
Re: DSA-288 - a question



porridge@debian.org said:
> DSA 288 [0] says:
> 
> ]  You will have to decide whether you want the security update which is
> ]  not thread-safe and recompile all applications that apparently fail
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ]  after the upgrade, [...]
> 
> Does that mean that installing 0.9.6c-2.woody.3 and then recompiling
> e.g. stunnel against it will make it work fine even though openssl won't
> be thread-safe?

The DSA implies that, but I don't think it's correct.

> If so, can anyone explain how recompiling an application can help?
> (There are no differences in the library interface between
> openssl-0.9.6c-2.woody.2 and openssl-0.9.6c-2.woody.3)

You're right. If a threaded app is broken after an upgrade to -2.woody.3
then recompiling won't help.

> If not, then what does it refer to, and is there any way to make
> threaded apps work with openssl 0.9.6c-2.woody.3?

You can make a threaded ssl app safe again by using openssl
0.9.6c-2.woody.4. At the end of DSA 288 are some links to
http://master.debian.org/~joey/NMU/, where there's both a patch that
converts the -2.woody.3 source package to .4 and the actual source
package with the patch applied.

So get the .4 sources, or apply the patch to the .3 sources, then
compile your own libssl-dev -woody.4 package. Install that, then
recompile any threaded ssl apps you have.

Jason


