Package: libssl1.0.0
Version: 1.0.1e-2+deb7u5
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

when I did "apt-get update&&apt-get upgrade" today to get a fix for
CVE-2014-0160, I got this from apt:

Setting up libssl1.0.0:amd64 (1.0.1e-2+deb7u5) ...
Setting up libssl-dev (1.0.1e-2+deb7u5) ...
Setting up openssh-client (1:6.0p1-4+deb7u1) ...
Setting up openssh-server (1:6.0p1-4+deb7u1) ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
Setting up a2ps (1:4.14-1.1+deb7u1) ...
Setting up libxalan2-java (2.7.1-7+deb7u1) ...
Setting up openssl (1.0.1e-2+deb7u5) ...

It restarted OpenSSH... and only OpenSSH. I then ran this command:

root@thejh:/home/jann# for pid in $(grep -F '/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' /proc/*/maps | cut -d/ -f3 | sort -u); do cat /proc/$pid/cmdline | tr '\0' ' '; echo; done
/usr/lib/erlang/erts-5.9.1/bin/beam -Bd -K true -A 4 -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -os_mon start_memsup false start_cpu_sup false disk_space_check_interval 1 disk_almost_full_threshold 1 -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart
/usr/bin/couchjs /usr/share/couchdb/server/main.js
/usr/bin/couchjs /usr/share/couchdb/server/main.js
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf
/usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
/usr/lib/postfix/master
/usr/sbin/vsftpd
/usr/bin/znc -d /etc/znc
pickup -l -t fifo -u -c
anvil -l -t unix -u -c
smtpd -n smtp -t inet -u -c -o stress= -s 2
irssi
/usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 --cd /etc/openvpn --config /etc/openvpn/tun0.conf
qmgr -l -t fifo -u
tlsmgr -l -t unix -u -c

So, uh, looks like although the fixed library is on my system, all the
interesting and maybe-affected services (like couchdb, stunnel, lighttpd,
postfix, ...) are still vulnerable until I reboot my server, which is not
exactly standard procedure after installing updates?

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  multiarch-support      2.13-38+deb7u1
ii  zlib1g                 1:1.2.7.dfsg-13

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
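The reporter's one-liner only looks for the one libssl path. As an added example (not from the bug report, and not Debian's own restart logic), the POSIX sh script below generalises it to every process still mapping any shared object whose file was replaced or deleted after the process started, printing PID, library and command line; by default it runs against a constructed fake /proc with made-up PIDs and addresses, and it runs against the real one when given /proc as its argument.

```shell
#!/bin/sh
# Added example: find processes that still map a deleted (replaced) shared
# object. Usage: sh stale-libs.sh [/proc]   (no argument = constructed fixture)

# deleted_libs_in_maps MAPS_FILE -> distinct .so paths tagged "(deleted)"
deleted_libs_in_maps() {
    # /proc/PID/maps columns: address perms offset dev inode pathname [(deleted)]
    # the inode stays the same for every mapping of the old file, so dedupe by path
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.|$)/ { print $6 }' "$1" 2>/dev/null | sort -u
}

# stale_processes PROCDIR -> one "PID<TAB>LIB<TAB>CMDLINE" line per stale mapping
stale_processes() {
    procdir=$1
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$procdir"/}; pid=${pid%/maps}
        # cmdline is NUL-separated; render it the way the reporter did
        cmd=$(tr '\0' ' ' < "$procdir/$pid/cmdline" 2>/dev/null)
        deleted_libs_in_maps "$maps" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$lib" "$cmd"
        done
    done
}

# make_fixture -> path of a constructed fake /proc: pid 4242 still maps the old
# libssl (plus a deleted non-library file, which must be ignored), pid 4243 is clean.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/4242" "$d/4243"
    cat > "$d/4242/maps" <<'EOF'
7f0c3a1b2000-7f0c3a3c8000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0c3a3c8000-7f0c3a5c8000 ---p 00216000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f0c3a5c8000-7f0c3a7d0000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libc-2.13.so
7f0c3a7d0000-7f0c3a7d8000 r--p 00000000 08:01 262144 /tmp/session.cache (deleted)
7f0c3a7d8000-7f0c3a7f9000 rw-p 00000000 00:00 0 [heap]
EOF
    printf '/usr/bin/stunnel4\0/etc/stunnel/stunnel.conf\0' > "$d/4242/cmdline"
    printf '7f0c3a5c8000-7f0c3a7d0000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libc-2.13.so\n' > "$d/4243/maps"
    printf '/usr/sbin/sshd\0-D\0' > "$d/4243/cmdline"
    echo "$d"
}

stale_processes "${1:-$(make_fixture)}"
```

Every line it prints is a service that needs a restart (or a reboot) before the upgraded library takes effect for it, which is exactly what the package's own restart step missed here.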

