lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <405F0F0E.7080402@vulnscan.org>
From: syzop at vulnscan.org (Bram Matthys (Syzop))
Subject: OpenSSL - dynamically linked binaries?

Honza Vlach wrote:
> I have checked apache mod_ssl and php module, which are both dynamically
> linked to the libssl.so.0.9.7. The thing, that confuses me lot is, when I
> look on the phpinfo(), it says "OpenSSL version 0.9.7c", which it
> was compiled against. 
> 
> Does this mean, that I'm still vulnerable, or it is just version
> hardcoded to the binary, while the library itself was sucessfully
> reloaded?

The latter...
The thing is that OPENSSL_VERSION_TEXT is used to display the
openssl version (AFAIK there's no alternative method):
     php_info_print_table_row(2, "OpenSSL Version", OPENSSL_VERSION_TEXT);

OPENSSL_VERSION_TEXT is defined in one of the openssl header files
(opensslv.h) and is a string constant, thus compiled in.

So if ldd shows it's using that lib (you could even lsof it at runtime
to be sure) then you should be ok.

	Bram Matthys.


Powered by blists - more mailing lists