On Sun, Feb 26, 2017 at 09:26:06AM +0300, Andrey Ponomarenko wrote:
> 31.01.2017, 10:21, "Nikos Mavrogiannopoulos":
> > On Fri, 2017-01-27 at 10:54 -0600, Benjamin Kaduk via openssl-dev
> > wrote:
> >> [moving from github to -dev]
> >>
> >> On 01/27/2017 07:36 AM, mattcaswell wrote:
> >> > 1.0.2 is the software version.
> >> > The numbers on the end of libssl.so.1.0.0 refer to the ABI version -
> >> > which is different. Software version 1.0.2 is a drop in replacement
> >> > for 1.0.1, which is a drop in replacement for 1.0.0 - hence they
> >> > all have the same ABI version.
> >> >
> >>
> >> There was some discussion about 1.0.1 being EoL on a FreeBSD list
> >> [0], and whether it would make sense to move to 1.0.2 on their stable
> >> branch, which led to someone making the claim that 1.0.2 has removed
> >> 4 symbols compared to 1.0.1, and thus is not strictly ABI compatible,
> >> linking to https://abi-laboratory.pro/tracker/timeline/openssl/ . If
> >> I start semi-randomly clicking around, I can find a page [1] that
> >> seems to claim the missing symbols are:
> >> ASN1_STRING_clear_free()
> >> ENGINE_load_rsax()
> >> SRP_user_pwd_free()
> >> SRP_VBASE_get1_by_user()

It's normal that you might see some symbols removed if you compare
something like 1.0.1t against 1.0.2, but it shouldn't when compared
to 1.0.2k.

CRYPTO_memcmp was added in 1.0.1d.

ASN1_STRING_clear_free was added in 1.0.1m and 1.0.2a.

In 1.0.1s and 1.0.2g the following were added (for CVE-2016-0798):
SRP_VBASE_get1_by_user;
SRP_user_pwd_free;

ENGINE_load_rsax seems to have been removed because it didn't
compile? That looks like the only symbol that has been removed,
and it probably shouldn't have.

Kurt
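
The comparison described in the reply above, as an added example that is not part of the original thread: a small Python check that diffs the exported symbols of two builds from `nm -D` output. The three listings are constructed to mirror what the message describes (they are not real `nm` output, and the addresses and `@@OPENSSL_1.0.0` version tags are assumptions); `exported_symbols` and `abi_diff` are hypothetical helper names.

```python
import re

# One defined symbol in `nm -D` output: address, type letter, name[@@version]
NM_LINE = re.compile(r"^[0-9a-fA-F]{8,16}\s+([A-Za-z])\s+(\S+)$")

def exported_symbols(nm_output):
    """Return exported function/data names with any version suffix stripped."""
    names = set()
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # undefined (U) entries carry no address; blanks are skipped too
        sym_type, name = m.groups()
        if sym_type in "TDBRWV":  # global text/data/bss/rodata and weak definitions
            names.add(name.split("@")[0])  # 'A' version-node entries are ignored
    return names

def abi_diff(old_nm, new_nm):
    """Return (removed, added) symbol lists going from the old build to the new."""
    old, new = exported_symbols(old_nm), exported_symbols(new_nm)
    return sorted(old - new), sorted(new - old)

# Constructed listings (not real nm output); symbol names are those in the thread.
LATE_1_0_1 = """\
0000000000000000 A OPENSSL_1.0.0
00000000000a1000 T ASN1_STRING_clear_free@@OPENSSL_1.0.0
00000000000a2000 T CRYPTO_memcmp@@OPENSSL_1.0.0
00000000000a3000 T ENGINE_load_rsax@@OPENSSL_1.0.0
00000000000a4000 T SRP_VBASE_get1_by_user@@OPENSSL_1.0.0
00000000000a5000 T SRP_user_pwd_free@@OPENSSL_1.0.0
                 U memcpy@GLIBC_2.14
"""
EARLY_1_0_2 = """\
0000000000000000 A OPENSSL_1.0.0
00000000000b2000 T CRYPTO_memcmp@@OPENSSL_1.0.0
"""
LATE_1_0_2 = """\
0000000000000000 A OPENSSL_1.0.0
00000000000c1000 T ASN1_STRING_clear_free@@OPENSSL_1.0.0
00000000000c2000 T CRYPTO_memcmp@@OPENSSL_1.0.0
00000000000c4000 T SRP_VBASE_get1_by_user@@OPENSSL_1.0.0
00000000000c5000 T SRP_user_pwd_free@@OPENSSL_1.0.0
"""

if __name__ == "__main__":
    for label, new in (("early 1.0.2", EARLY_1_0_2), ("late 1.0.2", LATE_1_0_2)):
        removed, added = abi_diff(LATE_1_0_1, new)
        print(f"late 1.0.1 -> {label}: removed={removed} added={added}")
```

Against real libraries, the input would be the output of `nm -D` run on each `libcrypto` build being compared.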