On Tue, Apr 08, 2014 at 01:12:34AM +0200, Jann Horn wrote:
> Package: libssl1.0.0
> Version: 1.0.1e-2+deb7u5
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
> when I did "apt-get update&&apt-get upgrade" today to get a fix for
> CVE-2014-0160, I got this from apt:
>
> Setting up libssl1.0.0:amd64 (1.0.1e-2+deb7u5) ...
> Setting up libssl-dev (1.0.1e-2+deb7u5) ...
> Setting up openssh-client (1:6.0p1-4+deb7u1) ...
> Setting up openssh-server (1:6.0p1-4+deb7u1) ...
> [ ok ] Restarting OpenBSD Secure Shell server: sshd.
> Setting up a2ps (1:4.14-1.1+deb7u1) ...
> Setting up libxalan2-java (2.7.1-7+deb7u1) ...
> Setting up openssl (1.0.1e-2+deb7u5) ...
>
> It restarted OpenSSH... and only OpenSSH. I then ran this command:

OpenSSH actually isn't affected; you also just got an update for it, which caused it to restart. The openssl update did not have anything to do with the restart of openssl.

> So, uh, looks like although the fixed library is on my system, all the
> interesting and maybe-affected services (like couchdb, stunnel, lighttpd,
> postfix, ...) are still vulnerable until I reboot my server, which is not
> exactly standard procedure after installing updates?

We have code that checks some of the applications that need to be restarted, but it has a static list of packages to check and it's outdated. We're working on improving that list and providing another update that will restart those services. In the meantime I suggest you reboot your system or use something like checkrestart (from debian-goodies).

Kurt
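The check Kurt points at (which running services still use the replaced library) as an added example, not code from the bug report or from debian-goodies: a POSIX shell scan of /proc/PID/maps for mappings of a libssl file the kernel marks "(deleted)", which is the heuristic checkrestart relies on. The fake proc tree, PIDs and process names (stunnel4, lighttpd) in the demo are constructed so it runs offline without root.

```shell
#!/bin/sh
# When dpkg installs a new libssl, the old file is unlinked but stays alive in
# the memory of every process that had it mapped; the kernel shows those
# mappings with a "(deleted)" suffix in /proc/PID/maps. Any such process is
# still running the vulnerable code until it is restarted.

# Print "PID NAME" for each process whose maps reference a deleted file
# matching PATTERN. $1 = proc root (default /proc), $2 = pattern (default libssl).
stale_lib_pids() {
  proc_root="${1:-/proc}"
  pattern="${2:-libssl}"
  for maps in "$proc_root"/[0-9]*/maps; do
    # Unreadable entries (other users' processes when not root) are skipped,
    # so run as root for a complete answer.
    [ -r "$maps" ] || continue
    if grep -q "${pattern}[^ ]* (deleted)$" "$maps" 2>/dev/null; then
      pid="${maps%/maps}"; pid="${pid##*/}"
      name="?"
      [ -r "$proc_root/$pid/comm" ] && read -r name < "$proc_root/$pid/comm"
      echo "$pid $name"
    fi
  done
}

# Constructed demo tree (not a real /proc): 4242 still maps the replaced
# libssl, 4343 was started after the upgrade and maps the new file.
demo_stale_scan() {
  root=$(mktemp -d)
  mkdir -p "$root/4242" "$root/4343"
  printf '%s\n' \
    '7f1a00000000-7f1a00040000 r-xp 00000000 08:01 1001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
    > "$root/4242/maps"
  echo stunnel4 > "$root/4242/comm"
  printf '%s\n' \
    '7f1b00000000-7f1b00040000 r-xp 00000000 08:01 1002 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0' \
    > "$root/4343/maps"
  echo lighttpd > "$root/4343/comm"
  stale_lib_pids "$root" libssl
  rm -rf "$root"
}

demo_stale_scan   # prints: 4242 stunnel4
```

On a real host run `stale_lib_pids /proc libssl` as root after the upgrade; every listed service needs a restart (or the machine a reboot) before the fixed library is actually in use.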

