Hi,

I can confirm this behaviour. In addition I am quite sure that apache2 is 
affected because I have tested it with the heartbleed check 
(http://heartbleed.com) directly after the security update and it was still 
vulnerable. After I restarted apache2 manually the vulnerability was gone. 

Regards,

Felix

> -----Original Message-----
> From: Fredrik Jonson [mailto:fred...@jonson.org]
> Sent: Tuesday, 08 April 2014 18:02
> To: debian-security@lists.debian.org
> Subject: DSA 2896-2 openssl - Apache 2 not detected as service to restart by
> postinst?
> 
> Hi,
> 
> After upgrading the packages in DSA 2896-2 (openssl security update), the
> second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted
> that the postinst script didn't suggest that I should restart apache2.
> 
> As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and could
> be affected by CVE-2014-0160. Correct?
> 
> I note that the postinst script in libssl1.0.0 searches for the virtual
> package apache2-common which is not installed on my servers.
> 
> Is this a bug in the postinst script, or is apache2 not affected, or is it a
> user error to not have the virtual package installed?
> 
> BTW, thanks to all involved in Debian's rapid response to this CVE!
> --
> Fredrik Jonson
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: https://lists.debian.org/slrnlk87b1.frm.fred...@biggles.jonson.org
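
The thread turns on which running services still use the old libssl after the upgrade. The following is an added example, not part of either message and not the Debian postinst script: it lists processes whose memory maps still reference a deleted libssl or libcrypto file, independent of package names. The function names, the optional proc-root argument and the sample tree are assumptions made for illustration; the sample data is constructed.

```shell
#!/bin/sh
# Added example: find processes still mapping a replaced (deleted) OpenSSL
# library. After a package upgrade the old file is unlinked, and running
# processes show it in /proc/PID/maps with a trailing "(deleted)".

# Print "PID COMM LIBPATH" once per stale library per process.
# $1 is an optional proc root (assumption, used for offline testing).
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable without root, or gone
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        comm="?"
        [ -r "$pid_dir/comm" ] && comm="$(cat "$pid_dir/comm" 2>/dev/null)"
        # maps fields: address perms offset dev inode pathname [(deleted)]
        grep -E '/lib(ssl|crypto)[^/]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null |
            awk -v pid="$pid" -v comm="$comm" '!seen[$6]++ { print pid, comm, $6 }'
    done
}

# Build a constructed /proc-like tree (sample data, not from a real host):
# PID 101 still maps the old libraries, PID 202 maps the current one.
make_sample_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202"
    echo apache2 > "$root/101/comm"
    cat > "$root/101/maps" <<'EOF'
7f10a0000000-7f10a0058000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0258000-7f10a025b000 rw-p 00058000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f10a0400000-7f10a05d0000 r-xp 00000000 08:01 1312 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF
    echo sshd > "$root/202/comm"
    cat > "$root/202/maps" <<'EOF'
7f20b0400000-7f20b05d0000 r-xp 00000000 08:01 2001 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
}

# Scan the live system only when asked to: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    stale_openssl_procs
fi
```

Run the scan as root so that every process's maps file is readable; any service it lists needs a restart before the fixed library is actually in use.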

