PerlMonks  

Should I recompile SSL CPAN modules now?

by vsespb (Hermit)
on Apr 08, 2014 at 16:59 UTC
vsespb has asked for the wisdom of the Perl Monks concerning the following question:

So, about CVE-2014-0160 (more info)

AFAIK the problem persists not only on the server side, but on the client side too.

After updating the openssl libs from the vendor, should I recompile IO::Socket::SSL and possibly other CPAN modules which depend on SSL/TLS?

Re: Should I recompile SSL CPAN modules now?
by mr_mischief (Monsignor) on Apr 08, 2014 at 21:01 UTC

    IO::Socket::SSL depends on Net::SSLeay, which actually wraps OpenSSL, so if you can get Net::SSLeay rebuilt I think you should be alright. I haven't looked that deeply. Some monk surely knows more.

      Unless you build statically linked versions it should be enough to just install a patched openssl shared library (libssl.so, libcrypto.so). If you are not sure you might check with strace on Linux, e.g.:

      $ strace -e open perl -MNet::SSLeay ....
      open("/lib/x86_64-linux-gnu/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
      open("/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3

      If you see these libs loaded dynamically all is fine and you just need to replace them by installing the updated libssl package.
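
Added example, not part of the thread: the same dynamic-linking check done from `ldd` output, extended to find processes that still map the old library after the package update. The function names and sample inputs are constructed for illustration; the input formats are those of `ldd` and `/proc/<pid>/maps`.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not captured from a host.

# Read `ldd <path to SSLeay.so of Net::SSLeay>` output on stdin. Prints
# "dynamic" when libssl and libcrypto both resolve to shared objects, so a
# patched OpenSSL package is picked up without rebuilding the module.
ssl_link_mode() {
    awk '
        /=>/ && !/not found/ && /libssl\.so/    { ssl = 1 }
        /=>/ && !/not found/ && /libcrypto\.so/ { crypto = 1 }
        END { if (ssl && crypto) print "dynamic"; else print "static-or-missing" }
    '
}

# Read /proc/<pid>/maps content on stdin. Prints each libssl/libcrypto path
# the kernel marks "(deleted)": the file was replaced on disk, but this
# process still runs the old copy until it is restarted.
stale_ssl_maps() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)$/ { print $6 }' | sort -u
}

SAMPLE_LDD_DYNAMIC='libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000400000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000800000)'

SAMPLE_LDD_STATIC='libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000800000)'

SAMPLE_MAPS='00400000-00580000 r-xp 00000000 08:01 1001 /usr/bin/perl
7f0000200000-7f0000257000 r-xp 00000000 08:01 2001 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0000400000-7f00005b0000 r-xp 00000000 08:01 2002 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f0000800000-7f00009b0000 r-xp 00000000 08:01 2003 /lib/x86_64-linux-gnu/libc.so.6'

printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | ssl_link_mode
printf '%s\n' "$SAMPLE_LDD_STATIC"  | ssl_link_mode
printf '%s\n' "$SAMPLE_MAPS"        | stale_ssl_maps
```

On a live host, pipe real `ldd` output or `cat /proc/<pid>/maps` into the functions instead of the sample variables.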
Re: Should I recompile SSL CPAN modules now?
by zentara (Archbishop) on Apr 08, 2014 at 18:12 UTC
    Sounds like a prudent thing to do, but I wonder what other backdoors they have in there?

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh

      Backdoors imply they were there on purpose. In fact, OpenSSL is just a big mess.


      "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

        Isn't the excuse that it's all a big mess the easiest way to provide a cover story for putting in backdoors? I mean look at Microsoft Windows. There was a news release about a year ago which said that just about any Microsoft system gets infected within 30 minutes of being online. Is Microsoft code that big of a mess?

        I'm not really a human, but I play one on earth.
        Old Perl Programmer Haiku ................... flash japh
