Forum OpenACS Q&A: Re: https is down

8: Re: https is down (response to 1)
Posted by Andrew Spencer on

That's a good question, Andrew P. The previous version (in woody) is also 0.9.6c-2, but does not have the patch for RSA Blinding. And checking that, I found this tidbit:

Unfortunately, RSA blinding is not thread-safe and will cause failures for programs that use threads and OpenSSL such as stunnel. However, since the proposed fix would change the binary interface (ABI), programs that are dynamically linked against OpenSSL won't run anymore. This is a dilemma we can't solve.

You will have to decide whether you want the security update which is not thread-safe and recompile all applications that apparently fail after the upgrade, or fetch the additional source packages at the end of this advisory, recompile it and use a thread-safe OpenSSL library again, but also recompile all applications that make use of it (such as apache-ssl, mod_ssl, ssh etc.).

However, since only very few packages use threads and link against the OpenSSL library most users will be able to use packages from this update without any problems.

So, there seem to be a couple of options that will (hopefully) solve the problem. Thanks for setting me on the right path, Andrew P.
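
Added example (my own toy, not code from this thread or from OpenSSL): what the advisory's "RSA blinding" does, and why a blinding pair kept in a shared key object is not thread-safe. The key is a constructed, tiny one, and the lost race is replayed deterministically instead of with real threads.

```python
# Toy RSA blinding on a constructed key, to show (a) that blinding preserves
# correctness and (b) why blinding state shared between callers breaks.
from math import gcd
from typing import Tuple

# Constructed toy key (p=61, q=53); far too small for real use.
P, Q = 61, 53
N = P * Q                               # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))       # 2753

def private_op(c: int) -> int:
    """Plain RSA private operation: the step whose timing blinding hides."""
    return pow(c, D, N)

def make_blinding(r: int) -> Tuple[int, int]:
    """Blinding pair (r^e mod n, r^-1 mod n) for a random r coprime to n."""
    assert gcd(r, N) == 1
    return pow(r, E, N), pow(r, -1, N)

def blinded_private_op(c: int, blinding: Tuple[int, int]) -> int:
    """Per-call blinding: m = ((c * r^e)^d * r^-1) mod n.
    The exponentiation never sees c itself, and the pair is owned by the caller,
    so two threads with their own pairs cannot interfere."""
    r_e, r_inv = blinding
    return (private_op((c * r_e) % N) * r_inv) % N

class SharedBlindingState:
    """Models a blinding pair stored in the shared key object, one for all callers."""
    def __init__(self, r: int):
        self.blinding = make_blinding(r)

def interleaved_race(c: int, state: SharedBlindingState, r_other: int) -> int:
    """Deterministic replay of a lost race: caller A blinds with the shared pair,
    caller B re-randomises the shared pair mid-operation, then A unblinds with
    B's inverse. Returns A's (now wrong) result: m * r_a * r_b^-1 mod n."""
    r_e_a, _ = state.blinding
    blinded = (c * r_e_a) % N
    state.blinding = make_blinding(r_other)   # caller B's update lands here
    _, r_inv_b = state.blinding
    return (private_op(blinded) * r_inv_b) % N
```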

12: Re: https is down (response to 8)
Posted by Andrew Piskorski on
Andrew S., where did you find that info about "RSA blinding"? Oh, it was here, from April, and the original 17 March advisory. It would be nice to know how serious a security vulnerability this really is. From the discussion in Vulnerability Note VU#997481, I suspect it is pretty low risk for most web servers on the Internet. Various googles show a lot of info from back in March.

[grumble grumble] My fairly uninformed take on this is that some of these rushed-in security patches are not all that well thought out. Breaking thread-safety by default in a security patch to a formerly thread-safe library strikes me as really obnoxious.