While I was working on the editor's guide re advisories, it occurred to me that I don't see anywhere to put an explanation of what to do after upgrading OpenSSL so that nothing remains using the old version.

Obviously, on a single-user desktop you can just reboot, but on a server the only reason to reboot should be either a power outage or a kernel upgrade.

For at least seven years I've had the following in my upgrade script for OpenSSL - I must have picked it up somewhere online, probably at https://silveiraneto.net/tag/linux/ - note that I install my upgrades as root, so I don't use sudo like his example.

    echo "now you need to find what is using the OLD version, and restart it:" &&
    echo "grep -l -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps | tr -cd 0-9\\\n | xargs -r ps u"

Note that the tr command only uses two backslashes before the \n, but echo swallows one.

On a sysv desktop, that nowadays means killing Xorg, so that there is not a great benefit compared to rebooting. On my home server I have to run this, bounce various services (e.g. postgresql), then log out and log back in to rerun the command and check that nothing is now using the old lib. If you have multiple remote users, I guess you'll have to get them to log out.

If the package was in BLFS I could put this in the wiki. In fact, there is an old openssl page there. But ideally I'd like to make the note accessible from LFS. Failing that, I suppose I could add it to the links for OpenSSL advisories in consolidated.html (in the same way that glibc and thunderbird get special treatment).

Or do the sysadmins here have a better method for doing this?

ĸen
"I'm not a sysadmin, not even on /."
--
My inbox is kind of a modern-day Colossal Cave adventure: "You are in a maze of twisty email threads, all similar but with different hidden details". -- Linus
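The check described in the message above, written out as a shell function that reports the PID, the command name and the stale library paths for each process (an added example, not part of the original post). The optional proc_root argument is an assumption made here so the function can be pointed at a constructed directory tree; by default it reads /proc.

```shell
#!/bin/sh
# Added example: list processes that still map a deleted libssl/libcrypto,
# i.e. services that must be restarted after an OpenSSL upgrade.
# Output: one line per process, "PID<TAB>command<TAB>lib1,lib2".

stale_ssl_procs() {
    proc_root=${1:-/proc}   # hypothetical override, used for testing only

    for maps in "$proc_root"/[0-9]*/maps; do
        # The process may have exited, or the glob may not have matched.
        [ -r "$maps" ] || continue

        pid=${maps%/maps}
        pid=${pid##*/}

        # A maps line is: address perms offset dev inode pathname [(deleted)]
        # Keep the pathname only when it is libssl/libcrypto and the kernel
        # has marked the backing file as deleted (replaced by the upgrade).
        libs=$(awk '$7 == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*$" { print $6 }' \
                   "$maps" 2>/dev/null | sort -u | paste -sd, -)
        [ -n "$libs" ] || continue

        name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$name" "$libs"
    done
}

# Run as root after the upgrade; other users' maps are unreadable otherwise.
stale_ssl_procs
```

An empty result after bouncing services and logging back in means nothing is still holding the old library.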
