Hi Fredrik,

On Tue, Apr 08, 2014 at 04:01:37PM +0000, Fredrik Jonson wrote:
> Hi,
>
> After upgrading the packages in DSA 2896-2 (openssl security update),
> the second version, 1.0.1e-2+deb7u6, that detects services to restart, I
> noted that the postinst script didn't suggest that I should restart
> apache2.
>
> As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and
> could be affected by CVE-2014-0160. Correct?
>
> I note that the postinst script in libssl1.0.0 searches for the virtual
> package apache2-common which is not installed on my servers.
>
> Is this a bug in the postinst script, or is apache2 not affected, or is
> it a user error to not have the virtual package installed?
>
> BTW, thanks to all involved in Debian's rapid response to this CVE!

Yes, this is unfortunately a bug in that part of the libssl1.0.0 postinst!
apache2 is also affected and should be restarted after the openssl
update.

Salvatore
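Because the postinst's package-name lookup can miss a service, as it did with apache2 here, a check that does not rely on package names is to look for processes that still map the replaced library. The script below is an added example, not part of this thread or of Debian's postinst; the function names are hypothetical, and it assumes the Linux behaviour of marking a replaced library as "(deleted)" in /proc/<pid>/maps.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that still map a
# libssl/libcrypto file replaced on disk by a package upgrade.
# Assumption: the kernel shows the old, unlinked library in
# /proc/<pid>/maps with a trailing "(deleted)" marker.

# has_stale_openssl MAPS_FILE
# Returns 0 if MAPS_FILE lists a deleted libssl or libcrypto mapping.
has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_openssl_pids [PROC_ROOT]
# Prints "PID COMMAND" for each process still running the old library.
# PROC_ROOT defaults to /proc; it is a parameter so the check can be
# exercised against a constructed directory tree.
stale_openssl_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # Skip entries that vanished or that we are not allowed to read.
        [ -r "$dir/maps" ] || continue
        if has_stale_openssl "$dir/maps"; then
            pid=${dir##*/}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Scan the live system when run as a script (optional PROC_ROOT argument).
stale_openssl_pids "$@"
```

Run it as root after the upgrade so that every process's maps file is readable; each service it lists needs a restart to load the fixed library.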