This whole thing got started when Tom Eastman posted that he had noticed that, even though he'd upgraded openssl, apache was reporting that the previous version of openssl was in use. This opened the can of worms. Recompiling apache doesn't help (if you're using apache-1.3.x, apache2 might be different since it includes mod_ssl), rather you need to rebuild mod_ssl, then restart apache. So I asked (and am still asking) how would one know to do that? There wasn't a GLSA for mod_ssl, nor does the mod_ssl site mention any vulnerabilities; the last version was released 18 July. I can find out all packages that use openssl via qpkg -I -q, but no one thinks that ALL of those packages need to be rebuilt. I'm trying to understand what constitutes best practices, for the next time a security update is released.
-jto

> -----Original Message-----
> From: Jeffrey Smelser [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 08, 2003 10:50 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gentoo-user] Upgrading OpenSSL
>
>
> Ok, That's great, it means all you need to do is restart and
> dependency packages, such as openssh, to reload the lib..
>
> That simple..
>
> right?
>
> Look at it this way... I upgraded mysql from 3x to 4x which
> was a LIB change. I ran revdep-rebuild and it recompiled a
> few perl apps, and mod_perl too, due to the fact the library
> changed. This openssl change DID NOT change the
> functionality, just probably a line or two in the code. It
> means that just reloading, say openssh, will now call the NEW
> lib with the security fix and still work just fine...Since
> the library is always called, there is no need to recompile..
>
> I am not positive on static links however. Theory suggests
> that a change should be detected, I just don't know how deep
> revdep-rebuild goes... I don't know of anything that uses
> openssl statically.. Do you? Most static apps usually ship
> with that static lib and it would have itself come out with a
> security alert, right? if YOU'RE linking things statically,
> then YOU should know these apps...
>
> BTW, I am not a know it all, this is how I understand it to
> be.. if I am wrong, please tell me as I am not a linux
> messiah here.. :)
> --
> [EMAIL PROTECTED] mailing list
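
An added example, not part of the thread or of any Gentoo tool: one way to answer "what has to be restarted after a library upgrade" on Linux is to look for processes that still map the old, now deleted, library file. It only covers dynamically loaded copies; a statically linked OpenSSL never shows up this way. The function names, sample paths and versions are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list shared libraries that were
# replaced on disk but are still mapped by a running process.

# stale_libs PATTERN  (reads /proc/<pid>/maps-format text on stdin)
# Prints each distinct path matching PATTERN (an awk regex) that the kernel
# has tagged "(deleted)", i.e. the old file is gone but still in memory.
# Paths containing spaces are not handled.
stale_libs() {
    awk -v pat="$1" '
        $NF == "(deleted)" && $6 ~ pat && !seen[$6]++ { print $6 }
    '
}

# scan_procs PATTERN: print "pid<TAB>command<TAB>library" for live processes.
# Run as root to see the maps of every process.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(stale_libs "$1" 2>/dev/null < "$maps") || continue
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || cmd='?'
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$cmd" "$lib"
        done
    done
}

# Constructed sample: maps of a hypothetical apache process after the
# OpenSSL files were replaced. Paths and versions are made up.
sample_maps() {
    cat <<'EOF'
08048000-080c9000 r-xp 00000000 08:03 524301 /usr/sbin/apache
40017000-40049000 r-xp 00000000 08:03 131094 /usr/lib/libssl.so.0.9.7 (deleted)
40049000-4004c000 rw-p 00031000 08:03 131094 /usr/lib/libssl.so.0.9.7 (deleted)
4004c000-40123000 r-xp 00000000 08:03 131090 /usr/lib/libcrypto.so.0.9.7 (deleted)
40123000-40240000 r-xp 00000000 08:03 131200 /lib/libc-2.3.2.so
bfffe000-c0000000 rw-p 00000000 00:00 0
EOF
}

# Live scan only on request: sh stale-libs.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_procs 'lib(ssl|crypto)'
fi
```

Any process listed by the live scan is still executing the pre-upgrade library code and needs a restart before the fix takes effect for it.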
