What's wrong? Or: How to close this hole?
To the SuSE-Security-Team:
Thanks for Cc: security@suse.de. Good idea.
SuSE 7.1:
# rpm -qf /usr/sbin/sendmail
sendmail-tls-8.11.2-36
# ldd /usr/sbin/sendmail
        libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
        libdb.so.2 => /lib/libdb.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
        libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
        libc.so.6 => /lib/libc.so.6 (0x40060000)
        libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
        libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
(no libssl or libcrypto here -> openssl hardlinked!)
statically linked, yes.
I just had a brief talk with the maintainer of the SuSE sendmail-tls
package a few doors down the hallway. He said that he regrets that
sendmail-tls is statically linked, but it was a requirement from a time
long ago, imposed by a customer. So I guess that customer is to blame.
Olaf will send out an announcement in a few minutes that should clarify
the missing snippets in the puzzle for everybody. In fact, more packages
other than just the openssl packages need to be updated in some rare
cases.
Stand by.
Roman.
--
| Roman Drahtmüller
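The point of the exchange above is that ldd only reports dynamically linked libraries, so a binary with OpenSSL linked in statically shows no libssl/libcrypto dependency and is not fixed by updating the openssl package alone. The script below is an added example, not part of the original thread or of any SuSE tooling: it classifies a binary as "dynamic" (ldd shows libssl/libcrypto), "static-suspect" (no dynamic dependency, but the file body contains an "OpenSSL x.y.z" version banner, which a static link normally leaves behind), or "none". It assumes ldd and a grep that accepts -a are available; the banner search is a heuristic, so a binary without the banner is not proven clean, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example: find executables that embed OpenSSL statically and so
# need their own package update, not just a new openssl package.

# Does ldd list libssl or libcrypto as a dynamic dependency?
# (Assumption: ldd is present; on a non-ELF file it simply reports nothing.)
links_openssl_dynamically() {
    ldd "$1" 2>/dev/null | grep -Eq 'lib(ssl|crypto)\.so'
}

# Does the file body carry an OpenSSL version banner? A statically linked
# libssl/libcrypto leaves the "OpenSSL x.y.z ..." string inside the binary.
# Heuristic only: absence of the banner does not prove the binary is clean.
has_embedded_openssl_banner() {
    grep -aEq 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# Prints one of: dynamic | static-suspect | none
classify_openssl_usage() {
    f="$1"
    if links_openssl_dynamically "$f"; then
        echo dynamic
    elif has_embedded_openssl_banner "$f"; then
        echo static-suspect
    else
        echo none
    fi
}

# Walk the given directories and report every executable that looks like a
# static OpenSSL consumer; these are the packages to check for updates.
scan_for_static_openssl() {
    for d in "$@"; do
        find "$d" -type f -perm -100 2>/dev/null | while read -r f; do
            case "$(classify_openssl_usage "$f")" in
                static-suspect)
                    echo "$f: embeds an OpenSSL banner but does not link libssl/libcrypto dynamically"
                    ;;
            esac
        done
    done
}

# Usage: ./find-static-openssl.sh /usr/sbin /usr/bin /usr/lib
if [ $# -gt 0 ]; then
    scan_for_static_openssl "$@"
fi
```

On the system described in the thread, /usr/sbin/sendmail from sendmail-tls-8.11.2-36 would be reported as static-suspect, while a sendmail that pulls in libssl.so through ldd would be reported as dynamic and is covered by the openssl package update.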