Port-alpha archive


OpenSSL - what have I actually done!?



Hi,

I've been updating an install of NetBSD 3.1 to get the Web server as current as possible. Apache itself was no problem as I had installed it from pkgsrc, so I simply downloaded the latest version.

However, I noticed from the Apache signature that my OpenSSL was an old version. I hadn't installed this from pkgsrc so I realised it had come with the base system. Looking at the security advisories, where a couple of patches for it are advised, I saw how to update it. In short, I downloaded the source tarballs for lib/ and crypto/, unpacked them into /usr/src and followed the instructions for patching OpenSSL. The install seemed to work and I now have new versions of /usr/lib/libcrypto* and /usr/lib/libssl*.

However, when I look again at the signature being given by Apache (and yes, I have stopped and started it) I still see the old version number for OpenSSL - it hasn't changed. I'm wondering now what I've actually done as I expected OpenSSL to be rebuilt when building the libs with 'dependall' specified. A newer version exists in pkgsrc.

Am I to understand that I've patched the underlying libraries for issues that have been identified that are specific to NetBSD, but not updated OpenSSL itself for the many general changes that have taken place between my old version and the current one? (So in effect I have only slightly improved my position.)

It seems to me that I should rebuild OpenSSL itself from source as well. How would I know where to find it in the source tarballs, please? Why does it exist in pkgsrc when it is part of the base system?

Any advice on how to proceed, or indeed how I should have approached this from the beginning, much appreciated.


Thanks & regards,

Jeff

