Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Stefan Eriksson
I've seen pound has this issue, sites which use pound as proxy need to restart pound manually, before that is done it doesn't use the newly installed openssl. On 2014-04-09 09:51, Henrik Ahlgren wrote: On Tue, Apr 08, 2014 at 08:24:52PM +0200, Salvatore Bonaccorso wrote: Yes this is

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Rob van der Putten
Hi there Salvatore Bonaccorso wrote: Yes this is unfortunately a bug in that part of the libssl1.0.0 postinst! apache2 is also affected and should be restarted after the openssl update. AFAIK all services that use TLS + open-ssl are affected. I generated new keys for Apache, Asterisk, Exim

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Stephan Seitz
On Wed, Apr 09, 2014 at 10:51:42AM +0300, Henrik Ahlgren wrote: If new services will be added to the restart check list, I think both puppet and puppetmaster should be included, too. The service snmpd should be restarted as well. At least checkrestart says so. Shade and sweet water!

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Lupe Christoph
On Wednesday, 2014-04-09 at 12:42:16 +0200, Rob van der Putten wrote: AFAIK all services that use TLS + open-ssl are affected. I generated new keys for Apache, Asterisk, Exim and imap and restarted those services. According to a post on slashdot SSH is not affected. I don't know if this is

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread bsod
On 2014-04-09 12:42, Rob van der Putten wrote: According to a post on slashdot SSH is not affected. I don't know if this is correct. (Open-)SSH is not affected as it does not use openssl at all. Should be the same for other SSH daemons like dropbear as they are not using TLS in SSH

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Vladislav Kurz
On Wednesday 09 of April 2014 13:26:06 bsod wrote: On 2014-04-09 12:42, Rob van der Putten wrote: According to a post on slashdot SSH is not affected. I don't know if this is correct. (Open-)SSH is not affected as it does not use openssl at all. Should be the same for other SSH daemons

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Apollon Oikonomopoulos
On 13:26 Wed 09 Apr, bsod wrote: On 2014-04-09 12:42, Rob van der Putten wrote: According to a post on slashdot SSH is not affected. I don't know if this is correct. (Open-)SSH is not affected as it does not use openssl at all. Should be the same for other SSH daemons like dropbear

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Rob van der Putten
Hi there Vladislav Kurz wrote: So, why does openssh-server depend on libssl ? ldd /usr/sbin/sshd says it needs libcrypto.so, which is part of openssl? Maybe the question should be does SSH use a heartbeat? Regards, Rob

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread bsod
On 2014-04-09 13:38, Vladislav Kurz wrote: So, why does openssh-server depend on libssl ? oh... my bad, searched for dependencies openssl instead of libssl. However, it still does not use TLS and is therefore not concerned by bugs in the heartbeat extension to it. Kind regards, Chris

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Jeremie Marguerie
Yes the private keys can be compromised, but the perfect secrecy should ensure that unless someone was doing an active MITM and had the private key, the communications were safe. On Wed, Apr 9, 2014 at 3:06 PM, Artikel-140 i...@artikel-140.nl wrote: Hi, If Perfect Forward Secrecy is enabled,

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-09 Thread Bernhard R. Link
* Jeremie Marguerie jere...@marguerie.org [140409 15:28]: Yes the private keys can be compromised, but the perfect secrecy should ensure that unless someone was doing an active MITM and had the private key, the communications were safe. As the communication was part of the data transported

DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-08 Thread Fredrik Jonson
Hi, After upgrading the packages in DSA 2896-2 (openssl security update), the second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted that the postinst script didn't suggest that I should restart apache2. As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and

AW: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-08 Thread Felix Berlakovich
Hi, I can confirm this behaviour. In addition I am quite sure that apache2 is affected because I have tested it with the heartbleed check (http://heartbleed.com) directly after the security update and it was still vulnerable. After I restarted apache2 manually the vulnerability was gone.

Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-08 Thread Salvatore Bonaccorso
Hi Fredrik, On Tue, Apr 08, 2014 at 04:01:37PM +, Fredrik Jonson wrote: Hi, After upgrading the packages in DSA 2896-2 (openssl security update), the second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted that the postinst script didn't suggest that I should restart