[LON-CAPA-admin] Re: [LON-CAPA-dev] Fwd: [suse-security-announce] OpenSSH Vulnerability

Martin Siegert siegert at sfu.ca
Wed Jul 3 16:54:58 EDT 2002


On Wed, Jul 03, 2002 at 04:32:48PM -0400, Guy Albertelli II wrote:
> Hi Martin
> 
> > > The big problem is RedHat 6.2:
> > > openssh-3.3p1 requires openssl-0.9.6 or later. RedHat 6.2 uses
> > > openssl-0.9.5a. The only option I see right now is to upgrade openssl
> > > (e.g., by recompiling a RedHat 7.x src rpm). However, openssl is used
> > > by apache and others. Has anybody tried to run apache under RedHat 6.2
> > > with openssl-0.9.6 or later? Does it break everything? Is there somewhere
> > > a development/test LON-CAPA box running RH6.2 where this could be tested?
> > 
> > Yes I have 2 rh6.2 boxes I can test this out on. I will try it out
> > tomorrow.
> 
> As far as I can tell a standard apache install under RedHat 6.2
> doesn't care what version of openssl is installed.
> 
> I was able to upgrade the openssl to 0.9.6 and apache worked fine.
> 
> However I needed to downgrade back to openssl-0.9.5.a to run your patched ssh
> server on the machine, and the standard RH ssh servers won't install
> due to the dependency on the newer libc

Yes, as soon as I saw how small the actual patch was that the openssh team
provided I decided that it is actually easier to patch the openssh-2.9
version than to try to upgrade openssl without knowing what might break.
On RH 6.2 (dalton):

# rpm -e --test openssl
error: removing these packages would break dependencies:
	openssl is needed by libpcap-0.6.2-11.6.2.0
	libcrypto.so.0 is needed by python-1.5.2-27.6.x
	libcrypto.so.0 is needed by slrn-0.9.6.4-0.6
	libcrypto.so.0 is needed by snort-1.7-1
	libcrypto.so.0   is needed by mutt-1.2.5.1-0.6
	libcrypto.so.0   is needed by pine-4.44-1.62.0
	libcrypto.so.0   is needed by fetchmail-5.9.0-9
	libcrypto.so.0   is needed by tcpdump-3.6.2-11.6.2.0
	libcrypto.so.0   is needed by openssh-2.9p2-14.6.x
	libcrypto.so.0   is needed by openssh-clients-2.9p2-14.6.x
	libcrypto.so.0   is needed by openssh-server-2.9p2-14.6.x
	libssl.so.0 is needed by python-1.5.2-27.6.x
	libssl.so.0 is needed by slrn-0.9.6.4-0.6
	libssl.so.0 is needed by snort-1.7-1
	libssl.so.0   is needed by mutt-1.2.5.1-0.6
	libssl.so.0   is needed by pine-4.44-1.62.0
	libssl.so.0   is needed by fetchmail-5.9.0-9

Strangely enough apache does not appear at all! Inquiring a little bit more:

# rpm -qR apache
/etc/mime.types  
/sbin/chkconfig  
/bin/mktemp  
/bin/rm  
mailcap  
grep  
textutils  
/bin/sh  
/bin/sh  
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
ld-linux.so.2  
libcrypt.so.1  
libc.so.6  
libdb.so.3  
libdl.so.2  
libm.so.6  
/bin/sh  
/usr/bin/perl  
libcrypt.so.1(GLIBC_2.0)  
libc.so.6(GLIBC_2.0)  
libc.so.6(GLIBC_2.1)  
libdl.so.2(GLIBC_2.0)  
libdl.so.2(GLIBC_2.1)  
libm.so.6(GLIBC_2.0)

and

# rpm -qf /lib/libcrypt.so.1 
glibc-2.1.3-23

Thus it seems that apache does not even use openssl?? I did not know this.
Anyway - it just looked easier to patch than to upgrade openssl.
There also is a large patch required in order to use openssh-3.4p1 for
2.2 kernels (which you can pull out of the Mandrake src.rpm that they released
yesterday). All of that does not seem to be worth the effort.
Sorry for causing you to go through the pain of upgrading/downgrading
openssl.

Cheers,
Martin
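A scripted form of the reverse-dependency check discussed in this message, added here as an example and not part of the original thread: it parses the text that `rpm -e --test <pkg>` prints (the sample below is constructed from the output quoted above, shortened), lists the unique dependent packages, and reports whether a named package such as apache is among them. The function names are my own.

```shell
# Constructed sample of what `rpm -e --test openssl` printed on the RH 6.2
# box above (a subset of the lines; the real output is longer).
RPM_TEST_OUTPUT='error: removing these packages would break dependencies:
	openssl is needed by libpcap-0.6.2-11.6.2.0
	libcrypto.so.0 is needed by python-1.5.2-27.6.x
	libcrypto.so.0   is needed by openssh-server-2.9p2-14.6.x
	libssl.so.0 is needed by python-1.5.2-27.6.x
	libssl.so.0   is needed by mutt-1.2.5.1-0.6'

# Print each dependent package (name-version-release) once, sorted.
# Each dependency line ends with "is needed by <nvr>"; everything before
# that is the provided capability (a soname or the package name).
dependents() {
    printf '%s\n' "$RPM_TEST_OUTPUT" | sed -n 's/.* is needed by //p' | sort -u
}

# Strip the trailing "-version-release" from an NVR to get the bare name,
# e.g. openssh-server-2.9p2-14.6.x -> openssh-server.
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Exit 0 if the package named $1 would be broken by the removal, else 1.
depends_on_removed() {
    dependents | while IFS= read -r nvr; do
        pkg_name "$nvr"
    done | grep -qx -- "$1"
}

# Usage: answer the question asked in the thread for apache and for sshd.
for p in apache openssh-server; do
    if depends_on_removed "$p"; then
        echo "$p depends on the package being replaced"
    else
        echo "$p does not appear among the dependents"
    fi
done
```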
