I've got a security question. Say you have openssh that has openssl
compiled dynamically with it.  Running 'ldd /usr/sbin/sshd' on the
openssh binary I get: 
          libcrypto.so.4 => /lib/libcrypto.so.4 (0x40036000)
          [output shortened]
Now, /lib/libcrypto.so.4 is a soft link to some version of libcrypto.so
So, let's say it's linked to /lib/libcrypto.so.0.9.7x and after a few
months a vulnerability is discovered in version 0.9.7x. To fix the
security hole I compile and install the new openssl-0.9.7y which will
then include libcrypto.so.0.9.7y. I should just be able to move
libcrypto.so.0.9.7y into the /lib directory, link /lib/libcrypto.so.4 to
/lib/libcrypto.so.0.9.7y and restart openssh to fix that vulnerability,
correct? Assuming no upgrade is needed for openssh, I shouldn't have to
recompile that as well, right? Just its libraries?
Simply put, isn't the whole point and benefit of dynamically compiled
programs having the ability to just upgrade the libraries that they
depend upon?

Aaron Lopez
PerMedics, Inc. System Administrator
909.558.8155
[email protected]
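The restart in the question is the step people forget: a process that was running before the symlink was moved keeps the old libcrypto file mapped until it is restarted. The script below is an added example, not part of the original mail; it scans a /proc-style tree for processes whose mapped libcrypto is not the file the symlink now resolves to, and runs itself against a constructed sample tree with hypothetical pids.

```shell
#!/bin/sh
# Added example, not from the original mail. After re-pointing
# /lib/libcrypto.so.4 at a new libcrypto, a process that was not restarted
# keeps the OLD file mapped: /proc/<pid>/maps shows the real path it opened
# (plus "(deleted)" if that file was since removed), not the symlink name.
# stale_lib_users PROC_ROOT LIB_REGEX CURRENT
#   PROC_ROOT  directory laid out like /proc (use /proc on a live system)
#   LIB_REGEX  awk regex matched against the mapped path, e.g. libcrypto.so
#   CURRENT    resolved path the symlink now points to
# Prints "<pid> <path>" per process mapping another version; returns 1 if any.
stale_lib_users() {
    proc_root=$1; lib_regex=$2; current=$3; out=""
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$proc_root"/}; pid=${pid%/maps}
        # maps fields: address perms offset dev inode pathname [(deleted)]
        hits=$(awk -v re="$lib_regex" -v cur="$current" -v pid="$pid" \
            '$6 ~ re && $6 != cur { print pid, ($7 == "" ? $6 : $6 " " $7) }' \
            "$maps" | sort -u)
        [ -n "$hits" ] && out="$out$hits
"
    done
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed sample /proc tree (hypothetical pids): 101 is an sshd started
# before the upgrade, 202 one started after the symlink was moved.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    cat > "$root/101/maps" <<'EOF'
40036000-40100000 r-xp 00000000 03:01 12345 /lib/libcrypto.so.0.9.7x
40100000-40110000 rw-p 000ca000 03:01 12345 /lib/libcrypto.so.0.9.7x
EOF
    cat > "$root/202/maps" <<'EOF'
40036000-40100000 r-xp 00000000 03:01 12346 /lib/libcrypto.so.0.9.7y
EOF
    printf '%s' "$root"
}

# Live use: stale_lib_users /proc libcrypto.so "$(readlink -f /lib/libcrypto.so.4)"
sample=$(make_sample_proc)
stale_lib_users "$sample" libcrypto.so /lib/libcrypto.so.0.9.7y ||
    echo "^ still running with the old library: restart before trusting the fix"
rm -rf "$sample"
```

On the sample tree only pid 101 is reported; a clean result (nothing printed, exit 0) is what you want to see after restarting sshd and anything else that links libcrypto.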
