What is affected by FreeBSD-SA-07:08.openssl ?
cperciva at freebsd.org
Thu Oct 4 08:09:42 PDT 2007
Alexandre Biancalana wrote:
> $ grep -lr SSL_get_shared_ciphers /usr/src 2> /dev/null
> Doesn't reveal much about what is affected by this bug... Has someone made
> some deeper analysis about what is affected?
It doesn't look like anything in the base system uses this function, but I
just zgrepped my /usr/ports/distfiles and found that mysql uses this if it
is compiled with DBUG_OFF not defined. Assuming that you keep all of your
ports distfiles, you can run
$ zgrep -R SSL_get_shared_ciphers /usr/ports/distfiles
and any applications which use said function will probably show up.
But as for a deep analysis -- not that I'm aware of. We fixed this because
there might be an application which used this function in a way which made
this buffer overflow exploitable, not because we knew that such an application
FreeBSD Security Officer
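
An added example, not part of the original message: the zgrep above only says that a distfile mentions the function somewhere, so this sketch opens each tar archive and reports the source file, the line, and the preprocessor conditions enclosing each reference (the DBUG_OFF case mentioned for mysql). The sample archive, its member path and all helper names are constructed for illustration; #else/#elif branches are reported under their opening condition.

```python
import io, re, sys, tarfile, tempfile
from pathlib import Path

SYMBOL = b"SSL_get_shared_ciphers"
SOURCE_SUFFIXES = (".c", ".cc", ".cpp", ".h", ".hpp")
COND_OPEN = re.compile(rb"^\s*#\s*(ifndef|ifdef|if)\b(.*)")
COND_CLOSE = re.compile(rb"^\s*#\s*endif\b")

def symbol_refs(source):
    """Yield (line_no, enclosing #if conditions) for each line naming SYMBOL."""
    stack = []
    for no, line in enumerate(source.splitlines(), 1):
        opened = COND_OPEN.match(line)
        if opened:
            stack.append((opened.group(1) + opened.group(2)).decode("latin-1").strip())
        elif COND_CLOSE.match(line):
            del stack[-1:]  # tolerate an unbalanced #endif
        elif SYMBOL in line:
            yield no, tuple(stack)

def scan_distfile(path):
    """Return [(member_name, line_no, conditions)] for one tar archive."""
    hits = []
    try:
        with tarfile.open(str(path), "r:*") as tar:  # gz, bz2 and xz are auto-detected
            for member in tar:
                if member.isfile() and member.name.endswith(SOURCE_SUFFIXES):
                    hits += [(member.name, no, c) for no, c in symbol_refs(tar.extractfile(member).read())]
    except (tarfile.TarError, EOFError, OSError):
        pass  # not a tar archive, or a truncated download: keep what was read
    return hits

def scan_tree(root):
    """Map archive file name -> hits, for every archive under root with a hit."""
    found = {p.name: scan_distfile(p) for p in sorted(Path(root).rglob("*")) if p.is_file()}
    return {name: hits for name, hits in found.items() if hits}

def make_sample(directory):  # constructed distfile for the demo, not real MySQL source
    src = b"#ifndef DBUG_OFF\n  SSL_get_shared_ciphers(ssl, buf, sizeof(buf));\n#endif\n"
    info = tarfile.TarInfo("sample-1.0/vio/viossl.c")  # hypothetical member path
    info.size = len(src)
    with tarfile.open(str(Path(directory) / "sample-1.0.tar.gz"), "w:gz") as tar:
        tar.addfile(info, io.BytesIO(src))
    return directory

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    for archive, hits in scan_tree(root).items():
        print(archive, *hits, sep="\n  ")
```

Run it with the distfiles directory as the only argument; with no argument it scans the constructed sample.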