sshd & [USN-2459-1] OpenSSL vulnerabilities

iceblink iceblink at seti.nl
Tue Jan 13 12:48:37 UTC 2015


On 2015-01-13 13:39, William Scott Lockwood III wrote:
> On Jan 13, 2015 6:27 AM, "Vangelis Katsikaros" <ibob17 at yahoo.gr> wrote:
>  >
>  > Hi
>  >
>  > On 01/13/2015 02:06 PM, Colin Law wrote:
>  >>
>  >> On 13 January 2015 at 11:42, Vangelis Katsikaros <ibob17 at yahoo.gr> wrote:
>  >>>
>  >>> Hi
>  >>>
>  >>> Sorry in case the question is stupid :) Does the ssh service need a restart
>  >>> after this update?
>  >>
>  >> An update to any service should normally restart it automatically. If
>  >> in doubt just restart it anyway.
>  >
>  > Thanks for the info. However:
>  > - The update in this case is not for the service openssh-server
>  >   (the service), it's for libssl, and from the output I don't see that
>  >   it triggered any restarts.
>  > - I know I can restart the service, but I don't want to do this
>  >   without a reason to 20+ VMs.
>  >
>  > Regards
>  > Vangelis
>
> Yes, you need to restart. SSHD loads libssl into memory at launch.
> Patching it doesn't reload the patched version. You are vulnerable
> until you restart.

According to the openssh documentation, sshd spawns child processes for 
connections, meaning that no connections will be lost when sshd is 
restarted.

But do this at your own risk; I haven't tried this myself.

(How important is it to fix these issues right this minute, versus how 
bad are the consequences when connections are lost?)

Best regards,
Patrick
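
The question in this thread (does a running sshd still use the old library after the update?) can be answered per host before restarting anything. The script below is an added example, not part of the original messages: it looks in `/proc/PID/maps` for libssl or libcrypto mappings that the kernel marks `(deleted)`, which is how a library file replaced on disk appears in a process that loaded the old copy. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced libssl/libcrypto.

# stale_libs MAPS_FILE
# Print each libssl/libcrypto path mapped from a file that no longer exists
# on disk; the kernel marks such mappings with a trailing "(deleted)".
stale_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' "$1" | sort -u
}

# needs_restart MAPS_FILE: exit status 0 if a stale copy is still mapped.
needs_restart() {
    [ -n "$(stale_libs "$1")" ]
}

# scan_sshd: report every running sshd that still maps a stale copy.
# Run as root; other users' /proc/PID/maps are not readable.
scan_sshd() {
    for pid in $(pgrep -x sshd 2>/dev/null); do
        libs=$(stale_libs "/proc/$pid/maps" 2>/dev/null | tr '\n' ' ')
        [ -z "$libs" ] || echo "sshd pid $pid still maps: $libs"
    done
}

# write_sample_maps STALE FRESH: constructed /proc/PID/maps excerpts
# (addresses, inodes and paths are made up) for trying the functions offline.
write_sample_maps() {
    cat > "$1" <<'EOF'
7f3a10000000-7f3a101d3000 r-xp 00000000 08:01 131201 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a103d3000-7f3a103ee000 r--p 001d3000 08:01 131201 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a10800000-7f3a10818000 r-xp 00000000 08:01 131355 /lib/x86_64-linux-gnu/libz.so.1.2.8 (deleted)
7f3a10c00000-7f3a10dbb000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat > "$2" <<'EOF'
7f3a10000000-7f3a101d3000 r-xp 00000000 08:01 140022 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a10c00000-7f3a10dbb000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
}

# Live check only when asked for: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_sshd; fi
```

Any sshd process started before the upgrade, including one serving an open session, is listed until that process exits.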



