• Apache doesn't restart after new libssl is installed

    From Phil Endecott@21:1/5 to All on Wed Feb 8 16:00:01 2023
    Dear Experts,

    I have a Debian 11 system running Apache and unattended-upgrades.

    I received the DSA 5343-1 email advertising the new openssl
    package, 1.1.1n-0+deb11u4. Unattended-upgrades had installed this
    before I even read the email - great.

    But Apache has not been restarted, and it seems to be running
    with the old libssl still:

    # grep ssl /proc/661/maps
    7fcb5bd97000-7fcb5bdb4000 r--p 00000000 ca:02 265814 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)

    Obviously the security issues are not closed until Apache (and
    any other daemon linked with openssl) restart, and that may not
    happen for a long time! This is not the first time I have seen
    something like this happen.

    Whose responsibility is this? Should the Apache package somehow
    know that it needs to restart itself? Should the libssl package
    do something to cause Apache to restart? Should the unattended-
    upgrades package know to restart Apache when libssl has been
    upgraded?

    I know there is a mechanism of some kind to cause daemons to
    restart when libraries they use are being replaced; is that just
    for libc updates, or something?


    Thanks,

    Phil.


    P.S. If you Cc: me in your reply, I'll see it sooner.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
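The `(deleted)` marker in the `/proc/661/maps` output above is the general symptom: after a library package is replaced, every process that mapped the old file keeps the old inode alive until it re-execs. The script below is an added example, not code from this thread or from any Debian package. It factors the check into a parser (`deleted_libs`) that reads any maps-format stream, and a scanner (`stale_processes`) that walks `/proc`; the maps excerpt embedded at the bottom is constructed for the demonstration (addresses and inode numbers are made up).

```shell
#!/bin/sh
# Added example, not code from the thread: find processes that still map a
# shared library whose file on disk has been replaced. After a package upgrade
# the old inode lingers as long as something maps it, and /proc/PID/maps marks
# it "(deleted)", which is what the grep on the Apache process showed.

# deleted_libs: read a /proc/PID/maps stream on stdin and print each distinct
# shared object marked "(deleted)". Only paths that look like .so files are
# reported, so deleted temp files and memfd/shm mappings are ignored.
deleted_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.[0-9]+)*$/ { print $(NF-1) }' \
        | sort -u
}

# stale_processes: walk every readable /proc/PID/maps and print one
# "PID COMM LIBRARY" line per stale mapping. Run as root to see all daemons;
# unreadable map files (other users' processes) are skipped silently.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(deleted_libs 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed maps excerpt (addresses and inode numbers are made up) mixing a
# replaced libssl, an untouched libcrypto, the heap, and a deleted non-library
# file that must not be reported.
SAMPLE_MAPS='7fcb5bd97000-7fcb5bdb4000 r--p 00000000 ca:02 265814 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7fcb5bdb4000-7fcb5bde2000 r-xp 0001d000 ca:02 265814 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7fcb5c000000-7fcb5c021000 rw-p 00000000 00:00 0 [heap]
7fcb5c100000-7fcb5c110000 r--p 00000000 ca:02 265901 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7fcb5c200000-7fcb5c201000 rw-s 00000000 00:01 99 /tmp/scratch (deleted)'

# Demonstrate the parser on the sample (prints only the libssl path), then
# scan the live system.
printf '%s\n' "$SAMPLE_MAPS" | deleted_libs
stale_processes
```

On the sample the parser reports `/usr/lib/x86_64-linux-gnu/libssl.so.1.1` once and nothing else; on a live host each line names a daemon that needs `systemctl restart`, and re-running the scan afterwards should show it gone. This is the same evidence needrestart (mentioned later in the thread) collects; `needrestart -r l` lists affected services without restarting them, and its apt hook runs after every dpkg invocation, including those driven by unattended-upgrades, with the restart policy taken from `$nrconf{restart}` in `/etc/needrestart/needrestart.conf` (`'a'` for automatic).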
  • From Henrik Ahlgren@21:1/5 to Phil Endecott on Wed Feb 8 16:20:01 2023
    On Wed, 2023-02-08 at 14:01 +0000, Phil Endecott wrote:
    > Whose responsibility is this? Should the Apache package somehow
    > know that it needs to restart itself? Should the libssl package
    > do something to cause Apache to restart? Should the unattended-
    > upgrades package know to restart Apache when libssl has been
    > upgraded?
    >
    > I know there is a mechanism of some kind to cause daemons to
    > restart when libraries they use are being replaced; is that just
    > for libc updates, or something?

    Have a look into the needrestart package, which is suggested, but not
    required, by unattended-upgrades.

  • From Craig@21:1/5 to All on Wed Feb 8 16:20:03 2023
    Would that not be the responsibility of the systemd bit for Apache (if
    using systemd)?
    That said, I am not sure systemd does a great job of restarting a service. Might require tailoring on the particular server.


    https://ma.ttias.be/auto-restart-crashed-service-systemd/
    > On Wed, 2023-02-08 at 14:01 +0000, Phil Endecott wrote:
    > > Whose responsibility is this? Should the Apache package somehow
    > > know that it needs to restart itself? Should the libssl package
    > > do something to cause Apache to restart? Should the unattended-
    > > upgrades package know to restart Apache when libssl has been
    > > upgraded?
    > >
    > > I know there is a mechanism of some kind to cause daemons to
    > > restart when libraries they use are being replaced; is that just
    > > for libc updates, or something?
    >
    > Have a look into the needrestart package, which is suggested, but not
    > required, by unattended-upgrades.



    --
    @ITS
    Craig M. Houck ><>
    Binghamton University - ITS:Systems

  • From Phil Endecott@21:1/5 to Henrik Ahlgren on Wed Feb 8 17:30:02 2023
    Henrik Ahlgren wrote:
    > On Wed, 2023-02-08 at 14:01 +0000, Phil Endecott wrote:
    > > Whose responsibility is this? Should the Apache package somehow
    > > know that it needs to restart itself? Should the libssl package
    > > do something to cause Apache to restart? Should the unattended-
    > > upgrades package know to restart Apache when libssl has been
    > > upgraded?
    > >
    > > I know there is a mechanism of some kind to cause daemons to
    > > restart when libraries they use are being replaced; is that just
    > > for libc updates, or something?
    >
    > Have a look into the needrestart package, which is suggested, but not
    > required, by unattended-upgrades.

    Thanks for the suggestion - yes, this does seem to be what I need.

    I may file a bug suggesting that this is installed (and enabled)
    by default, in particular for the Debian cloud images which have
    had unattended-upgrades installed for longer than other systems.
    Fundamentally I think that unattended-upgrades without restarting
    daemons is just giving a false sense of security. Thoughts anyone?


    Regards, Phil.
