Alexandre Biancalana wrote: > $ grep -lr SSL_get_shared_ciphers /usr/src 2> /dev/null > /usr/src/crypto/openssl/apps/s_client.c > /usr/src/crypto/openssl/apps/s_server.c > /usr/src/crypto/openssl/doc/ssleay.txt > /usr/src/crypto/openssl/doc/ssl/ssl.pod > /usr/src/crypto/openssl/ssl/ssl.h > /usr/src/crypto/openssl/ssl/ssl_lib.c > /usr/src/crypto/openssl/util/ssleay.num > /usr/src/secure/lib/libssl/man/ssl.3 > > Doesn't revel much about what is affected by this bug.... Have someone made > some deeper analysis about what is affected ?
It doesn't look like anything in the base system uses this function, but I just zgrepped my /usr/ports/distfiles and found that mysql uses this if it is compiled with DBUG_OFF not defined. Assuming that you keep all of your ports distfiles, you can run $ zgrep -R SSL_get_shared_ciphers /usr/ports/distfiles and any applications which use said function will probably show up. But as for a deep analysis -- not that I'm aware of. We fixed this because there might be an application which used this function in a way which made this buffer overflow exploitable, not because we knew that such an application existed. Colin Percival FreeBSD Security Officer _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"