sshd & [USN-2459-1] OpenSSL vulnerabilities
marius at pov.lt
Wed Jan 14 07:31:05 UTC 2015
On Tue, Jan 13, 2015 at 06:39:43AM -0600, William Scott Lockwood III wrote:
> On Jan 13, 2015 6:27 AM, "Vangelis Katsikaros" <ibob17 at yahoo.gr> wrote:
> > On 01/13/2015 02:06 PM, Colin Law wrote:
> >> On 13 January 2015 at 11:42, Vangelis Katsikaros <ibob17 at yahoo.gr> wrote:
> >>> Sorry in case the question is stupid :) Does the ssh service need
> >>> a restart after this update?
> >> An update to any service should normally restart it automatically. If
> >> in doubt just restart it anyway.
> > Thanks for the info. However:
> > - The update in this case is not for the service openssh-server (the
> > service), it's for libssl, and from the output I don't see that it
> > triggered any restarts.
> > - I know I can restart the service, but I don't want to do this without a
> > reason to a 20+ VMs.
> Yes, you need to restart. SSHD loads libssl into memory at launch.
I wondered about that, since
$ ldd /usr/sbin/sshd | grep ssl
$ sudo lsof -p $(pidof sshd) | grep ssl
but I see that openssh-server depends on libssl
$ apt-cache show openssh-server|grep Depends
Depends: ... libssl1.0.0 (>= 1.0.1), ...
and that libssl1.0.0 ships libcrypto.so.1.0.0, and
$ ldd /usr/sbin/sshd | grep libcrypto
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f7711c34000)ldd /usr/sbin/sshd | grep ssl
$ sudo lsof -p $(pidof sshd) | grep libcrypto
sshd 1529 root DEL REG 8,1 2362684 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0.dpkg-new
BTW the 'DEL' in lsof's output indicates an open but deleted
file. (Older versions of lsof used to show it with '(deleted)' after
the filename. I haven't noticed when exactly the output format changed.)
> Patching it doesn't reload the patched version. You are vulnerable
> until you restart.
When you upgrade a library, you can run `sudo lsof | grep DEL` (or, for
older Ubuntu versions, | grep deleted) to see which running processes
still link against the old version. You can then restart just those
processes and avoid a reboot. But a reboot is simpler and safer.
Did you hear that the author of _Nitpicking for Dummies_ has just
received it back from the publisher with the 182nd set of editorial
-- Bill Snyder
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 190 bytes
Desc: Digital signature
More information about the ubuntu-users