mismatch against version of openssl, letter version brokenness

Phil Howard phil-openssh-unix-dev at ipal.net
Sun May 26 06:13:43 EST 2002


What risk exists in changing the check for the matching version of
openssl so that the final letter part of the version (e.g. 0.9.6c
vs. 0.9.6d) is ignored?  Are there any security vulnerabilities in
such a thing?  What if ssh(d) is linked against an older _letter_
version such as 0.9.6c and now finds the library is 0.9.6d?  Is
there a security risk in that?  Surely a major API change would not
happen between version c and version d, would it?

My concern here is that openssl's versioning scheme is broken, and
depending on it causes problems.  For example, I cannot concurrently
have separate executables with some linked to 0.9.6c and some linked
to 0.9.6d and expect them to get the correct library, because the
library itself cannot have concurrent versions installed (hence why
I say it is broken).

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
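Added example, not the poster's or OpenSSH's code: a C sketch of the strict header-vs-library comparison the question refers to, beside the relaxed form that ignores the patch letter, using OpenSSL's 0xMNNFFPPS version-number encoding (0.9.6c is 0x0090603f). The VER_* constants are constructed sample values, not taken from any real build.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* OpenSSL (pre-3.0) encodes its version as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (00 = none, 01 = 'a', ...),
 * S = status (0 = dev, 1..e = beta, f = release).  0.9.6c is 0x0090603fL. */
typedef unsigned long ossl_ver_t;

#define OSSL_MAJOR(v)  (((v) >> 28) & 0xf)
#define OSSL_MINOR(v)  (((v) >> 20) & 0xff)
#define OSSL_FIX(v)    (((v) >> 12) & 0xff)
#define OSSL_PATCH(v)  (((v) >> 4) & 0xff)
#define OSSL_STATUS(v) ((v) & 0xf)

/* Constructed sample values in the same encoding (hypothetical, for the demo). */
#define VER_0_9_6C 0x0090603fUL
#define VER_0_9_6D 0x0090604fUL
#define VER_0_9_7  0x0090700fUL

/* Strict check: compile-time header value must equal the runtime library value. */
bool ossl_strict_match(ossl_ver_t built, ossl_ver_t runtime) {
    return built == runtime;
}

/* Relaxed check: mask out the patch letter and status, so 0.9.6c vs 0.9.6d
 * passes while 0.9.6 vs 0.9.7 (a fix-level change) is still refused. */
bool ossl_relaxed_match(ossl_ver_t built, ossl_ver_t runtime) {
    const ossl_ver_t mask = 0xfffff000UL; /* keep M, NN, FF; drop PP and S */
    return (built & mask) == (runtime & mask);
}

/* Render a version for a diagnostic message, e.g. 0x0090603f -> "0.9.6c". */
int ossl_format(ossl_ver_t v, char *buf, size_t len) {
    unsigned p = (unsigned)OSSL_PATCH(v);
    if (p)
        return snprintf(buf, len, "%lu.%lu.%lu%c", OSSL_MAJOR(v), OSSL_MINOR(v),
                        OSSL_FIX(v), 'a' + (int)p - 1);
    return snprintf(buf, len, "%lu.%lu.%lu", OSSL_MAJOR(v), OSSL_MINOR(v), OSSL_FIX(v));
}

int main(void) {
    char a[16], b[16];
    ossl_format(VER_0_9_6C, a, sizeof a);
    ossl_format(VER_0_9_6D, b, sizeof b);
    printf("built %s, runtime %s: strict=%d relaxed=%d\n", a, b,
           ossl_strict_match(VER_0_9_6C, VER_0_9_6D),
           ossl_relaxed_match(VER_0_9_6C, VER_0_9_6D));
    return 0;
}
```

Because the major, minor and fix fields stay in the comparison, only patch-letter releases are allowed to differ; anything that crosses a fix-level boundary is still rejected.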