Willy,

I was using OpenSSL 1.0.2 with zlib 1.2.6, and there is a 1.2.8 which is ~14 months newer than 1.2.6. What version were you using?

-John

--
John Dyer
Sent with Airmail

On April 3, 2015 at 3:21:50 AM, Willy Tarreau ([email protected]) wrote:

On Thu, Apr 02, 2015 at 11:35:16PM +0200, Lukas Tribus wrote:
> >> Please provide the output of "haproxy -vv" of the 1.5.11 executable.
> >>
> >> I guess you have an ABI problem between openssl 1.0.1 and 1.0.2.
> >
> > I wonder if we are not seeing a case not covered by CVE-2015-0290 :
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0290
>
> And linking haproxy 1.5.11 against openssl 1.0.1 would bypass this new
> 1.0.2 feature for the time being. Likely that combination is safe.

FWIW, I recently saw openvpn crashing when built with openssl 1.0.2 and not with 1.0.1. I later found that it was also using an older liblzo and that 1.0.1 + recent lzo was OK, but I have not retried 1.0.2 with it yet. Thus I don't yet know if 1.0.2 was responsible for the crashes and I didn't have time to debug it nor retry yet.

In your case it's the same problem: two changes at once. I'd try with 1.0.1 first and only then upgrade to 1.0.2 if 1.0.1 proves to be safe.

Regards,
Willy

