Joel Osburn wrote:
MAL:

When mod_ssl compiles, it statically links in openssl. That is, it makes a copy of the openssl library parts that it uses, and links it inside its own binary. I assume it does this so that it can function as an apache loadable module - maybe there's issues with a loadable module being dynamically linked elsewhere, who knows :)


But from Tom's report, it does indeed seem to be statically linked. In this (rare?) case, I agree that the GLSA should have pointed it out, or created a new revision of mod_ssl (how they would cause it to be emerged after the new openssl, I have no idea).


Right, so is there a way to tell if something is statically linked? I don't see a way to make qpkg do that, but perhaps some more traditional *nix tool does that.

No, only the README of the package in question, or common sense will tell you what to look out for. As I said before, if you're running a security conscious application, it's up to you in the end. Don't trust the tools.


Usually when a vulnerability is found in openssl, mod_ssl also issues an update and notice. Not this time, though, presumably because no changes were required in mod_ssl itself.

If it's statically linked, I don't think any changes to openssl will make any difference. I'd assume they just release a new version to make use of new features.


MAL
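On the question above of whether a tool can tell if a module carries its own copy of OpenSSL, here is a heuristic check as an added example, not from this thread or from any of the projects mentioned. It assumes POSIX sh plus a grep that accepts `-a` (GNU or BSD), and the sample files it scans are constructed, not real binaries.

```shell
#!/bin/sh
# Heuristic: a dynamically linked binary names libssl.so / libcrypto.so in
# its .dynstr table, so that string is present in the file. A statically
# linked one has no such reference, but OpenSSL's own version banner
# (e.g. "OpenSSL 0.9.7c 30 Sep 2003") is copied in along with the code.
# Caveat: a banner can also come from the compile-time OPENSSL_VERSION_TEXT
# macro, so "static" here means "verify by hand", not proof.

# Print the unique OpenSSL version strings found in a file, if any.
openssl_banner() {
    grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | sort -u
}

# Classify a file as dynamic / static / none with respect to OpenSSL.
# A shared-object reference wins over a banner, since a dynamically linked
# binary may still carry a compiled-in version string.
openssl_linkage() {
    if grep -a -q -E 'lib(ssl|crypto)\.so' "$1"; then
        echo dynamic
    elif [ -n "$(openssl_banner "$1")" ]; then
        echo static
    else
        echo none
    fi
}

# Constructed sample "binaries" (assumption: real files would be ELF objects
# such as a mod_ssl.so, passed by path to openssl_linkage).
demo_dir=$(mktemp -d)
printf 'junk\0libc.so.6\0libssl.so.0.9.7\0junk' > "$demo_dir/dynamic_mod"
printf 'junk\0OpenSSL 0.9.7c 30 Sep 2003\0junk' > "$demo_dir/static_mod"
for f in dynamic_mod static_mod; do
    printf '%s: %s (%s)\n' "$f" "$(openssl_linkage "$demo_dir/$f")" \
        "$(openssl_banner "$demo_dir/$f" | tr '\n' ' ')"
done
rm -rf "$demo_dir"
```

Where binutils is available, `readelf -d FILE | grep NEEDED` lists the shared libraries a module actually requests and is the authoritative version of the first test.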

