[ale] openssl related software question

James P. Kinney III jkinney at localnetsolutions.com
Tue Jul 30 21:09:57 EDT 2002


Calm down! When RedHat said "restart the server", they meant the
SERVICE, not the box. So, yes, after you install the openssl upgrades,
you WILL have to restart apache and friends.

ldd on openssh will not show a dependency on openssl since ssh doesn't
depend on ssl. But it uses the crypto libs packaged with openssl. And
the secure pop and imap and stunnel also depend on openssl.
So once openssl is updated, sshd, xinetd, apache will all need to be
restarted.

The alternative is to use a M$ box that gets rebooted every week anyway
and doesn't have stable, tested encryption for good security  :)

Hmm. More thought on this process. There are quite a few systems that
use ssl (ldap, NFS v4, samba authentication, maybe others). Since the
libs in ssl are so pervasively used, RedHat may be correct by suggesting
a complete system reboot. This will guarantee that everything is using
the new ssl libs. Just sending a SIGHUP to every process will NOT cause
it to replace the running binary with an updated one. It will only reset
to its default start parameters in its startup configs. 

After the new openssl is installed, telinit to runlevel 1 then telinit
back to runlevel 3. That will stop and start all servers without
changing uptime.

On Tue, 2002-07-30 at 19:50, jenn at colormaria.com wrote:
> With the openssl vuln disclosed today, I noticed that very few vendors were
> talking about all the other software that is potentially affected, and I'm
> really not at all knowledgeable about dynamically linked stuff.
> 
> I run openssh and apache + mod_ssl on some of my servers, and I don't
> compile them with anything specific to tell them where ssl lives.  Are they
> dynamically linked by default? How do I tell?  ldd /usr/local/bin/ssh doesn't
> show me anything about libssl.
> 
> What I'm getting at here is, do I need to recompile everything that uses
> openssl?  If not, how do I tell whether it's using the newer version or not?
> 
> Sorry if this is common knowledge or a stupid question, I just don't see it
> mentioned anywhere in the bugtraq posts...and RedHat recommends that you
> restart your server after applying the patch!!!!!  Since when do you reboot a
> non-MS box after applying a patch!?
> 
> Thanks
> jenn
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
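The two questions in this thread (is a binary dynamically linked against openssl, and which running daemons still hold the old libssl/libcrypto after the upgrade) can both be answered from the shell. The script below is an added example, not part of the original thread or RedHat's advisory; it assumes a Linux system with /proc, uses ldd for the linkage question, and relies on the fact that /proc/PID/maps marks a mapping whose file has since been replaced on disk with a "(deleted)" suffix. The function names, the LIB_RE pattern and the SAMPLE_MAPS lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): after the openssl packages are
# upgraded, find the running processes that still have the OLD libssl/libcrypto
# mapped and therefore need a restart. On Linux, /proc/PID/maps marks a mapping
# whose file has been replaced or removed on disk with a "(deleted)" suffix.

# Soname pattern for the libraries shipped in the openssl package (assumption).
LIB_RE='lib(ssl|crypto)[^ ]*\.so'

# linked_ssl_libs BINARY: answer "is this program dynamically linked against
# openssl?" by listing the libssl/libcrypto entries ldd reports (if any).
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | grep -E "$LIB_RE" || true
}

# stale_maps: read /proc/PID/maps-style lines on stdin and print, one per line,
# the paths of openssl libraries that are mapped but replaced/deleted on disk.
# Field 6 of a maps line is the backing file path; "(deleted)" follows it.
stale_maps() {
    grep -E "$LIB_RE" | grep -F '(deleted)' | awk '{print $6}' | sort -u
}

# stale_procs: scan every process and print "PID COMM PATH" for each stale
# openssl mapping. Reading other users' maps files requires root.
stale_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        paths=$(stale_maps < "$maps")
        [ -n "$paths" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for p in $paths; do
            printf '%s %s %s\n' "$pid" "$comm" "$p"
        done
    done
}

# Constructed sample of maps lines (not captured from a real system): two old
# openssl libraries still mapped after an upgrade, plus libc and a new libcrypto.
SAMPLE_MAPS='40000000-40010000 r-xp 00000000 03:01 12345 /usr/lib/libssl.so.0.9.6b (deleted)
40010000-40020000 r-xp 00000000 03:01 12346 /usr/lib/libcrypto.so.0.9.6b (deleted)
40020000-40030000 r-xp 00000000 03:01 12347 /lib/libc.so.6
40030000-40040000 r-xp 00000000 03:01 12348 /usr/lib/libcrypto.so.0.9.6g'

# sample_stale: run the parser over the constructed sample; only the two
# "(deleted)" openssl libraries should come out.
sample_stale() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_maps
}

# Usage: "sh stale-ssl.sh" demonstrates the parser on the sample;
# "sh stale-ssl.sh --scan" (as root) lists live processes that need restarting.
if [ "${1:-}" = "--scan" ]; then
    stale_procs
else
    sample_stale
fi
```

A process that shows up in the --scan output is still executing the vulnerable code no matter what the package database says, and a SIGHUP will not change that: only an exec of a fresh process (a service restart, a runlevel change, or a reboot) maps the new library. An empty scan after restarting the listed services is the check that the upgrade actually took effect.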


