
Re: Security implication of using force-reload instead of restart ?



On Sunday 09 January 2011, Nikita V. Youshchenko wrote:
> I've just noticed that on libapache2-mod-php5 package upgrade,
> apache server was not restarted (but only HUPed because of
> force-reload called from libapache2-mod-php5 postinst)
> 
> Doesn't this mean that running apache has still old version of php
> module loaded, so it still is vulnerable to issues fixed in php
> update?

No. Apache unloads and reloads modules on a graceful restart, unless a 
module takes special measures to prevent that. You can check that 
with lsof or checkrestart. But libapache2-mod-php5's behaviour is not 
optimal for other reasons (see #589386).

> Is this a severity serious bug?
> Perhaps same situation exists with other package combinations as
> well?

Normally I recommend using restart in module packages. Maintainers of 
module packages should check the behaviour of their module before 
deviating from that.
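
One way to perform the lsof-style check mentioned in the reply, as an added example that is not part of the original message: on Linux, a shared object that was replaced on disk while still mapped appears in /proc/<pid>/maps with " (deleted)" appended to its path. The function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# stale_libs: read /proc/<pid>/maps-format text on stdin and print each
# shared object that is still mapped although its file on disk has been
# removed or replaced (the kernel marks such mappings " (deleted)").
stale_libs() {
    awk '
        NF >= 7 && / \(deleted\)$/ {
            # Fields 6..NF-1 form the pathname; it may contain spaces.
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i
            # Report only shared objects (foo.so, foo.so.1.2), once each.
            if (path ~ /\.so(\.[0-9]+)*$/ && !seen[path]++) print path
        }'
}

# check_pid: run the same check against a live process.
check_pid() {
    stale_libs < "/proc/$1/maps"
}

# Constructed sample: an Apache child that still maps the pre-upgrade PHP
# module, an up-to-date module, an anonymous mapping, and a deleted
# non-library mapping that must not be reported.
sample_maps() {
    cat <<'EOF'
7f1c2a000000-7f1c2a7a0000 r-xp 00000000 08:01 131099 /usr/lib/apache2/modules/libphp5.so (deleted)
7f1c2a9a0000-7f1c2aa40000 rw-p 007a0000 08:01 131099 /usr/lib/apache2/modules/libphp5.so (deleted)
7f1c2b000000-7f1c2b020000 r-xp 00000000 08:01 131200 /usr/lib/apache2/modules/mod_ssl.so
7f1c2c000000-7f1c2c021000 rw-p 00000000 00:00 0
7f1c2d000000-7f1c2d001000 rw-s 00000000 00:05 4242 /dev/zero (deleted)
EOF
}

sample_maps | stale_libs
```

Empty output from check_pid for every Apache process after the package upgrade means no stale copy of a module is still loaded; reading another user's /proc/<pid>/maps normally requires root.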

