[Secure-testing-team] Bug#743889: libssl1.0.0: libssl update does not cause applications that use it to restart

Jann Horn jannpub at thejh.net
Mon Apr 7 23:12:34 UTC 2014


Package: libssl1.0.0
Version: 1.0.1e-2+deb7u5
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,
when I did "apt-get update&&apt-get upgrade" today to get a fix for CVE-2014-0160, I got this from apt:

Setting up libssl1.0.0:amd64 (1.0.1e-2+deb7u5) ...
Setting up libssl-dev (1.0.1e-2+deb7u5) ...
Setting up openssh-client (1:6.0p1-4+deb7u1) ...
Setting up openssh-server (1:6.0p1-4+deb7u1) ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
Setting up a2ps (1:4.14-1.1+deb7u1) ...
Setting up libxalan2-java (2.7.1-7+deb7u1) ...
Setting up openssl (1.0.1e-2+deb7u5) ...

It restarted OpenSSH... and only OpenSSH. I then ran this command:

root at thejh:/home/jann# for pid in $(grep -F '/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' /proc/*/maps | cut -d/ -f3 | sort -u); do cat /proc/$pid/cmdline | tr '\0' ' '; echo; done
/usr/lib/erlang/erts-5.9.1/bin/beam -Bd -K true -A 4 -- -root /usr/lib/erlang -progname erl -- -home /var/lib/couchdb -- -noshell -noinput -os_mon start_memsup false start_cpu_sup false disk_space_check_interval 1 disk_almost_full_threshold 1 -sasl errlog_type error -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart 
/usr/bin/couchjs /usr/share/couchdb/server/main.js 
/usr/bin/couchjs /usr/share/couchdb/server/main.js 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/stunnel4 /etc/stunnel/stunnel.conf 
/usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s 
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s 
/usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf 
/usr/lib/postfix/master 
/usr/sbin/vsftpd 
/usr/bin/znc -d /etc/znc 
pickup -l -t fifo -u -c 
anvil -l -t unix -u -c 
smtpd -n smtp -t inet -u -c -o stress= -s 2 
irssi 
/usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 --cd /etc/openvpn --config /etc/openvpn/tun0.conf 
qmgr -l -t fifo -u 
tlsmgr -l -t unix -u -c

So, uh, looks like although the fixed library is on my system, all the interesting and
maybe-affected services (like couchdb, stunnel, lighttpd, postfix, ...) are still
vulnerable until I reboot my server, which is not exactly standard procedure after
installing updates?

-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  multiarch-support      2.13-38+deb7u1
ii  zlib1g                 1:1.2.7.dfsg-13

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services:
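
The /proc/*/maps check from the report above, written out as a small script (an added example, not code from the bug report or from Debian). It generalises the one-liner to any library name prefix and keeps the maps parsing separate from the live /proc walk; the embedded maps sample is constructed, and the function names are my own.

```python
"""Find processes still mapping a replaced (deleted) shared library.
Added example, not from the bug report or Debian; generalises the report's
one-liner to any library name and keeps parsing separate from the /proc walk.
"""
import os
import re

# maps line: address perms offset dev inode pathname[ (deleted)]
# Anonymous mappings have no pathname and therefore do not match.
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+"
    r"(?P<path>\S.*?)(?P<deleted> \(deleted\))?$"
)

# Constructed sample maps file (addresses and inodes made up).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 393218      /usr/sbin/lighttpd
01e7d000-01e9e000 rw-p 00000000 00:00 0           [heap]
7f3c2a000000-7f3c2a05f000 r-xp 00000000 08:01 1310734   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c2a25e000-7f3c2a3e0000 r-xp 00000000 08:01 1310699   /lib/x86_64-linux-gnu/libc-2.13.so
7f3c2a800000-7f3c2a820000 rw-p 00000000 00:00 0
"""

def stale_library_paths(maps_text, libname):
    """Deleted file paths in one maps listing whose basename starts with
    libname ('libssl.so' matches .../libssl.so.1.0.0)."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.rstrip())
        if m and m.group("deleted") and \
                os.path.basename(m.group("path")).startswith(libname):
            stale.add(m.group("path"))
    return stale

def processes_needing_restart(maps_by_pid, libname):
    """maps_by_pid: {pid: maps text}. Returns {pid: stale paths} for hits."""
    hits = {}
    for pid, text in maps_by_pid.items():
        stale = stale_library_paths(text, libname)
        if stale:
            hits[pid] = stale
    return hits

def scan_proc(libname, proc="/proc"):
    """Walk a live /proc; reading other users' maps needs root."""
    maps_by_pid = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "maps")) as fh:
                    maps_by_pid[int(entry)] = fh.read()
            except OSError:  # process exited or permission denied
                pass
    return processes_needing_restart(maps_by_pid, libname)
```

Run `scan_proc("libssl.so")` as root after the upgrade; every pid it returns is a service that is still running the old code and needs a restart.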
