Hi everybody.

Consider the following scenario: You have installed and actively use package X. Suppose an exploit is discovered for that package. SuSE provides a fix, and as a good admin you get the new RPM and install the fix. You do this with YaST1, so SuSEconfig is automatically run after installing. According to YaST, the fix is installed. SuSEconfig ran OK. So everything looks as though you successfully updated.

But: suppose the package was running when you updated? The running copy, is that (after SuSEconfig did its work) the old vulnerable version, or the new patched version?

I suppose it's different for each kind of program. Something that's spawned by inetd and only runs for a short time gets updated rapidly: the executable is replaced by the package update and the next time it's spawned by inetd the new executable gets run. On the other end of the spectrum you have the kernel update: after installing the RPM from YaST (and SuSEconfig), you need to reboot, of course.

But how is it with the packages in between? For example, the recent libc update? When does that update take effect? I didn't take any chances and rebooted the machine, but was this necessary? And what about a proftpd running in daemon mode? After installing a patch, is the running daemon automatically restarted by YaST or SuSEconfig, or is that the admin's work?

I'd really like some info on this. I always stayed on the safe side and restarted things (or even rebooted with a kernel or libc update) manually. But there's nothing in YaST or SuSEconfig that says to reboot or restart a package! So even though you installed that (for example) proftpd patch, an old, vulnerable proftpd is still running, even though YaST and SuSEconfig say the package is successfully updated. In other words: you're still vulnerable, perhaps without realizing it.

Could anybody provide some input on this? When is it necessary to restart a package, or drop to single user mode, or even reboot?
Of course, on production servers you'd like to keep downtime to a minimum, so a simple restart of (e.g.) proftpd is far more preferable to a complete reboot.

end

-- 
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military
-*- DVD Decryption at www.stupendous.org -*-
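The question above (which running processes are still executing the old binary or the old libc after an RPM update) can be answered from the kernel's own view of each process rather than from what YaST reports. When rpm installs a replacement file it creates a new inode and unlinks the old one, so any process that still has the old executable or shared library mapped shows that mapping in /proc/PID/maps with a "(deleted)" suffix until it is restarted. The script below is an added example written for this page, not something from the original post or from SuSE; the function and variable names are hypothetical, and it assumes a Linux /proc with the usual maps format. It does not cover the kernel itself, which can only be replaced by rebooting.

```sh
#!/bin/sh
# Added example (not part of the original post): list processes that still
# map files the package manager has since replaced or removed.
#
# /proc/PID/maps lines look like:
#   address           perms offset   dev   inode  pathname
#   40000000-40100000 r-xp  00000000 08:01 456    /lib/libc.so.6 (deleted)
# The "(deleted)" marker means the inode backing that mapping is no longer
# linked into the filesystem, i.e. the process runs code from an old copy.

# Read one process's maps content from stdin and print each distinct
# pathname the kernel marks "(deleted)", one per line, sorted.
deleted_mappings() {
    awk '/ \(deleted\)$/ {
        # Drop the five fixed columns; keep the pathname intact even if it
        # contains spaces, then strip the trailing marker.
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "")
        sub(/ \(deleted\)$/, "")
        print
    }' | sort -u
}

# Walk every PID in /proc and report those with stale mappings:
#   PID <tab> command line
#   <tab> /path/that/was/replaced
# Processes whose maps cannot be read (not root) are silently skipped.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(deleted_mappings < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        printf '%s\t%s\n' "$pid" "${cmd:-?}"
        printf '%s\n' "$stale" | sed 's/^/	/'
    done
}

# Run the scan only when invoked as: sh stale-maps.sh --scan
# (so the functions can also be sourced and used individually).
case "${1-}" in
    --scan) report_stale_processes ;;
esac
```

Run it as root right after the update; every PID it lists is still executing the pre-update code and needs a restart (or, for libc, it is usually simpler to restart the listed daemons one by one than to reboot). A process that shows no deleted mappings has either been restarted already or never used the updated files. The same information is available from `lsof` on systems that have it, but reading /proc directly needs nothing beyond the base system.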