How to link to openssl if two versions of libssl are on the system, when building FreeRadius on Debian wheezy 7.4?
Matthew Newton
mcn4 at leicester.ac.uk
Fri May 16 16:39:26 CEST 2014
On Fri, May 16, 2014 at 02:45:24PM +0100, Arran Cudbard-Bell wrote:
>
> On 16 May 2014, at 14:24, Matthew Newton <mcn4 at LEICESTER.AC.UK> wrote:
>
> > On Fri, May 16, 2014 at 03:52:36PM +0300, Rani Ahmed wrote:
> >> I have from Debian wheezy repository : OpenSSL 1.0.1*e* as a binary
> >> package. Already installed on the normal location /usr/lib. => Heartbleed
> >> bug.
> >
> > Debian's openssl 1.0.1e packaged has been patched, so it's not
> > vulnerable if you're up-to-date with the latest package.
> >
> > They, like other distributions, annoyingly don't update the
> > version number. So you have to set
> >
> >> allow_vulnerable_openssl = yes
> >
> > If you build FR from source as a package, this is all sorted for
> > you - the allow_vulnerable_openssl is automatically set, because
> > the built backage will depend on the correct (patched) version of
> > openssl.
>
> No, this had to be removed because it broke ubuntu builds.
Why? It's not as if anyone uses Ubuntu for anything serious. ;)
First statement still stands, though. Distro version numbers are
stupidly confusing, and not at all helpful in this situation. As
long as the packages are up-to-date, whatever the version stated,
the system is probably not vulnerable anyway - check distro
package release notes/changelog.
Cheers
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users
mailing list