October 2nd, 2003, 05:46 PM
Serious OpenSSL flaw
Check out OpenSSL Notification
OpenSSL, and therefore, maybe some of your programs that depend on OpenSSL for security (Apache, OpenSSH, etc. etc.) may also be vulnerable if they are linked statically.
This is a very serious problem, and I suggest downloading the newest source asap.
Check this out and update your machines.
I haven't found a published exploit yet, but I don't think that is a good idea to wait for it.
Anyway, happy compiling.
Remember, if you aren't using dynamic linked files, recompile any programs that use the SSL libraries.
If you are running a web server, update as soon as possible. It seems an obvious target, since it is protected, etc.
If you have questions on recompiling, if you are an RPM installer, just ask.
Here's the quick and dirty install method
sh-2.05b# mkdir /usr/local/src
sh-2.05b# cd /usr/local/src
sh-2.05b# wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
sh-2.05b# tar -xzvf openssl-0.9.7c.tar.gz
sh-2.05b# ln -s openssl-0.9.7c openssl
sh-2.05b# cd openssl
sh-2.05b# ./config --prefix=/usr/local/openssl
sh-2.05b# make depend
sh-2.05b# make install
sh-2.05b# vi /etc/ld.so.conf
* add /usr/local/openssl/lib to this file
* Then recompile all the other applications that use this.
If you are using RPM or binary installations, get the source for those programs and run
sh-2.05b# ./configure --help | less
in the directory you untar them into.
Read each option, and be sure to be consistent.
Most applications will figure out what you have and use that, but be SURE to point to the correct installation of OpenSSL.
This is usually ./configure --openssl=/usr/local/openssl ..other switches
You may need to recompile your other applications to use this.
No, I\'m not interested in developing a powerful brain. All I\'m after is just a mediocre brain, something like the president of American Telephone and Telegraph Company.
-- Alan Turing on the possibilities of a thinking