How to link to openssl if two versions of libssl are on the system, when building FreeRadius on Debian wheezy 7.4?

Matthew Newton mcn4 at
Fri May 16 16:39:26 CEST 2014

On Fri, May 16, 2014 at 02:45:24PM +0100, Arran Cudbard-Bell wrote:
> On 16 May 2014, at 14:24, Matthew Newton <mcn4 at LEICESTER.AC.UK> wrote:
> > On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
> >> I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary
> >> package. Already installed on the normal location /usr/lib. => Heartbleed
> >> bug.
> > 
> > Debian's openssl 1.0.1e packaged has been patched, so it's not
> > vulnerable if you're up-to-date with the latest package.
> > 
> > They, like other distributions, annoyingly don't update the
> > version number. So you have to set
> > 
> >> allow_vulnerable_openssl = yes
> > 
> > If you build FR from source as a package, this is all sorted for
> > you - the allow_vulnerable_openssl is automatically set, because
> > the built backage will depend on the correct (patched) version of
> > openssl.
> No, this had to be removed because it broke ubuntu builds.

Why? It's not as if anyone uses Ubuntu for anything serious. ;)

First statement still stands, though. Distro version numbers are
stupidly confusing, and not at all helpful in this situation. As
long as the packages are up-to-date, whatever the version stated,
the system is probably not vulnerable anyway - check distro
package release notes/changelog.



Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list