[Glass] openssl packaged with GS/64

Norm Green via Glass glass at lists.gemtalksystems.com
Wed Jul 8 12:47:09 PDT 2015

Hi Paul,

On 7/8/2015 12:11 PM, Paul DeBruicker via Glass wrote:
> Hi -
> I noticed that 3.2.7 is shipping with an updated openssl (1.0.2b) and that openssl is prepping to release a new version Thursday  (https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html) which patches a serious vulnerability.
> It is my understanding that because of how the GemStone install scripts set the PATH the version of openssl that ships with GS becomes the de facto version of openssl in use on the system its installed on.  Unless you manually delete the version of openssl that ships with GS.  Is that correct?
Yes that is correct.  GemStone always explicitly loads the SSL libraries 
from $GEMSTONE/lib (64 bit or $GEMSTONE/lib32 (32 bit).
> If that is correct, is there a better way to do this so that users of GS don't have to delete the version of openssl you ship with the product?
You are free to compile a newer/different version of the SSL libs and 
replace the ones in $GEMSTONE.  We also sometimes will do this for you 
and release just the SSL libs.  This is why we designed our usage of SSL 
the way we did.  It is obviously impossible to synchronize our product 
releases with OpenSSL releases.

We always merge the latest versions of SSL into our source code 
repository as soon as SSL is released.  How/when we will formally 
release this SSL release is still TBD.
> How do others handle this?
Good question for the community.  I'm not sure.

> Thanks
> Paul
> _______________________________________________
> Glass mailing list
> Glass at lists.gemtalksystems.com
> http://lists.gemtalksystems.com/mailman/listinfo/glass

More information about the Glass mailing list