On Wed, Sep 17, 2008 at 11:25:46PM +0100, Jeff Tupholme wrote:
Hi,
I've been updating an install of NetBSD 3.1 to get the Web server as
current as possible. Apache itself was no problem as I had installed
it from pkgsrc, so I simply downloaded the latest version.
However, I noticed from the Apache signature that my OpenSSL was an
old version. I hadn't installed this from pkgsrc so I realised it had
come with the base system. Looking at the security advisories, where
a couple of patches for it are advised, I saw how to update it. In
short, I downloaded the source tarballs for lib/ and crypto/,
unpacked them into /usr/src and followed the instructions for
patching OpenSSL. The install seemed to work and I now have new
versions of /usr/lib/libcrypto* and /usr/lib/libssl*.
However, when I look again at the signature being given by Apache
(and yes, I have stopped and started it) I still see the old version
number for OpenSSL - it hasn't changed. I'm wondering now what I've
actually done as I expected OpenSSL to be rebuilt when building the
libs with 'dependall' specified. A newer version exists in pkgsrc.
You also installed the new include files (where the openssl version
is)?
IMHO you have to rebuild apache again. The 'old' binaries are using
the old openssl libraries.
The major version of the libararies are recorded in the binaries.
And so it would still use the old version if there is a new library
which has a new major version.
And no, do NOT remove the old openssl libraries from your system now.
That would not solve your problem and you have a system which is
broken
due too the missing libraries.
It may be better to ask on current-users about your problem, but there
are some information missing from your mail:
- which source tarfiles did you download
- is there now more then one major version for libcrypto and libssl on
your system (in /usr/lib and /lib).