Subject: Re: [Boost-users] about CVE-2008-5077(vulnerability of OpenSSL)
From: Zeljko Vrba (zvrba_at_[hidden])
Date: 2009-01-19 13:04:58


On Mon, Jan 19, 2009 at 08:10:13PM +0900, Shinya TAKEBAYASHI wrote:
>
> Now, I'm anxious about the impact of
> CVE-2008-5077 (vulnerability of OpenSSL).
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5077
>
> Does anyone have information on the impact on boost::asio?
>
This is a generic answer pertaining to any kind of 3rd-party library:

1. if you distribute your application in binary form that is _statically_
linked to the library in question, you distribute the vulnerability together
with the application. Fix: YOU have to distribute updated binaries.

2. if you distribute your application in source form OR in binary form that
is _dynamically_ linked to the library in question, the library version
which is found at the user's machine is used. Fix: the USERS have to make
sure that they have patched their libraries before compiling or running
the program.
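
An added example, not part of the original message: one way to tell which of the two cases above applies to an ELF binary that uses OpenSSL, working from saved `readelf -d` and `strings` output. The function name, file layout and sample data are assumptions made for illustration; the sample input is constructed.

```shell
#!/bin/sh
# Triage from saved tool output, so it can run away from the target host:
#   $1 = file holding `readelf -d BINARY`, $2 = file holding `strings BINARY`
classify_openssl_linkage() {
    # DT_NEEDED entries name the shared libraries the loader resolves at run time.
    needed=$(sed -n -E 's/.*\(NEEDED\).*\[(lib(ssl|crypto)[^]]*)\].*/\1/p' "$1" | tr '\n' ' ')
    needed=${needed% }
    # Heuristic: a statically linked OpenSSL carries its version banner in the binary.
    banner=$(sed -n -E \
        's/.*(OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[a-z]+)? +[0-9]{1,2} [A-Z][a-z]{2} [0-9]{4}).*/\1/p' \
        "$2" | head -n 1)
    if [ -n "$needed" ]; then
        echo "dynamic: $needed (case 2: the library installed on the user's machine is used)"
    elif [ -n "$banner" ]; then
        echo "static: $banner (case 1: the distributor must ship updated binaries)"
    else
        echo "none: no OpenSSL dependency found"
    fi
}

# Constructed sample input (not taken from a real binary; version strings are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/dyn.readelf" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
printf 'usage: client HOST PORT\n' > "$tmp/dyn.strings"
cat > "$tmp/static.readelf" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
printf 'usage: client HOST PORT\nOpenSSL 0.0.0x 01 Jan 2000\n' > "$tmp/static.strings"

classify_openssl_linkage "$tmp/dyn.readelf" "$tmp/dyn.strings"
classify_openssl_linkage "$tmp/static.readelf" "$tmp/static.strings"
rm -rf "$tmp"
```

Libraries loaded with `dlopen` do not appear as `NEEDED` entries, and a static build may not contain the banner, so a "none" result is not proof that OpenSSL is absent.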

