OpenSSL Security Update Problems

Yesterday we received and applied a new security update, openssl-0.9.8l_2, which addresses a man-in-the-middle attack that lets an attacker inject data into HTTPS sessions, and possibly into other sessions protected by TLS or SSL. The weakness is in the TLS renegotiation handshake, and 0.9.8l mitigates it by disabling renegotiation, so anything that relied on renegotiation (for example, per-directory client certificate requests in Apache) should be checked after the upgrade as well.

As part of the upgrade, the shared object libssl.so.5 was deleted and replaced by libssl.so.7. Every binary linked against OpenSSL records the versioned library name (libssl.so.5) at link time, so once that file was gone those binaries failed to load. Processes that were already running kept working, since they still had the old library mapped, but anything restarted or newly launched failed. That is why the disruption showed up in email services, in the restarting of apache2, and in other services that make use of SSL or TLS connections.

Fortunately this problem was fixed by rebuilding every application that depends on OpenSSL so that it links against the new shared object. These applications include:

  • Apache2
  • Qmail
  • SpamAssassin
  • ClamAV
  • Curl
  • gnome-vfs
  • gnutls
  • neon28
  • nmap
  • ntp
  • openldap-client
  • p5-Crypt-OpenSSL-Bignum
  • p5-Crypt-OpenSSL-RSA
  • p5-Crypt-OpenSSL-Random
  • p5-Crypt-SSLeay
  • p5-Net-SSLeay
  • php5-curl
  • php5-ftp
  • php5-imap
  • php5-openssl
  • proftpd
  • soup
  • subversion
  • squirrelmail
  • wget

We believe we have identified and rebuilt all impacted applications, and we are continuing to monitor the situation to identify other possible failures.

UPDATE: 01/16/2009

We have completed a sweep of all shared objects using ldd, looking for dependencies that no longer resolve. This process identified a few more rebuilds (not listed above) of packages not in general production use. The upgrade of OpenSSL is now complete.
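The sweep described above, as an added example rather than the hosting team's own script: it runs ldd over executables and shared objects under the given directories and reports every dependency that ldd marks as "not found", which is exactly what a binary still linked against the deleted libssl.so.5 looks like. The function and path choices are assumptions for illustration; the sample ldd output in the comments is constructed, not captured from the affected host.

```shell
#!/bin/sh
# Hypothetical helper for finding binaries whose dynamic dependencies no longer
# resolve after a shared-library version bump (e.g. libssl.so.5 -> libssl.so.7).
# Not the original post's tooling; written as an illustration of the ldd sweep.

# Read ldd output on stdin and print each shared object reported as
# "not found", one per line, deduplicated. Works with both the FreeBSD form
#     libssl.so.5 => not found (0)
# and the GNU form
#     libssl.so.5 => not found
# (both lines above are constructed examples).
missing_from_ldd() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# Walk the given directories, run ldd on every executable file and every
# shared object (*.so*), and print "<path>: <missing library>" for each
# unresolved dependency. Including *.so* matters because Apache and PHP
# modules are loaded with dlopen() at runtime and would otherwise be missed.
# ldd errors on scripts and other non-ELF files are discarded.
sweep_missing_libs() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -u+x -o -name '*.so*' \) 2>/dev/null
    done | while IFS= read -r f; do
        ldd "$f" 2>/dev/null | missing_from_ldd | sed "s|^|$f: |"
    done
}

# Example invocation (paths are assumptions; adjust to the host's layout):
#   sweep_missing_libs /usr/local/bin /usr/local/sbin /usr/local/lib /usr/local/libexec
```

Each reported path is a binary that will fail the next time it is started, even if a running instance still appears healthy. On a FreeBSD ports system, which the port-style package names in this post suggest, `pkg_info -W <path>` names the package that installed the file, giving the list of ports to rebuild.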
