Didier Wiroth <dwir...@gmail.com> writes:

> Hello,
> I'm not a developer but more of an openbsd hobbyist.
> I'm using current with current packages that are a few days old.
>
> I patched my openbsd servers and revoked all my ssl keys, generated
> new ones and changed every possible password.
> Even though, as far as I understood, you can't be sure credentials
> have not been read out of memory and your system has not been
> compromised at some point in the past.
> Anyway, I had a look at the following patch and was reading the comments:
> <http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig>
> and came across this line:
> "Also recompile any statically-linked binaries depending on it"
>
> F.ex. I use dovecot:
> # ldd `which dovecot`
> /usr/local/sbin/dovecot:
> Start            End              Type Open Ref GrpRef Name
> 000004f81c500000 000004f81c913000 exe  1    0   0      /usr/local/sbin/dovecot
> 000004fa2152c000 000004fa219f4000 rlib 0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
> 000004fa1d890000 000004fa1dd7d000 rlib 0    1   0      /usr/lib/libc.so.74.0
> 000004fa275a7000 000004fa27aa4000 rlib 0    1   0      /usr/local/lib/libiconv.so.6.0
> 000004fa2bb00000 000004fa2bb00000 rtld 0    1   0      /usr/libexec/ld.so
>
> The following library is not listed: /usr/lib/libssl.so.20.0
> So I guess ssl was statically compiled in the dovecot package/port, as
> dovecot supports ssl and I currently use it.

/usr/local/sbin/dovecot is not the listener facing the network.

ldd /usr/local/libexec/dovecot/imap-login

> Is it possible to track which ports or packages have statically
> compiled in ssl support?

I can't think of a reliable way to do this.  I doubt there are many
such ports.

> Do I need to recompile/rebuild the port with the patched libssl library?
> or better ... but slower:
> Do I need to recompile every port to be sure the bug can't be
> exploited on my openbsd systems?

Your call.  Note that dpb makes it easy.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
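
A heuristic check for the question raised in this thread, as an added example that is not part of either message: it flags executables that do not load libssl/libcrypto as shared objects but still contain an OpenSSL version banner. The function names and the banner pattern are assumptions of this example, and the result is a hint for deciding what to rebuild, not a reliable inventory.

```shell
#!/bin/sh
# Added example (heuristic, not from the thread).
# Assumption: OpenSSL object code linked into a binary carries a version
# banner such as "OpenSSL 1.0.1f 6 Jan 2014". Builds without the banner give
# false negatives; programs that only mention OpenSSL in a message give
# false positives.

# Print the first OpenSSL version banner found in file $1 (nothing if absent).
openssl_banner() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null |
        head -n 1
}

# Succeed if ldd lists libssl or libcrypto as a shared object of file $1.
uses_shared_libssl() {
    ldd "$1" 2>/dev/null | grep -E -q 'lib(ssl|crypto)\.so'
}

# Print one of: "shared", "embedded: <banner>", "none".
classify() {
    if uses_shared_libssl "$1"; then
        echo "shared"
        return 0
    fi
    banner=$(openssl_banner "$1") || true
    if [ -n "$banner" ]; then
        echo "embedded: $banner"
    else
        echo "none"
    fi
}

# Report every regular file under the given directories that looks like it
# embeds OpenSSL. Helper binaries matter: in the thread the network listener
# is libexec/dovecot/imap-login, not sbin/dovecot.
scan_dirs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        result=$(classify "$f")
        case $result in
            embedded:*) printf '%s\t%s\n' "$f" "$result" ;;
        esac
    done
}

# Usage: sh find-embedded-openssl.sh /usr/local/sbin /usr/local/libexec
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

A file reported as "shared" picks up the fix from the patched library; a file reported as "embedded" is a candidate for rebuilding against it.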
