[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: OpenSSL - what have I actually done!?
On 18 Sep 2008, at 7:32am, Bernd Ernesti wrote:
On Wed, Sep 17, 2008 at 11:25:46PM +0100, Jeff Tupholme wrote:
I've been updating an install of NetBSD 3.1 to get the Web server as
current as possible. Apache itself was no problem as I had installed
it from pkgsrc, so I simply downloaded the latest version.
However, I noticed from the Apache signature that my OpenSSL was an
old version. I hadn't installed this from pkgsrc so I realised it had
come with the base system. Looking at the security advisories, where
a couple of patches for it are advised, I saw how to update it. In
short, I downloaded the source tarballs for lib/ and crypto/,
unpacked them into /usr/src and followed the instructions for
patching OpenSSL. The install seemed to work and I now have new
versions of /usr/lib/libcrypto* and /usr/lib/libssl*.
However, when I look again at the signature being given by Apache
(and yes, I have stopped and started it) I still see the old version
number for OpenSSL - it hasn't changed. I'm wondering now what I've
actually done as I expected OpenSSL to be rebuilt when building the
libs with 'dependall' specified. A newer version exists in pkgsrc.
You also installed the new include files (where the openssl version
IMHO you have to rebuild apache again. The 'old' binaries are using
the old openssl libraries.
The major version of the libararies are recorded in the binaries.
And so it would still use the old version if there is a new library
which has a new major version.
And no, do NOT remove the old openssl libraries from your system now.
That would not solve your problem and you have a system which is
due too the missing libraries.
It may be better to ask on current-users about your problem, but there
are some information missing from your mail:
- which source tarfiles did you download
- is there now more then one major version for libcrypto and libssl on
your system (in /usr/lib and /lib).
Thanks for the reply. I didn't specifically do anything with the
includes but I completed the instructions for applying the patches,
i.e., doing a 'make install'. I've checked the libraries and I have
one major version of each, being /lib/libcrypto.so.2.1 and /usr/lib/
I hadn't thought about rebuilding mod_ssl but it's an idea. However,
when I run 'openssl version' from the command line it tells me that
this is still the old version, so I think it goes deeper than Apache.
Regarding the tarballs, I downloaded the original 3.1 versions and
then updated them with CVS (forgot to mention that in my original
I guess on reflection I'm just not really sure what applying a
security advisory is supposed to give me. The security page on the
Web site is all about the advisory procedure rather than the end
result. There seems to me to be a gap between applying these low-
level patches and the application-level rebuilds one can do with
pkgsrc. OpenSSL, as an application that comes with the base system,
would seem to fall into that gap.
Main Index |
Thread Index |