Mailinglist Archive: opensuse-security (375 mails)

Re: Package sendmail-tls with openssl vulnerability?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Thu, 19 Sep 2002 18:17:20 +0200 (MEST)
  • Message-id: <Pine.LNX.4.44.0209191804500.28320-100000@xxxxxxxxxxxx>
> > What's wrong? Or: How to close this hole?
>
> To the SuSE-Security-Team:

Thanks for Cc: security@xxxxxxxx. Good idea.

> SuSE 7.1:
>
> # rpm -qf /usr/sbin/sendmail
> sendmail-tls-8.11.2-36
>
> # ldd /usr/sbin/sendmail
> libdl.so.2 => /lib/libdl.so.2 (0x4001d000)
> libdb.so.2 => /lib/libdb.so.2 (0x40020000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x4002e000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x40044000)
> libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40055000)
> libc.so.6 => /lib/libc.so.6 (0x40060000)
> libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40173000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017a000)
> libpam.so.0 => /lib/libpam.so.0 (0x401a9000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> (no libssl or libcrypto here -> openssl hardlinked!)

statically linked, yes.

I just had a brief talk with the maintainer of the SuSE sendmail-tls
package a few doors down the hallway. He said that he regrets that
sendmail-tls is statically linked, but it was a requirement from a time
long ago, imposed by a customer. So I guess that customer is to blame.

Olaf will send out an announcement in a few minutes that should clarify
the missing snippets in the puzzle for everybody. In fact, more packages
other than just the openssl packages need to be updated in some rare
cases.

Stand by.

Roman.
--
Roman Drahtmüller <draht@xxxxxxx>
SuSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
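
The check behind the quoted `ldd` output, as an added example that is not part of the original mail or of any SuSE tooling: it reports whether a binary picks up OpenSSL from the shared libraries (fixed by updating the openssl package) or carries its own statically linked copy (the package itself must be rebuilt). The function names are assumptions of this example, and the match on the version banner that libcrypto embeds is a heuristic.

```shell
#!/bin/sh
# Added example: classify how a binary is linked against OpenSSL.

# Print each distinct OpenSSL version banner found in the file's raw bytes.
# libcrypto embeds a banner of the form "OpenSSL 0.9.6g 9 Aug 2002".
embedded_openssl_banners() {
    LC_ALL=C grep -a -o -E \
        'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*( +[0-9]{1,2} [A-Z][a-z]{2} [0-9]{4})?' \
        "$1" | sort -u
}

# classify_openssl_linkage FILE DEPENDENCY_LIST
#   dynamic: libssl/libcrypto are listed as shared-library dependencies
#   static:  no such dependency, but an OpenSSL banner sits inside the binary
#   none:    neither was found
classify_openssl_linkage() {
    if printf '%s\n' "$2" | grep -E -q 'lib(ssl|crypto)\.so'; then
        echo dynamic
    elif [ -n "$(embedded_openssl_banners "$1")" ]; then
        echo static
    else
        echo none
    fi
}

# Report on every binary named on the command line, for example:
#   sh check-openssl-linkage.sh /usr/sbin/sendmail
# Run ldd only on binaries you trust; "objdump -p" lists the NEEDED entries
# without loading the file.
report_binaries() {
    for bin in "$@"; do
        deps=$(ldd "$bin" 2>/dev/null)
        printf '%s: %s\n' "$bin" "$(classify_openssl_linkage "$bin" "$deps")"
        embedded_openssl_banners "$bin" | sed 's/^/    /'
    done
}

report_binaries "$@"
```

A "static" result means the embedded banner shows which OpenSSL release was compiled in, so it can be compared against the fixed version named in the vendor advisory.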


