# New OpenSSL vulnerability

## rizzo

Although there isn't an emerge for the latest yet, get ready to upgrade your SSL package.  There is a vulnerability affecting 0.96d or earlier servers/clients.  Official notice is here.

----------

## snoopey

Just got ./-ed   :Confused: 

----------

## rizzo

Since the site does seem slashdotted, here is the text of the advisory:

 *Quote:*   

> OpenSSL Security Advisory [30 July 2002]
> 
> This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory.
> 
> Advisory 1
> ...

 

----------

## ph317

 *Quote:*   

> Let's follow this discussion in the thread pointed above by kanuslupus. The full text of the mentioned advisory is posted there, and it's easier for anyone interested to follow one thread instead of two.

 

The difference is that there was discussion in the other thread - would've been easier to copy the official announcement to the thread with useful content.

----------

## rizzo

Uhh ... I wasn't aware we had some kind of competition going.  Nor did I realize there was another thread.  Either way I couldn't care less.  Just trying to spread the word.

----------

## Xor

 *Quote:*   

> However, everything that uses OpenSSL will have to be recompiled for the changes to take effect. Does Gentoo take care of that for me? Will it know what uses OpenSSL and recompile it when I upgrade?

well, I am not a ueber-master in those compile-stuff, but as far as I know/guess is that you can link openssl "dynamical" or compile it in "static"

as mentioned, if it's dynamically linked you have just to upgrade... if it's static you have to recompile - AFAIK gentoo is not yet able to recompile stuff in "reverse-dependency" mode.... but there is a nice script in tips'n'tricks.... which does a nice job.... check the one out.... 

example list:

```
./pkg-depend.sh openssl
x11-libs/rep-gtk-0.16
x11-misc/xscreensaver-4.05-r3
x11-terms/gnome-terminal-2.0.0-r1
app-admin/aide-0.8
gnome-base/gdm-2.4.0.4
gnome-base/gnome-vfs-2.0.1
gnome-base/gnome-vfs-1.0.5-r2
gnome-base/bonobo-activation-1.0.3
gnome-base/gconf-1.2.0-r4
gnome-base/eel-2.0.0-r1
gnome-base/control-center-1.4.0.5-r1
gnome-base/libbonobo-2.0.0
gnome-base/gnome-applets-2.0.1
gnome-base/libgnome-2.0.1-r1
gnome-base/libbonoboui-2.0.0
gnome-base/gnome-desktop-2.0.3
gnome-base/libgnomeprintui-1.115.0
gnome-base/ORBit2-2.4.0-r3
gnome-base/gnome-2.0.0-r2
gnome-base/gnome-session-2.0.2
gnome-base/control-center-2.0.0
gnome-base/libgnomeprint-1.115.0-r2
gnome-base/libgnomeui-2.0.1
gnome-base/gnome-panel-2.0.2-r1
gnome-base/gnome-panel-1.4.1
app-text/jadetex-3.12
app-text/tetex-1.0.7-r10
media-gfx/eog-1.0.1-r2
net-nds/openldap-2.0.25-r1
net-www/lynx-2.8.4a-r4
net-www/galeon-1.2.5
sys-apps/vcron-3.0.1-r1
net-libs/libwww-5.4.0
net-libs/linc-0.5.1
net-mail/mutt-1.4-r2
net-mail/procmail-3.22-r2
net-mail/postfix-1.1.11.20020613
net-misc/openssh-3.4_p1-r3
net-misc/wget-1.8.2
net-news/slrn-0.9.7.4
app-office/gnumeric-1.0.8
app-office/abiword-1.0.2
x11-wm/sawfish-2.0
x11-wm/metacity-2.3.987-r2
dev-libs/libgcrypt-1.1.3
dev-libs/openssl-0.9.6d-r1
dev-libs/cyrus-sasl-2.1.6
app-editors/gedit-2.0.1-r1
gnome-extra/gal-0.19.2-r1
gnome-extra/gnome-games-2.0.1-r1
gnome-extra/gconf-editor-0.2
gnome-extra/gnome-system-monitor-2.0.0-r1
gnome-extra/libgtkhtml-2.0.0-r1
gnome-extra/bug-buddy-2.2.0
gnome-extra/yelp-1.0.1
gnome-extra/gnome-utils-2.0.1
gnome-extra/gnome-media-2.0.0
net-analyzer/ethereal-0.9.5-r2
net-analyzer/snort-1.8.7
net-analyzer/tcpdump-3.7.1
```

don't get confused... I don't have an apache installed  :Smile:  also there are quite a lot of packages which seem to not be _really_ scared by the vul (like abiword?)

cu

xor

----------

## Xor

yeah yeah.... it seems I'm just too dumb to use those "Quote" and "List" buttons.... or are they not debian compatible?  :Wink: 

----------

## ergin

It's a bit confusing for me. I have emerged mod_php and apache using ssl in SET variable. Do I need to recompile mod_php and apache? I always thought ssl is not compiled as a module when I have ssl in SET, so I need to recompile every package using openssl. thanks

----------

## rac

 *ergin wrote:*   

> I have emerged mod_php and apache using ssl in SET variable. Do I need to recompile mod_php and apache? I always thought ssl is not compiled as a module when I have ssl in SET, so I need to recompile every package using openssl.

 

Yes, I suspect you have to recompile apache.  You can check one of two ways: use ldd to see if you are linking to the openssl libraries dynamically.  If so, no need to recompile.

Look in /var/log/apache/error.log on apache startup to see what version of openssl it thinks it is using.

----------

## mksoft

Depends if it is linked static or dynamic. I don't think you'll need to recompile apache, as it doesn't use ssl directly (just provides the EAPI for mod_ssl if ssl is in USE flags).

ldd'ing on php shows that it is linked dynamically to libssl so it should not be a problem. This is the whole idea of shared libraries, you need to upgrade only the library itself. Any other dynamically linked program would pick up the changes after the update (usually through a symlink which points now to the new lib instead of the old one).

Anyway, if you want to see the list of packages depending on openssl:

```
qpkg -q openssl
```

----------

## ergin

I'm not sure if there's no need to recompile apache and php. 

I first emerged openssl-0.9.6e. Then unmerged openssl-0.9.6d. Going into an openssl session the version command said it is 0.9.6e. I rebooted but in /var/log/apache/error.log apache was thinking it is using 0.9.6d.  The phpinfo command (makes automatically a webpage with all info about system, apache, php, databases, etc) said php was compiled using the flag --openssl and the version used was 0.9.6d. So I decided to recompile php. After the compilation phpinfo was showing the new version of openssl.  But till now error.log of apache says it's using the old version of openssl. This is why I'm confused more than at the beginning. 

My situation: 

emerge says the only version installed on my box is 0.6.9e. SSL over web is working well, php says it's compiled with openssl-0.9.6e and using it, apache thinks it is using 0.9.6d in spite of the fact that it was compiled with 0.9.6e. Maybe I should forget it because it's a bug of apache?

----------

## mksoft

I think they are reporting the version of openssl they were compiled against, not necessarily the version they're using now (could be wrong though, so don't shoot the messenger).

----------

## ph317

I'm pretty sure Apache is reporting the version compiled against, not the actual runtime version.  I checked the source code for mod_ssl, and it appears to take it from the OpenSSL headers at compile-time.
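The two checks discussed in this thread (rac's ldd test for dynamic linking, and ph317's point that mod_ssl logs the OpenSSL version it was compiled against rather than the one installed) can be scripted. The following is an added example, not code posted by anyone in the thread or shipped with Gentoo; the ldd output, error.log line and `openssl version` string it works on are constructed samples, and the paths in the comments (/usr/sbin/apache, /var/log/apache/error.log) are assumed from the posts above.

```shell
#!/bin/sh
# Added example: audit a binary's OpenSSL linkage and compare the OpenSSL
# version a server logs against the library actually installed.

# Read ldd(1) output on stdin. Print "dynamic" if libssl/libcrypto are
# resolved as shared objects (the upgraded library is picked up on restart),
# "static-or-none" otherwise (a statically linked binary must be rebuilt).
classify_ssl_linkage() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo static-or-none
    fi
}

# Extract the "OpenSSL/x.y.z" token from an Apache/mod_ssl startup log line.
# mod_ssl takes this from the headers at compile time, so it is the
# build-time version, not what is loaded at runtime.
logged_openssl_version() {
    sed -n 's/.*OpenSSL\/\([0-9][0-9a-z.]*\).*/\1/p'
}

# Extract the version from `openssl version` output ("OpenSSL 0.9.6e 30 Jul 2002").
runtime_openssl_version() {
    awk '/^OpenSSL/ { print $2 }'
}

# Print "match" or "mismatch: built against X, installed Y".
compare_versions() {
    built="$1"
    installed="$2"
    if [ "$built" = "$installed" ]; then
        echo match
    else
        echo "mismatch: built against $built, installed $installed"
    fi
}

# --- constructed sample input (not captured from a real system) ---
SAMPLE_LDD_DYNAMIC='    libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40020000)
    libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_LDD_STATIC='    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_ERROR_LOG='[notice] Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d configured -- resuming normal operations'
SAMPLE_OPENSSL_VERSION='OpenSSL 0.9.6e 30 Jul 2002'

# Stand-alone demo on the samples. On a live box (paths assumed) use instead:
#   ldd /usr/sbin/apache | classify_ssl_linkage
#   grep 'OpenSSL/' /var/log/apache/error.log | tail -1 | logged_openssl_version
#   openssl version | runtime_openssl_version
printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | classify_ssl_linkage
printf '%s\n' "$SAMPLE_LDD_STATIC" | classify_ssl_linkage
built=$(printf '%s\n' "$SAMPLE_ERROR_LOG" | logged_openssl_version)
installed=$(printf '%s\n' "$SAMPLE_OPENSSL_VERSION" | runtime_openssl_version)
compare_versions "$built" "$installed"
```

A "mismatch" from the last line is exactly the situation ergin describes: the log string is a compile-time constant, so after upgrading OpenSSL it keeps naming the old version even though a dynamically linked apache is already running the new library. Only the "static-or-none" result from the ldd check tells you a rebuild is actually required.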

----------

