lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <405F0F0E.7080402@vulnscan.org> From: syzop at vulnscan.org (Bram Matthys (Syzop)) Subject: OpenSSL - dynamically linked binaries? Honza Vlach wrote: > I have checked apache mod_ssl and php module, which are both dynamically > linked to the libssl.so.0.9.7. The thing, that confuses me lot is, when I > look on the phpinfo(), it says "OpenSSL version 0.9.7c", which it > was compiled against. > > Does this mean, that I'm still vulnerable, or it is just version > hardcoded to the binary, while the library itself was sucessfully > reloaded? The latter... The thing is that OPENSSL_VERSION_TEXT is used to display the openssl version (AFAIK there's no alternative method): php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT); OPENSSL_VERSION_TEXT is defined in one of the openssl header files (opensslv.h) and is a string constant, thus compiled in. So if ldd shows it's using that lib (you could even lsof it at runtime to be sure) then you should be ok. Bram Matthys.
Powered by blists - more mailing lists