SUMMARY: openssl Vulnerabilities in ASN.1 parsing

From: Garrett, Matt M SITI-ITDIEEE <>
Date: Thu Oct 02 2003 - 05:06:35 EDT

Thanks to all the people who replied.

Half seemed to think that you did not need to recompile openssh;
the other half said you had to.

However I believe Dan Astoorian has the answer.
> My feeling is no because openssh and other such programs were not compiled
> as static programs.

Are you certain of that?  I don't know what versions you're using or
where you got them from, but the default for OpenSSL is to build static
libraries only.  Furthermore, if you are using dynamic libraries, then
depending on what version you upgraded to and from, the application
interface may not be compatible between OpenSSL releases.  The INSTALL
file for OpenSSL explicitly says:

| Shared library is currently an experimental feature.  The only reason to
| have them would be to conserve memory on systems where several program
| are using OpenSSL.  Binary backward compatibility can't be guaranteed
| before OpenSSL version 1.0.

This basically means that if OpenSSH is compiled to use dynamic OpenSSL
libraries, then upgrading the libraries may or may not break OpenSSH.

Which means that all programs that rely on openssl need to be re-compiled.

Looks like I have a busy morning re-compiling openssl, openssh,


Matthew Garrett
Unix System Support
Shell Information Technology International Limited
Seafield House, North Anderson Drive, Aberdeen AB15 6GZ, United Kingdom
sunmanagers mailing list
Received on Thu Oct 2 05:06:27 2003
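
One way to find which installed binaries fall under the rebuild discussed in this message, as an added example that is not part of the original post: a dynamic dependency shows up in `ldd` output, while a statically linked copy usually leaves OpenSSL's version banner in the binary. The function names and the sample text are constructed here, and the banner match is a heuristic.

```shell
#!/bin/sh
# Added example (not from the original post): classify how a binary uses OpenSSL.
# Usage: sh check_openssl.sh /usr/local/sbin/sshd /usr/local/bin/ssh ...

# classify_linkage LDD_TEXT STRINGS_TEXT
# Prints "dynamic", "static <version>" or "none".
classify_linkage() {
    ldd_text=$1
    strings_text=$2
    # A run-time dependency on libssl/libcrypto appears in ldd output.
    # Upgrading the library affects this binary, ABI permitting.
    if printf '%s\n' "$ldd_text" | grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
        return 0
    fi
    # Static libcrypto carries its version banner, so the binary keeps the
    # old code until it is relinked against the upgraded library.
    ver=$(printf '%s\n' "$strings_text" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z]*\) .*/\1/p' |
        head -n 1)
    if [ -n "$ver" ]; then
        echo "static $ver"
    else
        echo none
    fi
}

# check_binary PATH: run the real tools on one file and classify it.
check_binary() {
    classify_linkage "$(ldd "$1" 2>/dev/null)" "$(strings -a "$1" 2>/dev/null)"
}

# Constructed sample tool output, used only to exercise classify_linkage offline.
SAMPLE_LDD_DYNAMIC='libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7
libc.so.1 => /usr/lib/libc.so.1'
SAMPLE_LDD_PLAIN='libc.so.1 => /usr/lib/libc.so.1'
SAMPLE_STRINGS_STATIC='RSA part of OpenSSL 0.9.7b 10 Apr 2003
OpenSSL 0.9.7b 10 Apr 2003'

# Report each file named on the command line (no output when none are given).
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_binary "$f")"
done
```

A "static" result means the binary stays on the reported OpenSSL version until it is rebuilt; a "dynamic" result still needs the compatibility check against the new library that the reply above describes.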
