On Wed, Jul 31, 2002 at 01:59:09PM +0200, Ralph Angenendt wrote:
Roman Drahtmueller wrote:
Content of this advisory: 1) security vulnerability resolved: openssl problem description, discussion, solution and upgrade information
Just one question: We still use SuSE EmailServer-2 which uses sslwrap to enable imaps and pop3s on the server. sslwrap doesn't seem to be dynamically linked to OpenSSL:
ldd /usr/sbin/sslwrap libc.so.6 => /lib/libc.so.6 (0x40018000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Is this a statically linked binary or does sslwrap use its own SSL-Code, meaning that it's not vulnerable?
sslwrap uses OpenSSL. In fact, if there is no other packet with the same name around, sslwrap is an old software based on the OpenSSL "s_server" functionality. (I don't know when it forked off, it may even be that the library was named SSLeay at that time). It should therefore be considered to be vulnerable. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus