Hello,
I'm not a developer but more of an OpenBSD hobbyist.
I'm using current with current packages that are a few days old.

I patched my OpenBSD servers and revoked all my SSL keys, generated
new ones and changed every possible password.
Even so, as far as I understand, you can't be sure that credentials
have not been read out of memory and that your system has not been
compromised at some point in the past.
Anyway, I had a look at the following patch and was reading the comments:
<http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig>
and came across this line:
"Also recompile any statically-linked binaries depending on it"

For example, I use dovecot:
# ldd `which dovecot`
/usr/local/sbin/dovecot:
Start            End              Type Open Ref GrpRef Name
000004f81c500000 000004f81c913000 exe  1    0   0      /usr/local/sbin/dovecot
000004fa2152c000 000004fa219f4000 rlib 0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
000004fa1d890000 000004fa1dd7d000 rlib 0    1   0      /usr/lib/libc.so.74.0
000004fa275a7000 000004fa27aa4000 rlib 0    1   0      /usr/local/lib/libiconv.so.6.0
000004fa2bb00000 000004fa2bb00000 rtld 0    1   0      /usr/libexec/ld.so

The following library is not listed: /usr/lib/libssl.so.20.0
So I guess ssl was statically compiled in the dovecot package/port, as
dovecot supports ssl and I currently use it.

Is it possible to track which ports or packages have statically
compiled in ssl support?

Do I need to recompile/rebuild the port with the patched libssl library?
Or better ... but slower:
Do I need to recompile every port to be sure the bug can't be
exploited on my OpenBSD systems?

Thank you very much!
Kind regards,
Didier
