[ale] openssl related software question

Jonathan Rickman jonathan at xcorps.net
Tue Jul 30 22:54:38 EDT 2002


On 30 Jul 2002, James P. Kinney III wrote:

> Hey Jenn (et al.),
>
> Be aware that I just did an ldd on MY redhat 7.3 box that is current up
> to yesterday. My libcrypto was packaged in openssl (rpm -q
> --whatprovides libcrypto returned openssl-0.9.6b-18 (I smell an upgrade
> here, too)).

The advisory at http://www.openssl.org/news/secadv_20020730.txt states...

"Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile
all applications using OpenSSL. Users of 0.9.7 pre-release versions should
apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all
applications using OpenSSL."

At least one vendor has mentioned that all statically linked programs will
need to be built against the new versions. I suppose the only real way to
have any sense of confidence about the whole issue and similar issues is
to build EVERYTHING from source so that you know that you know that you
know how your apps are built. Yet another reason for all you package
junkies to GET SLACK!!! ;-)

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
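
The ldd check and the static-linking concern discussed above can be combined into one audit pass. This is an added example, not part of the original post: the function names are hypothetical, and it assumes `ldd`, `tr`, `grep` and `find` are available and that a statically linked copy of libcrypto carries its compiled-in "OpenSSL <version>" banner.

```shell
#!/bin/sh
# Added example: report how each executable gets its OpenSSL code, so that
# statically linked programs are not missed when the shared library is upgraded.
# Note: ldd can invoke the target's loader; run this only on binaries you trust.

# Read `ldd` output on stdin; succeed if libssl or libcrypto is listed.
ldd_lists_openssl() {
    grep -Eq '(^|[[:space:]/])lib(ssl|crypto)\.so'
}

# Print the first OpenSSL version banner embedded in FILE, if any.
# Non-printable bytes become newlines so plain grep can search a binary.
embedded_openssl_banner() {
    LC_ALL=C tr -c '[:print:]' '\n' 2>/dev/null < "$1" |
        grep -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[a-z0-9]+)?' |
        head -n 1
}

# Print "dynamic", "static <banner>" or "none" for FILE.
classify_openssl_linkage() {
    file=$1
    if ldd "$file" 2>/dev/null | ldd_lists_openssl; then
        echo "dynamic"          # fixed by upgrading the shared library
        return 0
    fi
    banner=$(embedded_openssl_banner "$file")
    if [ -n "$banner" ]; then
        echo "static $banner"   # carries its own copy: needs a rebuild
    else
        echo "none"
    fi
}

# Walk the given directories and list every executable that uses OpenSSL.
audit_dirs() {
    for dir in "$@"; do
        find "$dir" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
            result=$(classify_openssl_linkage "$f")
            [ "$result" = "none" ] || printf '%s\t%s\n' "$result" "$f"
        done
    done
}

# Example run: sh audit.sh /usr/bin /usr/sbin /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

A banner only shows which release a binary was built from; a distribution package may carry a backported fix under an unchanged upstream version, so treat the output as a rebuild worklist rather than a verdict.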


