Question

I installed GitLab 6.6.5 via the omnibus package on Ubuntu 12.04 LTS. My question is will the Ubuntu OpenSSL heartbleed update cover the GitLab's installation? The installation has an embedded nginx that is installed. I have enabled SSL via the GitLab Omnibus Merge Request #66.


Solution

Having an embedded NGinX doesn't mean it won't use the /usr/bin/openssl installed on your system. (for instance, the ngx_http_ssl_module does require openssl)

If that openssl is 1.0.1g or 1.0.2, you won't have any issue.

openssl version

If not, it is easy enough to recompile it and install it.

To be sure, you can type:

ldd /path/to/nginx

That will give you the path of the openssl used by the binary nginx.
To get the full path, you can then use

readlink -f /path/to/libssl.so.1.0.0

Bruno adds in the comments:

It's probably more about /lib/*/libssl.so.1.0.0 than /usr/bin/openssl (which ldd should indicate indeed).
In principle, upgrading to the package with the fix and restarting NGinX should fix the issue.

Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features), but backport the security patches.

The OP crushedGrass points out in the comments Jacob Vosmaer (jacobvosmaer)'s commit "Update omnibus-software (CVE-2014-0160)", in omnibus-gitlab:

so all I had to do was run a reconfiguration.
I believe both your and Bruno's feedback is spot on; there are just more dependencies that have to match up.
GitLab uses Chef cookbooks to configure the setup and I definitely do not know enough about it to modify it downstream.

OTHER TIPS

Just so it is clear:

# ldd /opt/gitlab/embedded/sbin/nginx
...
libssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
libcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)
...

Gitlab omnibus uses its own bundled OpenSSL. apt-get update will not update and protect an install of gitlab omnibus.
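The two checks the answers describe (which libssl a binary actually loads, and whether that library's upstream version is in the affected range) as a small script. This is an added example, not code from either answer or from omnibus-gitlab; it assumes the /opt/gitlab/embedded prefix shown in the ldd output above, and `check_binary` needs a real `ldd` on the host.

```python
import os
import re
import subprocess

BUNDLED_PREFIX = "/opt/gitlab/embedded"  # omnibus library tree (from the ldd output above)
LDD_LINE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\S*)\s*=>\s*(\S+)")
# Version banner compiled into libssl/libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]* +\d{1,2} [A-Z][a-z]{2} \d{4}")

# The two libssl/libcrypto lines copied from the ldd output in the answer above.
SAMPLE_LDD = """\
\tlibssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
\tlibcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)
"""

def parse_ldd(ldd_output):
    """Map soname -> path for the libssl/libcrypto lines of `ldd` output."""
    return {m.group(1): m.group(2)
            for m in map(LDD_LINE.match, ldd_output.splitlines()) if m}

def classify(path):
    """'bundled' if the library lives in the omnibus tree, 'system' otherwise."""
    return "bundled" if path.startswith(BUNDLED_PREFIX + "/") else "system"

def fixed_upstream_version(banner):
    """True when an upstream version string is outside the affected 1.0.1..1.0.1f range.
    1.0.1g and 1.0.2 are fixed; 1.0.0 and 0.9.8 never had the heartbeat code.
    Distro packages backport the fix without bumping this number (Bruno's point),
    so False means "check the package changelog", not "confirmed vulnerable".
    """
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("no OpenSSL version in %r" % banner)
    if tuple(int(m.group(i)) for i in (1, 2, 3)) != (1, 0, 1):
        return True
    return m.group(4) >= "g"  # "" (plain 1.0.1) and "a".."f" sort below "g"

def check_binary(binary):
    """Run ldd on a real binary; report path, origin, banner and status of each SSL lib."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    report = {}
    for soname, path in parse_ldd(out).items():
        real = os.path.realpath(path)  # what `readlink -f` would print
        with open(real, "rb") as f:
            hit = BANNER.search(f.read())
        banner = hit.group(0).decode() if hit else None
        report[soname] = (real, classify(real), banner,
                          fixed_upstream_version(banner) if banner else None)
    return report
```

On an omnibus host, `check_binary("/opt/gitlab/embedded/sbin/nginx")` returning `"bundled"` for libssl is exactly the case where `apt-get upgrade` changes nothing and the omnibus package itself must be updated and reconfigured.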

Licensed under: CC-BY-SA with attribution