Bug#333349: openssl: Must either version symbols or conflict with ALL libraries linked to previous version
Package: openssl
Version: 0.9.8-2
Severity: critical
Justification: breaks unrelated software
OpenSSL does not version symbols. This means all applications that somehow
end up linked to both openssl 0.9.7 and 0.9.8 segfault or behave otherwise
erratically (which would be a critical bug by itself, as openssl is a
data privacy/authentication framework with severe consequences for overall
system security).
Therefore, ANY new ABI-introducing version of openssl has to conflict with
ALL **libraries** (not applications) that are linked against other openssl
versions. Not doing so is just hiding the mess for the users to find out as
segfaults. Transitions like this should be enforced by package
dependencies, always.
The whole deal is made even worse because some of the libraries linking to
openssl are used by PAM modules and/or nssswitch modules, and thus
dlopen()ed by a lot/potentially all applications in the system.
The conflicts are quite messy, but unless either symbol versioning or
another technique that avoids the symbol mess while linked is employed (weak
symbols might do it, I think -- but symbol versioning is much easier to
predict and understand), it is what must be done.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4-debian1+libata+bluesmoke+imq+lm85
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)
Versions of packages openssl depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libssl0.9.8 0.9.8-2 SSL shared libraries
openssl recommends no packages.
-- no debconf information
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: