
Thread: Restarting after a security update...?

  1. #1
    vdboor NNTP User

    Restarting after a security update...?

    I've always learned there isn't a need to restart a Linux system when a security update is done, only the relevant services.

    Today I received an update to glib (CVE-2008-4316). Which things do I need to restart?

    Since zypper doesn't mention anything about this, my guess is most people just apply the patch and go on (keeping the vulnerable library versions in memory?)

  2. #2
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: Restarting after a security update...?

    Any process that uses glib. You can get a process list by

    Code:
    lsof | grep -w libglib

  3. #3
    vdboor NNTP User

    Re: Restarting after a security update...?

    Thanks, that seems to be what I'm looking for.

    On a related note, I think it would be cool if zypper automatically mentioned which apps need a restart..

  4. #4
    Join Date: Sep 2008 | Location: Dubai | Posts: 1,770

    Re: Restarting after a security update...?

    zypper or any other program can not accurately determine that. A security update may be just updating a configuration file that may have been already read in by a running program to create some vulnerable memory structure.

    I think, yast advises you to re-boot only when kernel or any loaded driver is updated.
    openSUSE 12.3 (x86_64) with Kernel 3.7.10-1.16-desktop and KDE 4.11.2 on MacBook Pro
    Latest MS Windows version used: Win95

  5. #5
    vdboor NNTP User

    Re: Restarting after a security update...?

    Quote (originally posted by syampillai):
        zypper or any other program can not accurately determine that. A security update may be just updating a configuration file that may have been already read in by a running program to create some vulnerable memory structure.

    I'd say something is better than nothing... Users are now left in the dark believing that running the update applet fixed their security problems...

    Quote:
        I think, yast advises you to re-boot only when kernel or any loaded driver is updated.

    Correct, and for a good reason: if you plug in a new device, the kernel can't find the old modules anymore in /lib/modules/...

  6. #6
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: Restarting after a security update...?

    If an update changes the kernel, the user is notified to restart.

    If an update changes a service, that service is restarted. This may however leave running instances of the service still using the old code. But it's not a good idea to kill those automatically. Imagine an update killing your ssh session from a remote location.

    If an update changes a dynamic library, apps that are still using the old library will continue to link to the old, deleted library. Again, it's not desirable to kill those automatically, it may be too disruptive.

    If an update changes an app, then running instances may be affected. E.g. the last Firefox update made the running browser window unusable because xulrunner changed.

    So there is still a window of vulnerability. But certainly it's better than before the update. It's a tradeoff between security and disruptiveness. Restarting after every update should cover the situation, but that is too drastic. That is why some updates have a message for the user. In the case of glib, this was a widely used library so the user was asked to exercise some judgement.

    Most desktop users will be shutting down after the current session. Server admins are supposed to have enough brains to decide what to do.

    Perhaps some day someone will write a program to scan the processes and loaded dynamic libraries and suggest to the user what to do. This could be put in the post-install action of the package. Might make a nice software project for somebody.
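
The scanner imagined in the post above can be sketched from /proc: a process whose /proc/PID/maps still lists an executable file mapping marked "(deleted)" is running code that an update has since replaced on disk. This is an added example, not part of the original thread; the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Read /proc/PID/maps text on stdin and print each file that is mapped
# executable but has been unlinked (the kernel appends "(deleted)").
# Shared-memory and memfd mappings are skipped: they are not package files.
stale_mappings() {
    awk '$2 ~ /x/ && $NF == "(deleted)" && $6 ~ /^\// &&
         $6 !~ /^\/(dev\/|SYSV|memfd:)/ {
        path = $6                                  # rebuild paths containing spaces
        for (i = 7; i < NF; i++) path = path " " $i
        if (!(path in seen)) { seen[path] = 1; print path }
    }'
}

# Walk every process and print "PID<TAB>name<TAB>stale file".
# Without root, only your own processes have readable maps files.
scan_stale_processes() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        libs=$( { stale_mappings < "$dir/maps"; } 2>/dev/null ) || continue
        [ -n "$libs" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        printf '%s\n' "$libs" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$name" "$lib"
        done
    done
}

# Constructed sample of one process's maps file after a glib update.
SAMPLE_MAPS='00400000-0040b000 r-xp 00000000 08:02 1311 /usr/bin/example-app
7f10a0000000-7f10a00e6000 r-xp 00000000 08:02 2622 /usr/lib64/libglib-2.0.so.0 (deleted)
7f10a00e6000-7f10a02e5000 ---p 000e6000 08:02 2622 /usr/lib64/libglib-2.0.so.0 (deleted)
7f10a02e5000-7f10a02e7000 rw-p 000e5000 08:02 2622 /usr/lib64/libglib-2.0.so.0 (deleted)
7f10a1000000-7f10a1180000 r-xp 00000000 08:02 2700 /lib64/libc.so.6
7f10a2000000-7f10a2001000 rw-s 00000000 00:04 3344 /SYSV00000000 (deleted)
7f10a3000000-7f10a3001000 r-xp 00000000 00:01 4455 /memfd:jit (deleted)
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]'

# Demonstration on the constructed sample; on a live system call
# scan_stale_processes instead (as root to cover all processes).
printf '%s\n' "$SAMPLE_MAPS" | stale_mappings
```

A stale mapping only says the process has not been restarted since the file was replaced; as noted earlier in the thread, it cannot detect a process that read an updated configuration file before the update.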

  7. #7

    Re: Restarting after a security update...?

    hehe what about suspend/hibernate.

    Correct me if I'm wrong but doesn't the above reinstate the old libs and apps? If so I wonder how many people are oblivious to that.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  8. #8
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: Restarting after a security update...?

    I think your computer has got to be alive to receive an update and as far as I know there is only one suspended image, the last one, which is deactivated when the resume is successful.

  9. #9

    Re: Restarting after a security update...?

    I realised it had to be live to update.

    What I was asking/presuming: doesn't it keep the old libs in the image? So without the reboot it won't use the new libs/apps anyway, i.e. you resume the old image without the updates as such.

    More a question than a know, I'm still way too hazy about this resume suspend stuff.

  10. #10
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,686 | Blog Entries: 4

    Re: Restarting after a security update...?

    Well a resume isn't a time machine. You wouldn't want to be transported back to a state where your edits are backed out. It just does what it says, it resumes things from the point of the suspend. The suspend takes a snapshot at the point you hit the sleep button. When you resume, the flag is cleared and the image cannot be used to resume again, preventing you from being transported back in time. The resume partition is usually the swap partition so it might be overwritten with use anyway.
