipt.ru>

Andrew L. Neporada wrote:
> On Thu, Mar 18, 2004 at 11:45:21PM -0800, Lev Walkin wrote:
>
>>Jacques A. Vidrine wrote:
>>
>>>On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
>>>
>>>
>>>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>>>linked with libssl.so.3, not with libcrypt or libcrypto?
>>>
>>>
>>>Yes, the bug is in libssl.
>>
>>
>>No, the libssl library might as well be compiled in statically into an
>>otherwise dynamic binary. So, if a dynamic binary is not linked with
>>libssl.so.*, it isn't a reliable indicator of a vulnerability.
>
>
> Hmm... But there are no such dynamic libraries in FreeBSD 4.x, 5.x base
> install, right?

You mean, dynamically linked binaries with statically embedded OpenSSL?
Who knows ;) How can you check it, besides using (nm || strings) & grep?..

-- 
Lev Walkin
vlm@netli.com
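
An added example, not part of the message above or of any FreeBSD tool: a strings-style check that still works on stripped binaries, where nm has no symbols to show. It assumes OpenSSL builds of that era embed libssl banners of the form "SSLv3 part of OpenSSL 0.9.7c 30 Sep 2003"; the function names and the sample files are hypothetical and constructed.

```shell
#!/bin/sh
# Heuristic audit: does a file carry libssl code itself, or only reference
# the shared library by name? Works on raw bytes, so symbols are not needed.

# Assumed banner format emitted by libssl (SSLv2/SSLv3/TLSv1 method tables).
BANNER='(SSLv[23]|TLSv1) part of OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*'
# Shared-object name as it would appear in the dynamic string table.
SONAME='libssl\.so\.[0-9]+'

# libssl_linkage FILE
# Prints one of: "embedded <version>", "dynamic <soname>", "none", "unreadable".
libssl_linkage() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # -a: scan binary as text, -o: print only the match, -E: extended regex.
    hit=$(LC_ALL=C grep -a -o -E "$BANNER" "$f" 2>/dev/null | head -n 1)
    if [ -n "$hit" ]; then
        # Banner present: libssl is compiled into this file.
        echo "embedded ${hit##*OpenSSL }"
        return 0
    fi
    hit=$(LC_ALL=C grep -a -o -E "$SONAME" "$f" 2>/dev/null | head -n 1)
    if [ -n "$hit" ]; then
        # Only the library name is present: the code lives in the .so.
        echo "dynamic $hit"
        return 0
    fi
    echo "none"
}

# Constructed sample files (not real binaries) that mimic the three cases.
make_samples() {
    printf '\177ELF\000pad\000TLSv1 part of OpenSSL 0.9.7c 30 Sep 2003\000' > "$1/static"
    printf '\177ELF\000pad\000libssl.so.3\000SSL_connect\000' > "$1/dynamic"
    printf '\177ELF\000pad\000libc.so.5\000puts\000' > "$1/plain"
}

# Stand-alone use: sh script.sh /usr/local/bin/* /usr/local/sbin/*
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(libssl_linkage "$f")"
done
```

An "embedded" result means the binary has to be rebuilt against a fixed OpenSSL; replacing libssl.so alone will not patch it.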