Thread: Security: Heartbleed on N900
View Single Post
reinob is offline reinob
2014-04-17 , 09:26
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#25
Originally Posted by nieldk View Post
Been using my version for a long time, with no issues. But, of course, something may get affected. I cant make any promises, just can observe no issues on my device, actually contrary. I dont seem to have GPS positioning issues (AGPS) as an example - allthough I cant confirm that this is related, it does seem it might be.
+1. I also cannot report any problems using your version.

However we have to understand that many packages/programs are linked to a specific version of libssl and/or libcrypto, so installing your openssl package will only affect programs that link to libcrypto.so and/or libssl.so (which symlink to 1.0.0), but not those linked to lib{ssl|crypto}.so.0.9.8 (= most of Maemo) or even libssl0.9.7 (AFAIK Karam's dsniff -- just hope the guy is OK).

Obviously we (one..) could try brutally renaming/symlinking libssl0.9.8 to libssl1.0.0 and see what breaks. But surely things will break if there's been any kind of API changes (and let's not forget that this, unfortunately, *is* the favorite sport of FOSSy developers).

I suggest someone (somebody do something!) create a Wiki page with the packages depending on ssl 0.9.8 and a note whether source code is available or not and whether compiling with a recent ssl works, and whether it works or not.

Then we can start pushing updated versions to extras (or CSSU, whatever).
 

The Following 3 Users Say Thank You to reinob For This Useful Post: