
Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?



Hi,

I can confirm this behaviour. In addition I am quite sure that apache2 is affected because I have tested it with the heartbleed check (http://heartbleed.com) directly after the security update and it was still vulnerable. After I restarted apache2 manually the vulnerability was gone. 

Regards,

Felix

> -----Original Message-----
> From: Fredrik Jonson [mailto:fredrik@jonson.org]
> Sent: Tuesday, 08 April 2014 18:02
> To: debian-security@lists.debian.org
> Subject: DSA 2896-2 openssl - Apache 2 not detected as service to restart by
> postinst?
> 
> Hi,
> 
> After upgrading the packages in DSA 2896-2 (openssl security update), the
> second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted
> that the postinst script didn't suggest that I should restart apache2.
> 
> As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and could
> be affected by CVE-2014-0160. Correct?
> 
> I note that the postinst script in libssl1.0.0 searches for the virtual package
> apache2-common which is not installed on my servers.
> 
> Is this a bug in the postinst script, or is apache2 not affected, or is it a user
> error to not have the virtual package installed?
> 
> BTW, thanks to all involved in Debian's rapid response to this CVE!
> --
> Fredrik Jonson


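An added example, not part of the original thread and not the Debian postinst script: the behaviour reported above (apache2 staying vulnerable until restarted) can be checked for any service by looking for libssl/libcrypto mappings marked "(deleted)" in /proc/<pid>/maps. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the pre-upgrade OpenSSL.
# After dpkg replaces a library, running processes keep the old file mapped
# and /proc/<pid>/maps marks that mapping "(deleted)".

# Constructed sample of /proc/<pid>/maps lines (not from a real host).
sample_maps() {
cat <<'EOF'
7f3a1c000000-7f3a1c058000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5d0000 r-xp 00000000 08:01 393299 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1a0000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
}

# Read maps-formatted text on stdin; print each deleted libssl/libcrypto path once.
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' | sort -u
}

# Walk a proc-style directory (default /proc) and print "pid<TAB>name<TAB>libs"
# for every process with a stale mapping. Run as root to see all processes.
scan_proc() {
    procdir=${1:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_ssl_libs < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        name=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$name" "$(echo "$libs" | paste -s -d, -)"
    done
}

# Demo on the constructed sample; on a real host call: scan_proc
sample_maps | stale_ssl_libs
```

Any process that scan_proc lists is still executing the old library code and needs a restart before the upgrade takes effect for it.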