[Pkg-openssl-devel] Bug#743889: libssl1.0.0: libssl update does not cause applications that use it to restart
Jann Horn
jannpub at thejh.net
Mon Apr 7 23:12:34 UTC 2014
Package: libssl1.0.0
Version: 1.0.1e-2+deb7u5
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
when I did "apt-get update&&apt-get upgrade" today to get a fix for CVE-2014-0160, I got this from apt:
Setting up libssl1.0.0:amd64 (1.0.1e-2+deb7u5) ...
Setting up libssl-dev (1.0.1e-2+deb7u5) ...
Setting up openssh-client (1:6.0p1-4+deb7u1) ...
Setting up openssh-server (1:6.0p1-4+deb7u1) ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
Setting up a2ps (1:4.14-1.1+deb7u1) ...
Setting up libxalan2-java (2.7.1-7+deb7u1) ...
Setting up openssl (1.0.1e-2+deb7u5) ...
It restarted OpenSSH... and only OpenSSH. I then ran this command:
root at thejh:/home/jann# for pid in $(grep -F '/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' /proc/*/maps | cut -d/ -f3 | sort -u); do cat /proc/$pid/cmdline | tr '\0' ' '; echo; done
/usr/lib/erlang/erts-5.9.1/bin/beam -Bd -K true -A 4 -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -os_mon start_memsup false start_cpu_sup false disk_space_check_interval 1 disk_almost_full_threshold 1 -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
/usr/bin/couchjs /usr/share/couchdb/server/main.js
/usr/bin/couchjs /usr/share/couchdb/server/main.js
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
/usr/lib/postfix/master
/usr/sbin/vsftpd
/usr/bin/znc -d /etc/znc
pickup -l -t fifo -u -c
anvil -l -t unix -u -c
smtpd -n smtp -t inet -u -c -o stress= -s 2
irssi
/usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 --cd /etc/openvpn --config /etc/openvpn/tun0.conf
qmgr -l -t fifo -u
tlsmgr -l -t unix -u -c
So, uh, looks like although the fixed library is on my system, all the interesting and
maybe-affected services (like couchdb, stunnel, lighttpd, postfix, ...) are still
vulnerable until I reboot my server, which is not exactly standard procedure after
installing updates?
-- System Information:
Debian Release: 7.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libssl1.0.0 depends on:
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u1
ii multiarch-support 2.13-38+deb7u1
ii zlib1g 1:1.2.7.dfsg-13
libssl1.0.0 recommends no packages.
libssl1.0.0 suggests no packages.
-- debconf information:
libssl1.0.0/restart-failed:
libssl1.0.0/restart-services:
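A defender's check for exactly the situation this report describes (long-running services still mapping the pre-upgrade copy of libssl), written as an added example that is not part of the bug report, of Debian's packaging or of OpenSSL. It generalizes the report's one-liner to any library name by parsing the pathname column of /proc/PID/maps for the kernel's "(deleted)" suffix and joining it with /proc/PID/cmdline; the sample maps and cmdline content, the pid 4242 and the fake /proc tree are all constructed. Debian's `checkrestart` (debian-goodies) and `needrestart` automate the same check.

```python
"""Find processes still running against a replaced (deleted) shared library.

Added example, not from the bug report. When a package upgrade overwrites
/usr/lib/.../libssl.so.1.0.0, running processes keep the old inode mapped
and /proc/PID/maps shows that mapping with a trailing " (deleted)".
"""
import os
import tempfile
from collections import defaultdict

DELETED_SUFFIX = " (deleted)"


def deleted_libraries(maps_text, library=None):
    """Return the set of deleted *.so paths named in a maps file.

    library: optional substring (e.g. "libssl") to restrict the match.
    Non-file mappings such as "/dev/zero (deleted)" or "[stack]" are ignored.
    """
    found = set()
    for line in maps_text.splitlines():
        # columns: address perms offset dev inode pathname (may contain spaces)
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname column
        pathname = fields[5].rstrip()
        if not pathname.endswith(DELETED_SUFFIX):
            continue
        path = pathname[: -len(DELETED_SUFFIX)]
        base = os.path.basename(path)
        if not path.startswith("/") or ".so" not in base:
            continue
        if library and library not in base:
            continue
        found.add(path)
    return found


def parse_cmdline(raw):
    """Turn NUL-separated /proc/PID/cmdline bytes into one display string."""
    return " ".join(a.decode("utf-8", "replace") for a in raw.split(b"\0") if a)


def scan_proc(proc_root="/proc", library="libssl"):
    """Map each deleted library path to the [(pid, cmdline), ...] still using it.

    Run as root for a complete picture: other users' maps files read as
    empty without ptrace access. proc_root is a parameter so a constructed
    tree can stand in for the real /proc.
    """
    hits = defaultdict(list)
    if not os.path.isdir(proc_root):
        return {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "maps")) as fh:
                libs = deleted_libraries(fh.read(), library)
            if not libs:
                continue
            with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
                cmd = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited mid-scan, or its files are unreadable
        for lib in sorted(libs):
            hits[lib].append((int(entry), cmd))
    return dict(hits)


# Constructed sample: a stunnel worker that still maps the pre-upgrade libssl.
SAMPLE_MAPS = (
    "00400000-00445000 r-xp 00000000 fd:01 1311 /usr/bin/stunnel4\n"
    "7f2a1c000000-7f2a1c1d7000 r-xp 00000000 fd:01 131085 "
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f2a1c1d7000-7f2a1c3d6000 ---p 001d7000 fd:01 131085 "
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f2a1c400000-7f2a1c5b0000 r-xp 00000000 fd:01 131044 "
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n"
    "7f2a1c600000-7f2a1c601000 rw-s 00000000 00:04 12345 /dev/zero (deleted)\n"
    "7ffd3a000000-7ffd3a021000 rw-p 00000000 00:00 0 [stack]\n"
)
SAMPLE_CMDLINE = b"/usr/bin/stunnel4\0/etc/stunnel/stunnel.conf\0"


def build_sample_proc_tree():
    """Write the constructed sample into a temporary fake /proc (pid 4242)
    and return its root, so scan_proc() runs without root or a live system."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    pid_dir = os.path.join(root, "4242")
    os.mkdir(pid_dir)
    with open(os.path.join(pid_dir, "maps"), "w") as fh:
        fh.write(SAMPLE_MAPS)
    with open(os.path.join(pid_dir, "cmdline"), "wb") as fh:
        fh.write(SAMPLE_CMDLINE)
    os.mkdir(os.path.join(root, "sys"))  # non-pid entry that must be skipped
    return root


if __name__ == "__main__":
    for lib, users in sorted(scan_proc(build_sample_proc_tree()).items()):
        print("still mapped (deleted):", lib)
        for pid, cmd in users:
            print("  %6d %s" % (pid, cmd))
    # On a real Debian host, report every replaced library, not only libssl:
    #   scan_proc("/proc", library=None)
```

Each reported pid is a service that needs a restart (or a reboot) before the upgraded library actually takes effect; filtering on the basename rather than the full path keeps the check working across multiarch directories.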