Re: Security implication of using force-reload instead of restart ?
On Sunday 09 January 2011, Nikita V. Youshchenko wrote:
> I've just noticed that on libapache2-mod-php5 package upgrade,
> apache server was not restarted (but only HUPed because of
> force-reload called from libapache2-mod-php5 postinst)
>
> Doesn't this mean that running apache has still old version of php
> module loaded, so it still is vulnerable to issues fixed in php
> update?
No. Apache unloads and reloads modules on a graceful restart, unless a
module takes special measures to prevent that. You can check that
with lsof or checkrestart. But libapache2-mod-php5's behaviour is not
optimal for other reasons (see #589386).
> Is this a severity serious bug?
> Perhaps same situation exists with other package combinations as
> well?
Normally I recommend using restart in module packages. Maintainers of
module packages should check the behaviour of their module before
deviating from that.
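
Added example, not part of the original message: one way to do the check mentioned above by hand on Linux is to look in /proc/<pid>/maps for executable mappings whose backing file has been unlinked, which is what remains when a package upgrade replaces a module that a running process never reloaded. The function names and the sample maps lines (including the module path) are constructed for illustration.

```shell
#!/bin/sh
# stale_maps FILE
# FILE is in /proc/<pid>/maps format. Print, once each, every file that is
# mapped executable but has been unlinked on disk ("(deleted)" suffix).
# Non-executable deleted mappings (e.g. shared memory backed by /dev/zero)
# are skipped so that only stale code is reported.
stale_maps() {
    awk '$NF == "(deleted)" && $2 ~ /x/ && $6 ~ /^\// {
             path = $6                      # paths may contain spaces,
             for (i = 7; i < NF; i++)       # so rejoin fields 6..NF-1
                 path = path " " $i
             if (!seen[path]++) print path
         }' "$1"
}

# check_process NAME
# Run stale_maps over every process named NAME (needs root for other users).
check_process() {
    for pid in $(pgrep -x "$1"); do
        out=$(stale_maps "/proc/$pid/maps" 2>/dev/null) || continue
        [ -n "$out" ] && printf 'pid %s still maps:\n%s\n' "$pid" "$out"
    done
    return 0
}

# Constructed sample: what a worker would show if it had NOT reloaded the
# upgraded PHP module, next to mappings that must not be reported.
sample_maps() {
    cat <<'EOF'
7f1a2c000000-7f1a2c7a0000 r-xp 00000000 08:01 131201 /usr/lib/apache2/modules/libphp5.so (deleted)
7f1a2c9a0000-7f1a2ca00000 rw-p 007a0000 08:01 131201 /usr/lib/apache2/modules/libphp5.so (deleted)
7f1a2d000000-7f1a2d020000 r-xp 00000000 08:01 131305 /usr/lib/apache2/modules/mod_ssl.so
7f1a2e000000-7f1a2e010000 rw-s 00000000 00:04 0 /dev/zero (deleted)
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage: sh this-script apache2
if [ $# -gt 0 ]; then
    check_process "$1"
fi
```

No output for a process name after a package upgrade means none of its running processes still executes code from a replaced file.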