Hi everybody.

Consider the following scenario: You have installed and actively use package X. Suppose an exploit is discovered for that package. SuSE provides a fix, and as a good admin you get the new RPM and install the fix. You do this with YaST1, so SuSEconfig is automatically run after installing.

According to YaST, the fix is installed. SuSEconfig ran OK. So it seems that you successfully updated.

But: suppose the package was running when you updated? The running copy, is that (after SuSEconfig did its work) the old vulnerable version, or the new patched version?

I suppose it's different for each kind of program. Something that's spawned by inetd and only runs for a short time gets updated rapidly: the executable is replaced by the package update, and the next time it's spawned by inetd the new executable gets run. On the other end of the spectrum you have the kernel update: after installing the RPM from YaST (and SuSEconfig), you need to reboot, of course.

But how is it with the packages in between? For example, the recent libc update? When does that update take effect? I didn't take any chances and rebooted the machine, but was this necessary? And suppose a proftpd running in daemon mode? After installing a patch, is the running daemon automatically restarted by YaST or SuSEconfig, or is that the admin's work?

I'd really like some info on this. I always stayed on the safe side and restarted things (or even rebooted after a kernel or libc update) manually. But there's nothing in YaST or SuSEconfig that says to reboot or restart a package! So even though you installed that (for example) proftpd patch, an old, vulnerable proftpd is still running, even though YaST and SuSEconfig say the package is successfully updated. In other words: you're still vulnerable, perhaps without realizing it.

Could anybody provide some input on this? When is it necessary to restart a package, or drop to single user mode, or even reboot?

Of course, on production servers you'd like to keep downtime to a minimum, so a simple restart of (e.g.) proftpd is far more preferable to a complete reboot.

--
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military
-*- DVD Decryption at www.stupendous.org -*-
Jurgen,

The short answer is you shouldn't have to know. Every security alert should give complete instructions, including any necessary actions after the software is patched. But unfortunately this doesn't always happen.

I hate to criticise Roman because he is doing a fantastic job churning out all these fixes, but on occasions the instructions aren't as clear as they might be. Maybe SuSE should get a documentation person to review the alerts before they go out. The ideal should be that the alerts are clear to someone who has just bought Linux and doesn't have previous system admin experience. Ambitious, but it ought to be possible.

Regards,
Bob

On Sat, 14 Oct 2000, Jurjen Oskam wrote:

> Hi everybody.
>
> Consider the following scenario:
>
> You have installed and actively use package X. Suppose an exploit is discovered for that package. SuSE provides a fix, and as a good admin you get the new RPM and install the fix. You do this with YaST1, so SuSEconfig is automatically run after installing.
>
> According to YaST, the fix is installed. SuSEconfig ran OK. So it seems that you successfully updated.
>
> But: suppose the package was running when you updated? The running copy, is that (after SuSEconfig did its work) the old vulnerable version, or the new patched version?
>
> ....
==============================================================
Bob Vickers                          R.Vickers@dcs.rhbnc.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhbnc.ac.uk/home/bobv
Phone: +44 1784 443691
On Mon, 16 Oct 2000 15:10:14 +0100 (BST), Bob Vickers

> Jurgen,
  ^ It's not like you heard it wrong or something.. :-)

> The short answer is you shouldn't have to know. Every security alert should give complete instructions including any necessary actions after the software is patched.

OK, that's fine then, for the people that read - and REMEMBER - those messages. Suppose I buy SuSE 7.0 in a few weeks' time. By then I'll have quite a few announcements to read. When YaST says that everything went fine and everything is updated, people might (wrongly) believe that everything is OK now.

I like the feature that some updates send a report to root. Maybe every package should do that: send a mail containing instructions on how to be sure you're RUNNING the patched version, instead of merely having the patched file on disk.

--
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
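One way to perform the check Jurjen asks for in both of his messages (is the running copy the patched one, or only the file on disk?), as an added example that is not from this list, from SuSE or from YaST: a POSIX shell script that reads each process's /proc/PID/maps on Linux and reports files that are still mapped but have been replaced on disk, which the kernel marks with "(deleted)". It covers both the proftpd daemon case and the libc case, since a replaced shared library shows up the same way as a replaced executable; the sample maps content, the function names and the option names are constructed for this example.

```shell
#!/bin/sh
# Added example: find processes still running code that was replaced on disk.
# On Linux, when an update replaces an executable or shared library that a
# running process has mapped, /proc/PID/maps keeps showing the old file with
# a "(deleted)" marker. Those processes execute the old, unpatched code until
# they are restarted (or, for the kernel itself, until a reboot).

# Constructed sample of /proc/PID/maps output for a daemon started before a
# proftpd and libc update (not captured from a real system).
SAMPLE_MAPS='08048000-08060000 r-xp 00000000 03:01 1234 /usr/sbin/proftpd (deleted)
40000000-40100000 r-xp 00000000 03:01 5678 /lib/libc.so.6 (deleted)
40100000-40110000 rw-p 00100000 03:01 5678 /lib/libc.so.6 (deleted)
40110000-40120000 r-xp 00000000 03:01 9999 /lib/libcrypt.so.1
bffe0000-c0000000 rwxp 00000000 00:00 0 [stack]
40200000-40201000 rw-s 00000000 00:04 12 /SYSV00000000 (deleted)'

# stale_maps: read maps content on stdin, print each distinct file that is
# mapped but has been replaced or removed. Skips pseudo-files (SysV shm,
# memfd, /dev) that are legitimately reported as "(deleted)".
stale_maps() {
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev\/|memfd:|SYSV)/ { print $6 }' |
        sort -u
}

# check_process PID: print "PID name: path" for each stale mapping of PID.
check_process() {
    pid=$1
    [ -r "/proc/$pid/maps" ] || return 0
    name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    stale_maps < "/proc/$pid/maps" | while read -r path; do
        printf '%s %s: %s\n' "$pid" "$name" "$path"
    done
}

# scan_all: check every process visible in /proc (run as root to see them all).
scan_all() {
    for d in /proc/[0-9]*; do
        check_process "${d#/proc/}"
    done
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_MAPS" | stale_maps ;;   # the two replaced files
    --scan) scan_all ;;
esac
```

Run it with --scan after installing an update to get the list of daemons to restart; an empty list is only a lower bound, since a process that rereads data files or scripts rather than mapped code is not caught this way.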