Secure testing commits - Aug 2005 - r1735 - data/DTSA

Author: joeyh
Date: 2005-08-30 13:27:58 +0000 (Tue, 30 Aug 2005)
New Revision: 1735

Modified:
   data/DTSA/DTSA-10-1
Log:
improve upgrade instructions


Modified: data/DTSA/DTSA-10-1
==================================================================---
data/DTSA/DTSA-10-1	2005-08-30 13:20:33 UTC (rev 1734)
+++ data/DTSA/DTSA-10-1	2005-08-30 13:27:58 UTC (rev 1735)
@@ -38,14 +38,17 @@
 The archive signing key can be downloaded from
 http://secure-testing.debian.net/ziyi-2005-7.asc
 
+Before installing the update, please note that you will need to restart all
+daemons that link with libpcre3 for the security fix to be used. Either
+reboot your machine after the upgrade, or make a list of processes that are
+using libpcre3, and restart them after the upgrade. To generate the list,
+run this command before you upgrade:
+
+lsof /usr/lib/libpcre.so.3
+
 To install the update, run this command as root:
 
 apt-get update && apt-get install libpcre3
 
-Note that after the upgrade, any daemons (exim, apache) that use libpcre3
-will remain running with the old vulnerable version. Either reboot your
-system after the upgrade or use the command "lsof
/usr/lib/libpcre.so.3" to
-list programs using libpcre3, and manually restart them.
-
 For further information about the Debian testing security team, please refer
 to http://secure-testing.debian.net/

Joey Hess wrote:
> +Before installing the update, please note that you will need to restart
all
Shouldn''t that be AFTER installing the update? I think this is intended
as ''read this before installing the update:'', but its also
easily read
as ''restart daemons before upgrading this lib''. Its restated
below, but
should still be fixed.
> +daemons that link with libpcre3 for the security fix to be used. Either
> +reboot your machine after the upgrade, or make a list of processes that
are
> +using libpcre3, and restart them after the upgrade. To generate the list,
> +run this command before you upgrade:
> +
> +lsof /usr/lib/libpcre.so.3
This is not guaranteed to work. In particular, a previous upgrade could
have left a daemon using an unlinked copy of the library.

Suggested re-wording:

After installing this upgrade you will need to restart all daemons that
link with libpcre for the security fix to take effect. Either reboot
your machine after the upgrade or restart the daemons by hand. You can
determine which daemons are affected via the checkrestart command (part
of the debian-goodies package) or by running, as root:
    lsof +L1 | grep libpcre.so.3

Joey Hess wrote:
> +Before installing the update, please note that you will need to restart
all
Shouldn''t that be AFTER installing the update? I think this is intended
as ''read this before installing the update:'', but its also
easily read
as ''restart daemons before upgrading this lib''. Its restated
below, but
should still be fixed.
> +daemons that link with libpcre3 for the security fix to be used. Either
> +reboot your machine after the upgrade, or make a list of processes that
are
> +using libpcre3, and restart them after the upgrade. To generate the list,
> +run this command before you upgrade:
> +
> +lsof /usr/lib/libpcre.so.3
This is not guaranteed to work. In particular, a previous upgrade could
have left a daemon using an unlinked copy of the library.

Suggested re-wording:

After installing this upgrade you will need to restart all daemons that
link with libpcre for the security fix to take effect. Either reboot
your machine after the upgrade or restart the daemons by hand. You can
determine which daemons are affected via the checkrestart command (part
of the debian-goodies package) or by running, as root:
    lsof +L1 | grep libpcre.so.3