
Re: [cobalt-security] new openssl vulnerabilities



On Fri, 2002-08-02 at 01:52, davidblack wrote:
> "Eugene Crosser" <crosser@xxxxxxxxxxx> wrote ..
> > > > > How can I tell - which applications are running openssl shared
> > libraries?
> > > >
> > > > If you don't know about them, the chances are that you don't have any.
> > > > If you did not install openssl from rpm or from the source, you
> > definitely
> >       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > don't have any.
> >       ^^^^^^^^^^^^^^^
> > > >
> > > > If you, for example, compiled stunnel or SSL IMAPd, you might have
> > > > made them dynamically linked.
> > >
> > >
> > > Thanks for the reply.
> > > I installed OpenSSH from PkgMaster.com, but I can't recall
> > > which other apps I might have installed, from RPM or source.
> > > Is there any way to tell, if anything is using the shared libs?
> > 
> > See above.  If you are still not sure, look if you have openssl shared
> > libs
> > at all.  If you don't, then there cannot be applications dynamically linked
> > against them 8-O  Run "locate libssl" and see if there is any output.
> > 
> > Eugene
> 
> 
> Apparently, I do have the shared libs. Now what?
> 
> [root /root]# locate libssl
> /lib/libssl.so.0.9.6b
> /lib/libssl.so.2
> /usr/lib/apache/libssl.so
> /usr/local/ssl/lib/libssl.a
> /usr/local/openssl-0.9.6b/libssl.a
> [root /root]#

The fact that you have /usr/local/openssl-0.9.6b directory suggests that
you compiled the thing from source.  Grab 0.9.6e, build and install it. 
Since it was not installed from rpm, there is no way to find which
programs may use it other than recall which ones you compiled yourself. 
Check if any of them are statically linked against openssl, and rebuild.

Just in case, to check whether you installed openssl from rpm, run this
command:

rpm -qa|grep openssl

If the only thing you see is "apache-openssl-1.3.20-RaQ4_1C3" then you
did not.  If you see something like this:

openssl-perl-0.9.6b-XX
openssl-0.9.6b-XX
openssl-devel-0.9.6b-XX

then you did.  It is my understanding that the vulnerability was fixed in
the version with 'XX' = '24'.  Grab and install the appropriate rpms.

Eugene
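The procedure Eugene describes above (find what is dynamically linked against the libssl shared libraries, find what carries a statically linked copy and must be rebuilt, and check the rpm database) can be scripted. The following is an added example written for this page; it is not from the original thread, from Eugene, or from the Cobalt/OpenSSL projects. It assumes the usual GNU or BusyBox userland (find, ldd, awk, tr, grep -o, sort), and the default directory list is an assumption drawn from the paths in David's `locate` output; adjust it for your box.

```shell
#!/bin/sh
# find_openssl_users.sh - added example, not from the original thread.
# Reports (a) executables dynamically linked against libssl/libcrypto,
# (b) executables that appear to carry a statically linked copy of OpenSSL,
# and (c) which openssl RPMs, if any, are installed.  Tools assumed present:
# find, ldd, awk, tr, grep -o, sort.  The default directory list is an assumption.

# Read `ldd` output on stdin and print only the OpenSSL shared libraries.
# Example input line:  "libssl.so.2 => /lib/libssl.so.2 (0x4001f000)"
linked_ssl_libs() {
    awk '/libssl\.so|libcrypto\.so/ {
        if ($2 == "=>" && $3 == "not") print $1 " => not found";
        else if ($2 == "=>")           print $1 " => " $3;
        else                            print $1;
    }'
}

# OpenSSL compiles its version text ("OpenSSL 0.9.6b 9 Jul 2001") into
# libcrypto.  A dynamically linked program does not contain that string,
# so finding it inside an executable means a static copy of the library
# was linked in: that program needs rebuilding, not just a new .so.
embedded_openssl_versions() {
    tr -c '[:print:]' '\n' < "$1" | grep -o 'OpenSSL [0-9][0-9a-z.]*' | sort -u
}

# The "rpm -qa | grep openssl" check from the thread; harmless without rpm.
rpm_openssl_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm: not installed on this host"; return 0; }
    rpm -qa | grep -i openssl || echo "rpm: no openssl packages installed"
}

# Walk the given directories and report every executable (or DSO, such as
# the Apache module under /usr/lib/apache) that uses OpenSSL, and how.
# Caveat: ldd may execute the target's dynamic loader, so only point this at
# binaries you trust; for anything suspicious use "objdump -p FILE | grep NEEDED".
scan_for_openssl_users() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
            dyn=$(ldd "$f" 2>/dev/null | linked_ssl_libs)
            if [ -n "$dyn" ]; then
                printf '%s: dynamic: %s\n' "$f" "$(printf '%s' "$dyn" | tr '\n' ' ')"
                continue
            fi
            static=$(embedded_openssl_versions "$f")
            if [ -n "$static" ]; then
                printf '%s: static copy of %s (rebuild it)\n' "$f" "$static"
            fi
        done
    done
}

# Usage: sh find_openssl_users.sh --scan [DIR ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    [ $# -gt 0 ] || set -- /usr/local/bin /usr/local/sbin /usr/sbin /usr/lib/apache
    rpm_openssl_packages
    scan_for_openssl_users "$@"
fi
```

Run it as root with `--scan` and, optionally, the directories where you installed things you compiled yourself (`/usr/local/bin`, the stunnel or IMAPd install prefix, and so on). Anything listed as "dynamic" is fixed by installing the new libssl/libcrypto and restarting the service; anything listed as a "static copy" keeps the old code inside the executable and has to be recompiled against the fixed OpenSSL.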