
Bug#333349: openssl: Must either version symbols or conflict with ALL libraries linked to previous version

Package: openssl
Version: 0.9.8-2
Severity: critical
Justification: breaks unrelated software

OpenSSL does not version symbols.  This means all applications that somehow
end up linked to both openssl 0.9.7 and 0.9.8 segfault or behave otherwise
erratically (which would be a critical bug by itself, as openssl is a
data privacy/authentication framework with severe consequences for overall
system security).

Therefore, ANY new ABI-introducing version of openssl has to conflict with
ALL **libraries** (not applications) that are linked against other openssl
versions.  Not doing so is just hiding the mess for the users to find out as
segfaults.  Transitions like this should be enforced by package
dependencies, always.

The whole deal is made even worse because some of the libraries linking to
openssl are used by PAM modules and/or nsswitch modules, and thus
dlopen()ed by a lot/potentially all applications in the system.

The conflicts are quite messy, but unless either symbol versioning or
another technique that avoids the symbol mess while linked is employed (weak
symbols might do it, I think -- but symbol versioning is much easier to
predict and understand), it is what must be done.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)

Versions of packages openssl depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libssl0.9.8                   0.9.8-2    SSL shared libraries

openssl recommends no packages.

-- no debconf information

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
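
A defender's check for the condition this report describes, as an added example that is not part of the original message: it reads /proc/<pid>/maps text and reports any process that has two versions of libssl or libcrypto mapped at once. The function names, the sample maps content and the daemon name in it are constructed for illustration.

```python
import glob
import re
from collections import defaultdict

# Shared-object name at the end of a maps line: libssl.so.0.9.8 -> ("libssl", "0.9.8")
_SO_RE = re.compile(r"(?:^|/)(lib[^/\s]+?)\.so\.([0-9][\w.]*)(?: \(deleted\))?$")

# Constructed sample: a process linked to libssl 0.9.8 that also dlopen()ed an
# NSS module whose LDAP library still pulls in the 0.9.7 libraries.
SAMPLE_MAPS = """\
08048000-0804f000 r-xp 00000000 08:01 1001 /usr/sbin/exampled
b7a00000-b7a30000 r-xp 00000000 08:01 2001 /usr/lib/libssl.so.0.9.8
b7a30000-b7a34000 rw-p 00030000 08:01 2001 /usr/lib/libssl.so.0.9.8
b7b00000-b7c00000 r-xp 00000000 08:01 2002 /usr/lib/libcrypto.so.0.9.8
b7c40000-b7c48000 r-xp 00000000 08:01 2003 /lib/libnss_ldap.so.2
b7c50000-b7c80000 r-xp 00000000 08:01 2004 /usr/lib/libldap.so.2
b7d00000-b7d30000 r-xp 00000000 08:01 2005 /usr/lib/libssl.so.0.9.7
b7e00000-b7f00000 r-xp 00000000 08:01 2006 /usr/lib/libcrypto.so.0.9.7
b7f10000-b7f11000 rw-p 00000000 00:00 0
"""

def mapped_versions(maps_text):
    """Map library stem -> set of versions seen in /proc/<pid>/maps text."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # sixth field is the path, if any
        m = _SO_RE.search(fields[5].strip()) if len(fields) == 6 else None
        if m:
            found[m.group(1)].add(m.group(2))
    return dict(found)

def conflicting_libs(maps_text, stems=("libssl", "libcrypto")):
    """Return {stem: sorted versions} for watched libraries mapped more than once."""
    seen = mapped_versions(maps_text)
    return {s: sorted(v) for s, v in seen.items() if s in stems and len(v) > 1}

def scan_proc():
    """Yield (pid, conflicts) for each readable live process with a conflict."""
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                hits = conflicting_libs(fh.read())
        except OSError:
            continue  # process exited, or its maps file is not readable
        if hits:
            yield path.split("/")[2], hits

if __name__ == "__main__":
    print(conflicting_libs(SAMPLE_MAPS), dict(scan_proc()))
```

Run as root to cover every process; an unprivileged run only sees the caller's own processes.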
