Red Hat Bugzilla – Bug 74094
OpenSSL bounds checking problem
Last modified: 2007-03-26 23:57:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607
Description of problem:
There exists a buffer overflow bug in all versions of OpenSSL < 0.9.6e which
affects (among other things) Apache servers using mod_ssl. For details, please
see the URL http://online.securityfocus.com/bid/5363, which describes the problem
in more detail than I could...
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual Results: N/A
Expected Results: N/A
I realize that a large part of the problem is that the OpenSSL team keeps
breaking binary compatibility without updating the version number (besides a
silly letter at the end), but you guys aren't really doing a very good job of
keeping up with OpenSSL updates, and now we have a serious problem.
Because you have decided to work around the version problem by bumping up the
version number on the shared library, it is now also virtually impossible for
administrators to update OpenSSL on our own without having to recompile a whole
bunch of other programs. You have created a fictional shared library which is
incompatible with the way the rest of the world manages dependencies upon
OpenSSL, which is and should be still at libcrypto.0, et al.
This problem manifests itself in other ways, too; i.e. Apache 2.0 depends upon
OpenSSL 0.9.6e or greater, so it's a great deal of work to get it working on Red
Hat, for the same reasons as above.
I understand (at least partially) the difficulties, but I really think you need
to find a better way to work around the versioning issues. Though actually, if
you have a document somewhere that addresses the problem in detail, especially
if it has a sensible work-around to these problems, I'd certainly like to know
We fixed the OpenSSL vulnerabilities by backporting the security fixes, see
> Apache 2.0 depends upon OpenSSL 0.9.6e or greater
This was actually a mistake by the Apache group made in a commit at the last
minute of a release without the consequences being thought through. The next
Apache 2.0 release simply warns about the OpenSSL version number.
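The practical consequence of the reply above is that on a distribution that backports security fixes, the OpenSSL version string alone does not tell you whether a box is patched: a package still reporting 0.9.6b can already carry the fix for BID 5363. The script below is an added example, not code from the bug report, from Red Hat or from the OpenSSL project. It compares OpenSSL-style versions (numeric parts plus the trailing letter) and, when the version test says "too old", falls back to scanning the package changelog (the text `rpm -q --changelog openssl` prints) for the advisory identifier. The changelog excerpt is constructed for the example and is not a real Red Hat changelog; the function names and the scoring scheme are this example's own.

```shell
#!/bin/sh
# Added example: version-string checks versus backported fixes.
# Not part of the bug report; names and the sample changelog are invented here.

# Turn an OpenSSL version such as "0.9.6e" into a single comparable integer.
# Major/minor/patch are weighted; the trailing letter counts a=1 .. z=26 and a
# missing letter counts 0, so 0.9.6 < 0.9.6a < 0.9.6e < 0.9.7.
version_key() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    pat=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    suffix=$(printf '%s' "$rest" | sed 's/^[0-9]*//; s/[^a-z].*//')
    if [ -n "$suffix" ]; then
        ord=$(( $(printf '%d' "'$suffix") - 96 ))   # 'a' is 97 in ASCII
    else
        ord=0
    fi
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + ord ))
}

# True (exit 0) if version $1 is at least as new as version $2.
openssl_version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# True if the changelog text in $1 mentions identifier $2 (an advisory or bug id).
# On a backporting distribution this is where the fix is recorded, not in the version.
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# Constructed changelog excerpt for this example (not a real package changelog).
SAMPLE_CHANGELOG='* Tue Jul 30 2002 Example Maintainer <maint@example.com>
- backport fix for SSLv2 client key buffer overflow (BID 5363)
* Mon Jan 14 2002 Example Maintainer <maint@example.com>
- initial 0.9.6b package'

# Combine both checks: $1 = installed version, $2 = changelog text, $3 = identifier.
# Prints one of: "fixed (version)", "fixed (backport)", "vulnerable".
assess() {
    if openssl_version_ge "$1" 0.9.6e; then
        echo "fixed (version)"
    elif changelog_mentions "$2" "$3"; then
        echo "fixed (backport)"
    else
        echo "vulnerable"
    fi
}

# Usage: on a real system replace the constructed inputs with
#   assess "$(rpm -q --qf '%{VERSION}' openssl)" "$(rpm -q --changelog openssl)" 'BID 5363'
assess 0.9.6b "$SAMPLE_CHANGELOG" 'BID 5363'
```

A naive scanner that only runs the first branch would report the sample package as vulnerable; the changelog branch is what distinguishes "old version string" from "old code". The converse caveat also holds: a changelog grep proves only that the maintainer claims the fix, so for anything that matters confirm with the distribution's advisory and, where possible, a direct test of the affected code path.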