[Pkg-openssl-devel] Bug#743889: Bug#743889: libssl1.0.0: libssl update does not cause applications that use it to restart

[Kurt Roeckx]

On Tue, Apr 08, 2014 at 01:12:34AM +0200, Jann Horn wrote:
> Package: libssl1.0.0
> Version: 1.0.1e-2+deb7u5
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Dear Maintainer,
> when I did "apt-get update&&apt-get upgrade" today to get a fix for CVE-2014-0160, I got this from apt:
> 
> Setting up libssl1.0.0:amd64 (1.0.1e-2+deb7u5) ...
> Setting up libssl-dev (1.0.1e-2+deb7u5) ...
> Setting up openssh-client (1:6.0p1-4+deb7u1) ...
> Setting up openssh-server (1:6.0p1-4+deb7u1) ...
> [ ok ] Restarting OpenBSD Secure Shell server: sshd.
> Setting up a2ps (1:4.14-1.1+deb7u1) ...
> Setting up libxalan2-java (2.7.1-7+deb7u1) ...
> Setting up openssl (1.0.1e-2+deb7u5) ...
> 
> It restarted OpenSSH... and only OpenSSH. I then ran this command:

openssh actually isn't affected, you also just got an update for
it that caused it to restart.  The openssl update did not have
anything to do with the update restarting of openssl.

> So, uh, looks like although the fixed library is on my system, all the interesting and
> maybe-affected services (like couchdb, stunnel, lighttpd, postfix, ...) are still
> vulnerable until I reboot my server, which is not exactly standard procedure after
> installing updates?

We have code that checks some of the applications that need to be
restarted, but it has a static list of packages to check and it's
outdated.  We're working on improving that list and providing an
other update that will restart those services.

In the mean that I suggest you reboot your system or use something
like checkrestart (from debian-goodies).



Kurt