[Bug 1307190] Re: postinst script does not restart services
Jamie Strandboge
jamie at ubuntu.com
Thu Apr 17 18:36:53 UTC 2014
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1307190
Title:
postinst script does not restart services
Status in “openssl” package in Ubuntu:
New
Bug description:
I have updated openssl to 1.0.1e-3ubuntu1.2 (Ubuntu 13.10 here). This
update did not automatically restart services that were using the
previously installed version (apache2 in my case), because the
postinst script at /var/lib/dpkg/info/openssl.postinst does not do
that. In effect, these services were still affected by the security
vulnerabilities fixed in the update (among them in the latest update
the fix for CVE-2014-0160 "Heartbleed"). The services had to be
restarted manually, which in the case of a web server that gets its
updates automatically via unattended-upgrades can mean a potentially
dangerous delay.
Expected behavior is instead that the openssl postinst script restarts
all services that use the previous version. This is how it was handled
in openssl 0.9.8b-3 for example (as documented in issue #69239, see
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/69239 ).
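Added example, not part of the original bug report or of the openssl package: one way to check which running processes still map the pre-upgrade OpenSSL libraries, the condition the report describes. It relies on the Linux kernel marking an unlinked backing file with " (deleted)" in /proc/<pid>/maps; the function names and the sample maps lines are constructed for illustration.

```python
import re
from pathlib import Path

# A /proc/<pid>/maps line whose backing file is an OpenSSL shared library
# that has been replaced on disk ends with the path plus " (deleted)".
STALE_LIB = re.compile(r"\s(/\S*lib(?:ssl|crypto)\.so\S*) \(deleted\)$")

def stale_openssl_libs(maps_text):
    """Return the sorted, de-duplicated stale libssl/libcrypto paths in one maps dump."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE_LIB.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Map pid -> (process name, stale libraries) for every readable process."""
    results = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # skip non-process entries such as /proc/meminfo
        try:
            libs = stale_openssl_libs((entry / "maps").read_text())
            name = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited, or we lack permission to read it
        if libs:
            results[int(entry.name)] = (name, libs)
    return results

# Constructed sample: a process started before the upgrade (two segments of
# the old libssl, one of the old libcrypto, and an untouched libc).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 393301 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c259000-7f3a1c25d000 r--p 00059000 08:01 393301 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 393299 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1bc000 r-xp 00000000 08:01 393250 /lib/x86_64-linux-gnu/libc-2.17.so
"""

if __name__ == "__main__":
    # Every process listed here needs a restart to pick up the fixed library.
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(pid, name, ", ".join(libs))
```

Run it as root after the upgrade so that the maps files of services owned by other users are readable.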