postinst script does not restart services

Bug #1307190 reported by decimus
This bug affects 1 person
Affects: openssl (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

I have updated openssl to 1.0.1e-3ubuntu1.2 (Ubuntu 13.10 here). This update did not automatically restart services that were using the previously installed version (apache2 in my case), because the postinst script at /var/lib/dpkg/info/openssl.postinst does not do that. In effect, these services were still affected by the security vulnerabilities fixed in the update (among them in the latest update the fix for CVE-2014-0160 "Heartbleed"). The services had to be restarted manually, which in the case of a web server that gets its updates automatically via unattended-upgrades can mean a potentially dangerous delay.

Expected behavior is instead that the openssl postinst script restarts all services that use the previous version. This is how it was handled in openssl 0.9.8b-3 for example (as documented in issue #69239, see https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/69239).

information type: Private Security → Public Security
Changed in openssl (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Adrien Nader (adrien) wrote:

This is not strictly a duplicate of https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971650 since this one is now about switching to needrestart, but I believe it subsumes the current bug enough to mark it as duplicate of the newer one.
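
The condition this report describes, a running service that still has the pre-update OpenSSL libraries loaded, can be detected from /proc. The following is an added example, not part of the bug report or of the openssl package; it assumes Linux, assumes the upgrade replaced the library files on disk so that old mappings are listed as "(deleted)", and its function names and sample data are constructed for illustration.

```python
import os
import re

# A mapped path ending in " (deleted)" means the file was replaced or removed on disk
# while the process kept the old copy loaded.
STALE_LIB = re.compile(r"(\S*/lib(?:ssl|crypto)\.so\S*) \(deleted\)$")

def stale_openssl_libs(maps_text):
    """Return sorted OpenSSL library paths that are mapped but deleted on disk."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE_LIB.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Map pid -> (command name, stale libraries) for every readable process."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps"), errors="replace") as fh:
                libs = stale_openssl_libs(fh.read())
            with open(os.path.join(base, "comm"), errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:  # process exited, or maps not readable without root
            continue
        if libs:
            report[int(entry)] = (comm, libs)
    return report

# Constructed sample of /proc/<pid>/maps for a server started before the upgrade.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c055000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 393298 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1be000 r-xp 00000000 08:01 393221 /lib/x86_64-linux-gnu/libc-2.17.so
"""

if __name__ == "__main__":
    # Run as root to see every process; each line is a service that needs a restart.
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(f"{pid}\t{comm}\t{', '.join(libs)}")
```

An empty result after restarting the listed services confirms that no running process still uses the replaced libraries.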
