[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?

To: Honza Vlach <janus@xxxxxxxx>
Subject: Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?
From: "Bram Matthys (Syzop)" <syzop@xxxxxxxxxxxx>
Date: Mon, 22 Mar 2004 17:06:38 +0100

Honza Vlach wrote:

I have checked apache mod_ssl and php module, which are both dynamically linked to the libssl.so.0.9.7. The thing, that confuses me lot is, when I look on the phpinfo(), it says "OpenSSL version 0.9.7c", which it was compiled against.
Does this mean, that I'm still vulnerable, or it is just version
hardcoded to the binary, while the library itself was sucessfully
reloaded?


The latter...
The thing is that OPENSSL_VERSION_TEXT is used to display the
openssl version (AFAIK there's no alternative method):
    php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT);

OPENSSL_VERSION_TEXT is defined in one of the openssl header files
(opensslv.h) and is a string constant, thus compiled in.

So if ldd shows it's using that lib (you could even lsof it at runtime
to be sure) then you should be ok.

Bram Matthys.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] OpenSSL - dynamically linked binaries?
  - From: Honza Vlach

Prev by Date: Re: [Full-Disclosure] Re: pgp passphrase
Next by Date: RE: [Full-Disclosure] Telnet Sniff Problems
Previous by thread: Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?
Next by thread: Re: [Full-Disclosure] OpenSSL - dynamically linked binaries?
Index(es):
- Date
- Thread