I've found it depends on both the program's linking and the libraries linked.
If the library, because of the security upgrade, has now changed some core functionality, then pretty much you have to rebuild anything linked to it. Usually said change will be very publicly noted in the READMEs so that other program authors ensure their program still works. BUT if the library hasn't changed the "API" which programs such as openssh depend on, you should be able to just upgrade in place. Usually library changes only occur in major revisions such as the jump from OpenSSL 0.9.6 to 0.9.7. YMMV; for me, if there is an exploit for OpenSSL I usually try to rebuild anything linked to it just on principle. I find this is more a product of my work in/with Solaris, since my experience with Solaris's dynamic library linking has been an exercise in pain.

- Brian

Aaron Lopez wrote:

> I've got a security question. Say you have openssh that has openssl
> compiled dynamically with it. Running 'ldd /usr/sbin/sshd' on the
> openssh binary I get:
>
>     libcrypto.so.4 => /lib/libcrypto.so.4 (0x40036000)
>     [output shortened]
>
> Now, /lib/libcrypto.so.4 is a soft link to some version of libcrypto.so.
> So, let's say it's linked to /lib/libcrypto.so.0.9.7x and after a few
> months a vulnerability is discovered in version 0.9.7x. To fix the
> security hole I compile and install the new openssl-0.9.7y which will
> then include libcrypto.so.0.9.7y. I should just be able to move
> libcrypto.so.0.9.7y into the /lib directory, link /lib/libcrypto.so.4 to
> /lib/libcrypto.so.0.9.7y and restart openssh to fix that vulnerability,
> correct? Assuming no upgrade is needed for openssh, I shouldn't have to
> recompile that as well, right? Just its libraries?
>
> Simply put, isn't the whole point and benefit of dynamically compiled
> programs having the ability to just upgrade libraries that they
> depend upon?
>
> Aaron Lopez
> PerMedics, Inc.
> System Administrator
> 909.558.8155
> [email protected]
>
> _______________________________________________
> 909linux mailing list
> [email protected]
> http://909linux.org/cgi-bin/mailman/listinfo/909linux
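The upgrade-in-place procedure discussed in this thread (repoint the libcrypto.so.4 soname link, restart the daemons) has two checks worth scripting around it. The shell below is an added example, not code from either poster or from the 909linux list: it resolves a dependency from `ldd` output, repoints the soname link atomically so there is never a moment when `libcrypto.so.4` does not exist, and scans `/proc/<pid>/maps`-style lines for processes that were started before the swap and are therefore still running code from the old, now-deleted file (the reason the restart step matters). The `ldd` and `maps` input shown is constructed to mirror the quoted output; on a real Linux box you would feed it `ldd /usr/sbin/sshd` and `cat /proc/*/maps` instead. The version strings 0.9.7x/0.9.7y and the file names are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: helpers for verifying a shared-library security upgrade.
# Assumes Linux-style ldd output and /proc/<pid>/maps formatting.

# Constructed ldd output, modelled on the snippet quoted in the post.
SAMPLE_LDD='    libcrypto.so.4 => /lib/libcrypto.so.4 (0x40036000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40100000)
    libc.so.6 => /lib/libc.so.6 (0x40120000)'

# Constructed /proc/<pid>/maps excerpt for a daemon started before the
# library file was replaced: the kernel appends "(deleted)" to a mapped
# file that has since been unlinked or renamed over.
SAMPLE_MAPS='40000000-40013000 r-xp 00000000 03:01 1234 /lib/ld-2.3.so
40036000-40100000 r-xp 00000000 03:01 5678 /lib/libcrypto.so.0.9.7x (deleted)
40120000-40200000 r-xp 00000000 03:01 9012 /lib/libc.so.6'

# resolve_dep NAME: read ldd output on stdin and print the path the
# dynamic linker resolved NAME to (the soname link, not the real file).
resolve_dep() {
    awk -v name="$1" '$1 == name && $2 == "=>" { print $3; exit }'
}

# stale_libs PATTERN: read maps lines on stdin and print mapped files
# matching PATTERN that the kernel reports as deleted, i.e. the process
# is still executing the replaced (vulnerable) copy and needs a restart.
stale_libs() {
    awk -v pat="$1" '$6 ~ pat && $7 == "(deleted)" { print $6 }'
}

# swap_symlink LINK TARGET: repoint LINK at TARGET atomically. Creating
# a temporary link and renaming it over the old one means a process that
# starts mid-upgrade never fails with "libcrypto.so.4: cannot open".
swap_symlink() {
    link="$1"; target="$2"
    ln -s "$target" "$link.tmp.$$" && mv -f "$link.tmp.$$" "$link"
}

# demo_swap: rehearse the soname-link swap from the thread in a scratch
# directory with empty placeholder files, and print the new link target.
demo_swap() {
    d=$(mktemp -d) || return 1
    touch "$d/libcrypto.so.0.9.7x" "$d/libcrypto.so.0.9.7y"
    ln -s libcrypto.so.0.9.7x "$d/libcrypto.so.4"
    swap_symlink "$d/libcrypto.so.4" libcrypto.so.0.9.7y
    readlink "$d/libcrypto.so.4"
    rm -rf "$d"
}

# Run the checks against the constructed samples.
printf '%s\n' "$SAMPLE_LDD" | resolve_dep libcrypto.so.4     # /lib/libcrypto.so.4
printf '%s\n' "$SAMPLE_MAPS" | stale_libs 'libcrypto'        # the deleted 0.9.7x copy
demo_swap                                                    # libcrypto.so.0.9.7y
```

After the real swap, `for m in /proc/[0-9]*/maps; do stale_libs libcrypto < "$m" && echo "$m"; done` lists every process that still needs restarting; an empty list is the condition under which the "just upgrade the library" reasoning in the thread actually holds. The in-place swap is only valid when the new file carries the same soname (`libcrypto.so.4` here), which `objdump -p libcrypto.so.0.9.7y | grep SONAME` confirms; a changed soname is the ABI break Brian describes and means rebuilding the dependents.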
