
Should I recompile SSL CPAN modules now?

by vsespb (Hermit)
on Apr 08, 2014 at 16:59 UTC (#1081529=perlquestion)
vsespb has asked for the wisdom of the Perl Monks concerning the following question:

So, about CVE-2014-0160 (more info)

AFAIK problem persists not only for server side, but for client side too.

After updating openssl libs from vendor, should I recompile IO::Socket::SSL and possibly other CPAN modules which depend on SSL/TLS?

Re: Should I recompile SSL CPAN modules now?
by zentara (Archbishop) on Apr 08, 2014 at 18:12 UTC
    Sounds like a prudent thing to do, but I wonder what other backdoors they have in there?

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh

      Backdoors imply they were there on purpose. In fact, OpenSSL is just a big mess.


      "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

        Isn't the excuse that it's all a big mess the easiest way to provide a cover story for putting in backdoors? I mean look at Microsoft Windows. There was a news release about a year ago which said that just about any Microsoft system gets infected within 30 minutes of being online. Is Microsoft code that big of a mess?

        I'm not really a human, but I play one on earth.
        Old Perl Programmer Haiku ................... flash japh
Re: Should I recompile SSL CPAN modules now?
by mr_mischief (Monsignor) on Apr 08, 2014 at 21:01 UTC

    IO::Socket::SSL depends on Net::SSLeay which actually wraps OpenSSL so if you can get Net::SSLeay rebuilt I think you should be alright. I haven't looked that deeply. Some monk surely knows more.

      Unless you build statically linked versions it should be enough to just install a patched openssl shared library (libssl.so, libcrypto.so). If you are not sure you might check with strace on linux, e.g.:
      $ strace -e open perl -MNet::SSLeay
      ....
      open("/lib/x86_64-linux-gnu/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
      open("/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
      If you see these libs loaded dynamically all is fine and you just need to replace them by installing the updated libssl package.
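
Added example, not part of the original thread: a shell filter that applies the strace check from the reply above and counts only libssl/libcrypto opens that succeeded, so failed search-path probes are not mistaken for a loaded library. The function names and the sample traces are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from strace output whether a perl process picked up
# OpenSSL as shared libraries (fixed by updating the libssl package) or not.
# Real use (strace logs to stderr; newer glibc calls openat, not open):
#   strace -f -e trace=open,openat perl -MNet::SSLeay -e1 2>&1 | ssl_linkage

# Print each libssl/libcrypto path that was opened successfully.
opened_ssl_libs() {
    # Keep only calls returning a file descriptor (>= 0); failed search-path
    # probes return -1 ENOENT and must not count as "loaded".
    sed -n -E 's/^.*open(at)?\(.*"([^"]*lib(ssl|crypto)\.so[^"]*)".*\) *= *[0-9]+.*$/\2/p' |
        sort -u
}

# Classify the trace on stdin: "dynamic" plus the paths, or "not-dynamic".
ssl_linkage() {
    libs=$(opened_ssl_libs)
    case "$libs" in
        *libssl.so*)
            printf 'dynamic\n%s\n' "$libs" ;;
        *)
            # No libssl opened: Net::SSLeay is statically linked (rebuild it
            # against the patched OpenSSL) or the module failed to load.
            printf 'not-dynamic\n'
            return 1 ;;
    esac
}

# Constructed sample traces (not captured from a real host).
sample_dynamic() {
    cat <<'EOF'
open("/usr/local/lib/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
EOF
}
sample_not_dynamic() {
    cat <<'EOF'
open("/usr/lib/perl5/auto/Net/SSLeay/SSLeay.so", O_RDONLY|O_CLOEXEC) = 3
open("/usr/local/lib/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
}

sample_dynamic | ssl_linkage
```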
