Gentoo Forums
OpenSSL advisory and Gentoo
ph317
n00b
Joined: 02 Jun 2002
Posts: 43

Posted: Tue Jul 30, 2002 2:20 pm    Post subject: OpenSSL advisory and Gentoo

There's an advisory I saw this morning for OpenSSL. The gist of it is that if you're running the common setup of using mod_ssl against openssl 0.9.6d on an x86, and you allow the SSLv2 protocol, you're exploitable (but no exploit code seen in the wild yet). The two quick fixes appear to be to disable SSLv2 (force users to use v3 or nothing), or to upgrade openssl to 0.9.6e. I can't disable v2 in the middle of today for fear of breaking existing customers, so I'd like to quietly upgrade openssl to 0.9.6e - I noticed we already have an ebuild for it (and that Gentoo's default mod_ssl setup is dynamically linked to openssl, so a restart should get the new library in use), but it's masked because it's not sure to be good yet...

Has anyone taken the plunge and upgraded to 0.9.6e yet? Did it break anything for your apache/mod_ssl?
taveren
Tux's lil' helper
Joined: 24 Jul 2002
Posts: 145
Location: London, Ontario

Posted: Tue Jul 30, 2002 3:11 pm    Post subject: Followup question

I've been annoyed recently by having to upgrade my slackware machines all the time via the source, which is becoming more and more of a pain. My next choice is Gentoo (and I've started playing around with it on another drive). My question, with regards to this OpenSSL vulnerability topic, is "How quickly does Gentoo deal with security issues such as this?" I see there are new ebuilds for OpenSSL already, and that is great. However, everything that uses OpenSSL will have to be recompiled for the changes to take effect. Does Gentoo take care of that for me? Will it know what uses OpenSSL and recompile it when I upgrade?

Certainly this isn't really going to affect my decision greatly (well, getting quick updates will), but it would be very, very nice if it does.
taveren

Joined: 24 Jul 2002
Posts: 145
Location: London, Ontario

Posted: Tue Jul 30, 2002 3:33 pm    Post subject: Answered my own question.

Just received the Bugtraq post about Gentoo's security announcement, with the instructions on how to upgrade openssl, and how to fix up the statically linked applications.

Good work. Soon as I get a working system and understand everything I need, Gentoo will be replacing my slackware desktop and laptop. (possibly servers as well).
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067

Posted: Tue Jul 30, 2002 4:20 pm

Mentioned in this thread first.
_________________
Quis separabit? Quo animo?
ph317
n00b
Joined: 02 Jun 2002
Posts: 43

Posted: Tue Jul 30, 2002 6:02 pm

I double-checked with "ldd", and if you're using the standard Gentoo ebuild of apache+mod_ssl, the openssl library is dynamically linked to mod_ssl. Therefore I would think that you don't need to recompile the dependants (unless there's some interface change in a header file which is critical).

BTW, 0.9.6e was unmasked sometime during the day today after my initial post, so "emerge rsync;emerge -u openssl" should fix you.
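
The ldd check described in the post above, together with the restart that actually puts the upgraded library into use, as an added example that is not part of the original thread. The function names and the sample maps excerpt are constructed for illustration; it assumes a Linux /proc filesystem, where a mapping whose file was replaced on disk is marked "(deleted)".

```sh
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# Print the path of every libssl/libcrypto mapping that the kernel marks
# "(deleted)" in /proc/<pid>/maps-format text read from stdin: the file was
# replaced on disk, but the process still runs the old copy.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# Succeed if ldd-format text on stdin lists libssl or libcrypto as a shared
# dependency. A static binary has no such line and must be rebuilt instead.
links_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* =>'
}

# Constructed maps excerpt: an apache process started before the upgrade.
sample_maps() {
    cat <<'EOF'
08048000-08090000 r-xp 00000000 03:01 60001 /usr/sbin/apache
40017000-40045000 r-xp 00000000 03:01 81234 /usr/lib/libssl.so.0.9.6 (deleted)
40045000-40110000 r-xp 00000000 03:01 81235 /usr/lib/libcrypto.so.0.9.6 (deleted)
40110000-40220000 r-xp 00000000 03:01 70011 /lib/libc-2.2.5.so
40300000-40301000 rw-p 00000000 00:00 0
EOF
}

# List "PID<TAB>stale libraries" for every readable process on this host.
scan_running() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        stale=$(stale_openssl_maps 2>/dev/null < "$maps") || continue
        [ -n "$stale" ] || continue
        pid=${maps#/proc/}
        printf '%s\t%s\n' "${pid%/maps}" "$(printf '%s' "$stale" | tr '\n' ' ')"
    done
}

# Usage: sh script.sh --scan   (run as root to see every process)
if [ "${1:-}" = "--scan" ]; then scan_running; fi
```

Any PID the scan lists is still executing the pre-upgrade library and stays exposed until that service is restarted.
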
fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Tue Jul 30, 2002 6:26 pm

Let's follow this discussion in the thread pointed above by kanuslupus. The full text of the mentioned advisory is posted there, and it's easier for anyone interested to follow one thread instead of two.
_________________
| www.gentoo.org | www.tldp.org | www.google.com |