
Re: problems with libssl security update



On Thu, Nov 10, 2005 at 12:35:22PM -0800, alex black wrote:
> hi all,
> 
> I'm running a locally patched version of libsasl2, look here:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328879
> 
> to see why. (basically, once you compile libsasl2 --with-authdaemond, 
> authentication with virtual mail users works perfectly and the whole 
> system w/postfix and courier becomes easy to set up and maintain)... 
> until now:
> 
> The libssl security update b0rked TLS on my mail server: courier can't 
> speak pop3 ssl or imap ssl, and postfix can't speak TLS.

Could you please specify which version of libssl we're talking
about?  Is this libssl0.9.7, libssl0.9.8, and what version?  Or
maybe some older version?

There have been bugs in libssl0.9.8, but then I have to wonder
how this "security update" affects this.  If it is a security
update, it's most likely about libssl0.9.7, and there are no
known problems with it having that effect.

The latest version of libssl0.9.8 in testing should fix all known
bugs with it.  But it also triggers bugs in other packages that
don't properly call SSL_library_init() or equivalent.

It seems that cyrus-sasl2 does not call any of those functions,
so I suggest you look at that.


Kurt
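
Added example (not part of the original message, and not Debian or OpenSSL tooling): a shell helper that reads `nm -D --undefined-only` output for a binary or shared object and reports whether it imports OpenSSL symbols without importing any of the 0.9.x initialisation functions the reply above refers to. The names `openssl_init_check` and `check_file` and the sample listings are constructed for illustration; the result is a heuristic, because a library may rely on the calling application to initialise OpenSSL.

```shell
#!/bin/sh
# Classify one object from its `nm -D --undefined-only` listing (stdin).
# Prints: no-openssl | init-present | init-missing
openssl_init_check() {
    awk '
        {
            sym = $NF                 # symbol name is the last column
            sub(/@.*/, "", sym)       # drop any @VERSION suffix
            # Initialisation entry points exported by the 0.9.x libraries
            if (sym ~ /^(SSL_library_init|OPENSSL_add_all_algorithms_(conf|noconf)|OpenSSL_add_all_(ciphers|digests))$/)
                init = 1
            # Any other import from the SSL/crypto API families
            else if (sym ~ /^(SSL|EVP|HMAC|X509)_/)
                uses = 1
        }
        END {
            if (!uses && !init) print "no-openssl"
            else if (init)      print "init-present"
            else                print "init-missing"
        }'
}

# Run the check against a real file (path is supplied by the reader).
check_file() {
    nm -D --undefined-only "$1" 2>/dev/null | openssl_init_check
}

# Constructed sample listings, not taken from any real package.
SAMPLE_MISSING='                 U EVP_DigestInit
                 U EVP_get_digestbyname
                 U malloc@GLIBC_2.0'
SAMPLE_OK='                 U SSL_CTX_new
                 U SSL_library_init
                 U SSL_load_error_strings'

# Usage: sh script.sh /path/to/object [...]
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_file "$f")"
done
```

An `init-missing` result marks an object worth reading the source of, not a confirmed bug.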


