[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security implication of using force-reload instead of restart ?

On Sunday 09 January 2011, Nikita V. Youshchenko wrote:
> I've just noticed that on libapache2-mod-php5 package upgrade,
> apache server was not restartted (but only HUPed because of
> force-reload called from libapache2-mod-php5 postinst)
> Doesn't this mean that running apache has still old version of php
> module loaded, so it still is vulnerable to issues fixed in php
> update?

No. Apache unloads and reloads modules on a graceful restart, unless a 
modules takes special measures to prevent that. You can check that 
with lsof or checkrestart. But libapache2-mod-php5's behaviour is not 
optimal for other reasons (see #589386).

> Is this a severity serious bug?
> Perhaps same situation exists with other package combinations as
> well?

Normally I recommend using restart in module packages. Maintainer of 
module packages should check the behaviour of their module before 
deviating from that.

Reply to: