I keep my machines all patched with the latest updates from
security.debian.org. But sometimes, a simple
apt-get update && apt-get dist-upgrade is not enough, particularly
when system libraries are being upgraded (e.g. the latest openssl
vulnerability, DSA 1173). In this situation, running processes could
have loaded copies of the old libraries, so they wouldn't get the
benefits of the old version. as DSA 1173 says:
Note that services linking against the openssl shared libraries will need to be restarted. Common examples of such services include most Mail Transport Agents, SSH servers, and web servers.
So after an upgrade, it's important to check that the affected services are really restarted. The best way i've found so far is to check what deleted files are currently being held open by any process. I use lsof to look at this:
root@serverX:~# lsof | grep 'path inode'apache2 9255 www-data mem REG 3,3 725883 /usr/lib/i686/cmov/libssl.so.0.9.7 (path inode=725841)apache2 9255 www-data mem REG 3,3 725770 /usr/lib/i686/cmov/libcrypto.so.0.9.7 (path inode=725839)root@serverX:~#
(note: i've excised some lines of the actual output for brevity)
I think the files that lsof lists with the (path inode=NNNN) designation
are files being held open by the system after having been removed or
replaced. So seeing the above output lets me know that i need to restart
apache2 on this particular server. Otherwise, apache2 is still
vulnerable to the openssl vulnerability, despite having the updated
version installed on the system.
Try running this on one of your own systems. You might be surprised at the services in want of an upgrade, especially if you tracked the latest r3 of sarge, with its glibc upgrade.
i'm not convinced that my lsof|grep filter is the best way to look up this information, but it seems to work for me. I'd be interested to know if other people have better ways to check on the same situation.