I see... ;) Hmm, I am going to have to go home tonight and look into this.. revdep IS supposed to detect this. Or is this one that's static??

Static, like I said, is where I am not sure of.. and I don't use mod_ssl at home so I would have to install this.. Anyone know?

> -----Original Message-----
> From: Joel Osburn [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 08, 2003 1:04 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [gentoo-user] Upgrading OpenSSL
>
> This whole thing got started when Tom Eastman posted that he had noticed that, even though he'd upgraded openssl, apache was reporting that the previous version of openssl was in use. This opened the can of worms. Recompiling apache doesn't help (if you're using apache-1.3.x, apache2 might be different since it includes mod_ssl), rather you need to rebuild mod_ssl, then restart apache. So I asked (and am still asking) how would one know to do that? There wasn't a GLSA for mod_ssl, nor does the mod_ssl site mention any vulnerabilities; the last version was released 18 July. I can find out all packages that use openssl via qpkg -I -q, but no one thinks that ALL of those packages need to be rebuilt. I'm trying to understand what constitutes best practices, for the next time a security update is released.
>
> -jto
>
> > -----Original Message-----
> > From: Jeffrey Smelser [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 08, 2003 10:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [gentoo-user] Upgrading OpenSSL
> >
> > Ok, That's great, it means all you need to do is restart and dependency packages, such as openssh, to reload the lib..
> >
> > That simple..
> >
> > right?
> >
> > Look at it this way... I upgraded mysql from 3x to 4x which was a LIB change. I ran revdep-rebuild and it recompiled a few perl apps, and mod_perl too, due to the fact the library changed. This openssl change DID NOT change the functionality, just probably a line or two in the code. It means that just reloading, say openssh, will now call the NEW lib with the security fix and still work just fine... Since the library is always called, there is no need to recompile..
> >
> > I am not positive on static links however. Theory suggests that a change should be detected, I just don't know how deep revdep-rebuild goes... I don't know of anything that uses openssl statically.. Do you? Most static apps usually ship with that static lib and it would itself have come out with a security alert, right? If YOU'RE linking things statically, then YOU should know these apps...
> >
> > BTW, I am not a know-it-all, this is how I understand it to be.. if I am wrong, please tell me as I am not a linux messiah here.. :)
>
> --
> [EMAIL PROTECTED] mailing list

--
[EMAIL PROTECTED] mailing list
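
One way to tell apart the two cases this thread discusses (a restart is enough versus a rebuild is needed), as an added example that is not from any of the posters. The function names, sample paths and the banner version `0.0.0x` are constructed for illustration; it assumes a Linux `/proc/<pid>/maps` listing and a `grep` that supports `-a`.

```shell
#!/bin/sh
# Added example: after a libssl upgrade, is a restart enough or is a rebuild needed?

# needs_restart MAPS_FILE
# MAPS_FILE has the format of /proc/<pid>/maps. Succeeds when the process still
# maps a libssl/libcrypto file that has since been replaced on disk; the kernel
# marks such mappings "(deleted)".
needs_restart() {
    grep -Eq '/lib(ssl|crypto)[^/ ]*\.so[^/ ]* \(deleted\)$' "$1"
}

# embeds_openssl FILE
# Succeeds when FILE itself contains an OpenSSL version banner
# ("OpenSSL <version> <day> <Mon> <year>"), as a statically linked copy does.
embeds_openssl() {
    LC_ALL=C grep -aEq 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]* +[0-9]+ [A-Z][a-z]{2} [0-9]{4}' "$1"
}

# advise MAPS_FILE BINARY -> prints rebuild, restart or ok
advise() {
    if embeds_openssl "$2"; then
        echo rebuild   # private copy of the library: a restart changes nothing
    elif needs_restart "$1"; then
        echo restart   # shared library: the old copy is only still in memory
    else
        echo ok
    fi
}

# make_samples DIR: write constructed inputs (not taken from a real system).
make_samples() {
    printf '%s\n' \
      '08048000-08090000 r-xp 00000000 03:01 1111 /usr/sbin/daemon' \
      '40020000-40050000 r-xp 00000000 03:01 2222 /usr/lib/libssl.so.0 (deleted)' \
      > "$1/maps.stale"
    printf '%s\n' \
      '08048000-08090000 r-xp 00000000 03:01 1111 /usr/sbin/daemon' \
      '40020000-40050000 r-xp 00000000 03:01 3333 /usr/lib/libssl.so.0' \
      > "$1/maps.fresh"
    printf '\177ELF\001\001 code OpenSSL 0.0.0x 1 Jan 2000\000 more' > "$1/bin.static"
    printf '\177ELF\001\001 code with no banner\000 more' > "$1/bin.dynamic"
}
```

On a live system the call would look like `advise /proc/<pid>/maps /path/to/binary-or-module`. Point `embeds_openssl` at the application or module, not at the shared OpenSSL library itself, which always carries the banner.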