26.02.2017, 16:27, "Kurt Roeckx":
> On Sun, Feb 26, 2017 at 09:26:06AM +0300, Andrey Ponomarenko wrote:
>> 31.01.2017, 10:21, "Nikos Mavrogiannopoulos":
>> > On Fri, 2017-01-27 at 10:54 -0600, Benjamin Kaduk via openssl-dev
>> > wrote:
>> >> [moving from github to -dev]
>> >>
>> >> On 01/27/2017 07:36 AM, mattcaswell wrote:
>> >> > 1.0.2 is the software version.
>> >> > The numbers on the end of lbssl.so.1.0.0 refer to the ABI version -
>> >> > which is different. Software version 1.0.2 is a drop in replacement
>> >> > for 1.0.1, which is a drop in replacement for 1.0.0 - hence they
>> >> > all have the same ABI version.
>> >> >
>> >>
>> >> There was some discussion about 1.0.1 being EoL on a FreeBSD list
>> >> [0], and whether it would make sense to move to 1.0.2 on their stable
>> >> branch, which led to someone making the claim that 1.0.2 has removed
>> >> 4 symbols compared to 1.0.1, and thus is not strictly ABI compatible,
>> >> linking to https://abi-laboratory.pro/tracker/timeline/openssl/ . If
>> >> I start semi-randomly clicking around, I can find a page [1] that
>> >> seems to claim the missing symbols are:
>> >> ASN1_STRING_clear_free()
>> >> ENGINE_load_rsax()
>> >> SRP_user_pwd_free()
>> >> SRP_VBASE_get1_by_user()
>
> It's normal that you might see some symbols removed if you compare
> something like 1.0.1t against 1.0.2, but it shouldn't when compared
> to 1.0.2k.
>
> CRYPTO_memcmp was added in 1.0.1d.
>
> ASN1_STRING_clear_free was added in 1.0.1m and 1.0.2a
>
> In 1.0.1s and 1.0.2g the following were added (for CVE-2016-0798):
> SRP_VBASE_get1_by_user;
> SRP_user_pwd_free;
>
> ENGINE_load_rsax seems to have been removed because it didn't
> compile? That looks like the only symbol that has been removed,
> and it probably shouldn't have.
>
> Kurt
I found new ABI navigator reports to be very useful when checking for these symbols:
https://abi-laboratory.pro/index.php?view=navigator&selected=SRP_VBASE_get1_by_user#result
https://abi-laboratory.pro/index.php?view=navigator&selected=ASN1_STRING_clear_free#result
Thank you.
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev