MAL:
> When mod_ssl compiles, it statically links in openssl. That is, it makes
> a copy of the openssl library parts that it uses, and links it inside
> its own binary. I assume it does this so that it can function as an
> apache loadable module - maybe there are issues with loadable modules
> being dynamically linked elsewhere, who knows :)
>
> But from Tom's report, it does indeed seem to be statically linked.
> In this (rare?) case, I agree that the GLSA should have pointed it out,
> or created a new revision of mod_ssl, (how they would cause it to be
> emerged after the new openssl, I have no idea).

Right, so is there a way to tell if something is statically linked? I don't see a way to make qpkg do that, but perhaps some more traditional *nix tool does that.

Usually when a vulnerability is found in openssl, mod_ssl also issues an update and notice. Not this time, though, presumably because no changes were required in mod_ssl itself.

-jto
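
One way to check for the situation discussed in this thread, as an added example that is not part of the original messages: a heuristic scan that flags ELF files carrying an OpenSSL version banner without naming `libssl.so`/`libcrypto.so` as a shared dependency. The function names, regexes, verdict labels and sample bytes are assumptions made for illustration; the verdicts are indicators to follow up on, not proof.

```python
import re
import sys
from pathlib import Path

# Version banner compiled into libcrypto, e.g. "OpenSSL 0.9.7d 17 Mar 2004".
BANNER = re.compile(
    rb"OpenSSL \d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")
# Shared-library names a dynamically linked consumer records as
# NUL-terminated strings in its dynamic string table.
SONAME = re.compile(rb"lib(?:ssl|crypto)\.so[0-9.]*\x00")

# Constructed sample bytes (not real binaries) showing the two cases.
SAMPLE_EMBEDDED = b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 0.9.7d 17 Mar 2004\x00"
SAMPLE_DYNAMIC = b"\x7fELF" + b"\x00libssl.so.0.9.7\x00libc.so.6\x00"

def classify(blob):
    """Return (verdict, banners) for the raw bytes of one binary."""
    banners = sorted({m.decode() for m in BANNER.findall(blob)})
    if SONAME.search(blob):
        return "dynamic", banners        # picks up the system OpenSSL
    if banners:
        return "embedded-copy", banners  # likely carries its own copy
    return "no-openssl", banners

def scan(root):
    """Classify every ELF file under root; non-ELF files are skipped."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue                     # unreadable file, ignore
        if data[:4] == b"\x7fELF":
            results[str(path)] = classify(data)
    return results

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (verdict, banners) in sorted(scan(root).items()):
        if verdict == "embedded-copy":
            # These need a rebuild after the library itself is patched.
            print(path, ", ".join(banners))
```

A module flagged `embedded-copy` reports the version it was built against, so an outdated banner after an OpenSSL upgrade means that module still needs rebuilding. `readelf -d` or `ldd` on the same file confirms whether the library is listed as a shared dependency.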