[openssl-users] Applying security patches to 0.9.8a

Dennis Clarke dclarke at blastwave.org
Tue Apr 17 22:59:29 UTC 2018


On 17/04/18 06:36 PM, Rob Marshall wrote:
> Hi,
> 
> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
> 
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
> 
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?
> 

The ABI is very stable.  You would do well to build the latest openssl
as Rich Salz says.  The dates on this page are a mess but you need the
latest: https://www.openssl.org/source/old/0.9.x/

So build it into a user home directory like $HOME/local and then set
your LD_LIBRARY_PATH to point to that new lib dir and test your apps
against it.  There should be a major issue.

If all goes well, as it should, just build the libs into /usr/local/ssl
and test your apps again.

If that goes well ... you could back up your old libs and symlink in the
new ones you just built.

Just an idea.  Not perfect.

Dennis
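
The LD_LIBRARY_PATH test step from the message above, as an added example that is not part of the original post: a check that a binary really resolves libssl/libcrypto from the newly built directory instead of silently loading the old system copy. The function names, the /home/user/local/lib path and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# resolved_from LIB PREFIX: reads `ldd` output on stdin. Succeeds only when
# LIB is listed and its resolved path lies under PREFIX.
resolved_from() {
    awk -v lib="$1" -v pre="${2%/}" '
        $1 == lib && $2 == "=>" { seen = 1; if (index($3, pre "/") != 1) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# check_binary BIN NEWLIB: 0 = resolves to the new libs (or links neither),
# 1 = still loads an old copy, 2 = cannot be tested this way.
check_binary() {
    bin=$1; new=$2
    # The dynamic loader ignores LD_LIBRARY_PATH for setuid/setgid programs,
    # so a test run under the override says nothing about them.
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "SKIP $bin (setuid/setgid)"; return 2
    fi
    out=$(LD_LIBRARY_PATH="$new" ldd "$bin" 2>/dev/null) || return 2
    for lib in libssl.so.0.9.8 libcrypto.so.0.9.8; do
        case $out in *"$lib"*) ;; *) continue ;; esac
        printf '%s\n' "$out" | resolved_from "$lib" "$new" ||
            { echo "OLD  $bin: $lib"; return 1; }
    done
    echo "OK   $bin"
}

# Constructed ldd output (made-up paths): libssl comes from the new build,
# libcrypto is still the system copy.
SAMPLE='    libssl.so.0.9.8 => /home/user/local/lib/libssl.so.0.9.8 (0x00007f0000000000)
    libcrypto.so.0.9.8 => /usr/lib64/libcrypto.so.0.9.8 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000400000)'

printf '%s\n' "$SAMPLE" | resolved_from libssl.so.0.9.8 /home/user/local/lib &&
    echo "libssl: new build"
printf '%s\n' "$SAMPLE" | resolved_from libcrypto.so.0.9.8 /home/user/local/lib ||
    echo "libcrypto: still the system copy"
```

Binaries reported as SKIP only pick up the new libraries once they are installed in a path the loader trusts, so they need to be retested after the /usr/local/ssl or symlink step.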

