app-text/acroread had a dependency on dev-libs/openssl-0.9.8*, but as far as I can see, in the case of my currently installed acroread-9.3.4 it uses its own version:

> ps -fe | grep acroread
mark 17861 12372 2 14:08 ? 00:00:01 /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
mark 17914 12397 0 14:08 pts/0 00:00:00 grep --colour=auto acroread
> grep -P "libssl|libcrypto" /proc/17861/maps
b6682000-b6796000 r-xp 00000000 08:06 492243 /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243 /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244 /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
b67ea000-b67ee000 rw-p 0003a000 08:06 492244 /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8

Of course if you use ldd, as I assume the output in bug 331753 does, it will show it using the system libs:

> ldd /opt/Adobe/Reader9/Reader/intellinux/bin/acroread | grep -P "libssl|libcrypto"
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb772b000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb75df000)

Reproducible: Always
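The comparison made by hand in the report above (mapped libraries versus ldd's answer), as an added example that is not part of the original bug report. The function names mismatched_libs, check_pid, sample_maps and sample_ldd are hypothetical, and the sample input is constructed from the output quoted in the report.

```shell
#!/bin/sh
# Added example (hypothetical helper names): list libraries whose path in
# /proc/PID/maps differs from the path ldd resolves for the same soname.

# mismatched_libs MAPS_FILE LDD_FILE [REGEX]
# Prints "soname mapped_path ldd_path"; ldd_path is "-" when ldd does not
# list the library at all (for example, one loaded with dlopen).
mismatched_libs() {
    awk -v re="${3:-libssl|libcrypto}" '
        # First file: ldd output, "soname => /path (0xaddr)".
        FILENAME == ARGV[1] { if ($2 == "=>" && $1 ~ re) ldd[$1] = $3; next }
        # Second file: maps; field 6 is the backing file (no spaces assumed).
        NF >= 6 && $6 ~ re {
            n = split($6, parts, "/"); so = parts[n]
            if (so in seen) next
            seen[so] = 1
            want = (so in ldd) ? ldd[so] : "-"
            if (want != $6) print so, $6, want
        }
    ' "$2" "$1"
}

# check_pid PID: same comparison for a live process. ldd can run code from
# the binary it inspects, so use this only on binaries you trust.
check_pid() {
    tmp=$(mktemp) || return 1
    ldd "/proc/$1/exe" > "$tmp" 2>/dev/null
    mismatched_libs "/proc/$1/maps" "$tmp"
    rm -f "$tmp"
}

# Constructed sample input, modelled on the output quoted in the report.
sample_maps() { cat <<'EOF'
b6682000-b6796000 r-xp 00000000 08:06 492243 /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b6796000-b67ac000 rw-p 00114000 08:06 492243 /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
b67af000-b67ea000 r-xp 00000000 08:06 492244 /opt/Adobe/Reader9/Reader/intellinux/lib/libssl.so.0.9.8
EOF
}
sample_ldd() { cat <<'EOF'
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb772b000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb75df000)
EOF
}
```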
sounds like those versions that came in bundled, should be removed from the package... probably vulnerable to several bugs.
(In reply to comment #1)
> sounds like those versions that came in bundled, should be removed from the
> package... probably vulnerable to several bugs.

Right. Libraries are removed in acroread-9.4.2-r1. Please however give this a good testing before marking it stable, because I don't really know yet how well our system libraries act as replacement. (Acroread starts up normally and loads them. I'm hoping there won't be any mystery crashes.)
Is fixed in stable acroread 9.4.7 (only version in tree). @security: imho this can be resolved.
(In reply to comment #3)
> Is fixed in stable acroread 9.4.7 (only version in tree).
>
> @security: imho this can be resolved.

Thanks; I agree. @security, feel free to reopen if you disagree.