latest openssl vulnerability
Lev Walkin
vlm at netli.com
Fri Mar 19 01:18:30 PST 2004
Andrew L. Neporada wrote:
> On Thu, Mar 18, 2004 at 11:45:21PM -0800, Lev Walkin wrote:
>
>>Jacques A. Vidrine wrote:
>>
>>>On Thu, Mar 18, 2004 at 11:17:27PM +0300, Andrew L. Neporada wrote:
>>>
>>>
>>>>Is it true that (dynamic) binaries are vulnerable if and only if they are
>>>>linked with libssl.so.3, not with libcrypt or libcrypto?
>>>
>>>
>>>Yes, the bug is in libssl.
>>
>>
>>No, the libssl library might as well be compiled in statically into an
>>otherwise dynamic binary. So, if a dynamic binary is not linked with
>>libssl.so.*, it isn't a reliable indicator of a vulnerability.
>
>
> Hmm... But threre is no such dynamic libraries in FreeBSD 4.x, 5.x base
> install, right?
You mean, dynamically linked binaries with statically embedded OpenSSL?
Who knows ;) How can you check it, besides using (nm || strings) & grep?..
--
Lev Walkin
vlm at netli.com
More information about the freebsd-security
mailing list