sshd & [USN-2459-1] OpenSSL vulnerabilities
Marius Gedminas
marius at pov.lt
Wed Jan 14 07:31:05 UTC 2015
On Tue, Jan 13, 2015 at 06:39:43AM -0600, William Scott Lockwood III wrote:
> On Jan 13, 2015 6:27 AM, "Vangelis Katsikaros" <ibob17 at yahoo.gr> wrote:
> > On 01/13/2015 02:06 PM, Colin Law wrote:
> >> On 13 January 2015 at 11:42, Vangelis Katsikaros <ibob17 at yahoo.gr> wrote:
> >>> Sorry in case the question is stupid :) Does the ssh service need
> >>> a restart after this update?
> >>
> >> An update to any service should normally restart it automatically. If
> >> in doubt just restart it anyway.
> >
> > Thanks for the info. However:
> > - The update in this case is not for the service openssh-server (the
> > service), it's for libssl, and from the output I don't see that it
> > triggered any restarts.
> > - I know I can restart the service, but I don't want to do this without a
> > reason to a 20+ VMs.
>
> Yes, you need to restart. SSHD loads libssl into memory at launch.
I wondered about that, since
$ ldd /usr/sbin/sshd | grep ssl
(no output)
$ sudo lsof -p $(pidof sshd) | grep ssl
(no output)
but I see that openssh-server depends on libssl
$ apt-cache show openssh-server|grep Depends
Depends: ... libssl1.0.0 (>= 1.0.1), ...
and that libssl1.0.0 ships libcrypto.so.1.0.0, and
$ ldd /usr/sbin/sshd | grep libcrypto
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f7711c34000)
$ sudo lsof -p $(pidof sshd) | grep libcrypto
sshd 1529 root DEL REG 8,1 2362684 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0.dpkg-new
BTW the 'DEL' in lsof's output indicates an open but deleted
file. (Older versions of lsof used to show it with '(deleted)' after
the filename. I haven't noticed when exactly the output format changed.)
> Patching it doesn't reload the patched version. You are vulnerable
> until you restart.
Right.
When you upgrade a library, you can run `sudo lsof | grep DEL` (or, for
older Ubuntu versions, | grep deleted) to see which running processes
still link against the old version. You can then restart just those
processes and avoid a reboot. But a reboot is simpler and safer.
Marius Gedminas
--
Did you hear that the author of _Nitpicking for Dummies_ has just
received it back from the publisher with the 182nd set of editorial
markups?
-- Bill Snyder
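The `lsof | grep DEL` trick from the message above, done by reading /proc/PID/maps directly, as an added example that is not part of the original post or thread. It assumes a Linux /proc (the kernel marks a mapping whose backing file has been unlinked or replaced with a trailing "(deleted)", the same condition newer lsof reports as DEL) and only reports shared objects, so deleted tmpfiles and memfd segments do not show up. The function names and the sample maps file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): list processes that still map
# a shared library whose on-disk file has been replaced by a package upgrade.
# Reads /proc/PID/maps instead of lsof; the kernel appends "(deleted)" to the
# path of any mapping whose backing file no longer exists under that name.

# deleted_libs MAPSFILE
# Print, once each, every shared object in a /proc/PID/maps-style file that is
# marked "(deleted)". Only paths that look like .so files are reported so that
# deleted tmpfiles, /memfd: segments and SysV shm segments are ignored.
deleted_libs() {
    awk '($6 ~ /\.so\./ || $6 ~ /\.so$/) && $NF == "(deleted)" { print $6 }' \
        "$1" 2>/dev/null | sort -u
}

# stale_processes
# Walk every live process and print "PID COMM LIB" for each deleted .so it
# still maps. Like lsof, this needs root to read other users' processes;
# unreadable or vanished processes are silently skipped.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        deleted_libs "$maps" | while read -r lib; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# sample_maps
# Write a constructed /proc/PID/maps excerpt (modelled on the sshd case in the
# post: old libcrypto still mapped after libssl1.0.0 was upgraded) to a temp
# file and print its name. Used to exercise deleted_libs without root.
sample_maps() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
55d4c1a00000-55d4c1b00000 r-xp 00000000 08:01 1049345 /usr/sbin/sshd
7f7711a00000-7f7711b90000 r-xp 00000000 08:01 2362500 /lib/x86_64-linux-gnu/libc.so.6
7f7711c34000-7f7711dd8000 r-xp 00000000 08:01 2362684 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f7711dd8000-7f7711fd8000 ---p 001a4000 08:01 2362684 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f7712000000-7f7712001000 rw-s 00000000 00:05 12345 /memfd:pulse (deleted)
7f7712100000-7f7712200000 rw-p 00000000 00:00 0
7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]
EOF
    printf '%s\n' "$f"
}

# Run as root after "apt-get upgrade" to see what still needs a restart:
#   sudo sh thisfile.sh
# then restart only the services listed, e.g. for sshd on Ubuntu:
#   sudo service ssh restart
if [ "${1:-}" = "--sample" ]; then
    f=$(sample_maps); deleted_libs "$f"; rm -f "$f"
else
    stale_processes
fi
```

Two caveats when reading the output: a process that has already re-exec'd or been restarted will not appear, and the path shown is whatever name the kernel last had for the inode, which is why lsof in the post printed the old libcrypto as "...libcrypto.so.1.0.0.dpkg-new". Any hit at all means that process is still running the pre-upgrade code.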