[BlueOnyx:15131] Re: OpenSSL (CentOS-6.5/SL-6.5) CVE-2014-0160

Michael Stauber mstauber at blueonyx.it
Tue Apr 8 10:34:29 -05 2014


Hi Chris,

> While I'm not arguing, some of us really have an aversion to rebooting
> production systems. Therefore, I think the following can be cut &
> pasted into a shell and achieve adequate results:
> 
> yum clean all
> yum -y update
> service httpd restart
> service admserv restart
> service sendmail restart
> service dovecot restart
> 
> 
> That should take care of everything, right?

Not entirely. It's missing the xinetd restart. Proftpd uses TLS/SSL as well.

> Maybe the service restarts can be added into our 
> own yum repo for 5107/5108R so that even those of
> us who are not very active on the list, but have
> the automatic updates enabled, should get the 
> benefit in the next day or so.

I'm torn on that, Chris. I'm very averse to reboots, too. After
updating I just rebooted every VPS and master node that was running an
EL6 clone. Bye bye massive uptime, this time it's better to be safe than
sorry. I'm going even one step further. I'll change all my SSH keys as
well. On each and every box. They could have been leaked. And I'll get
new SSL certificates for a couple of the more critical sites. I might be
paranoid on this, but this time it's probably warranted.

As for adding a restart of services: That is a bit problematic in my
experience. The updates usually run when the logrotate runs as well. Not
always, but lots of people have it that way. Throwing in an Apache
restart at that time might not bring back Apache. So tomorrow the list
would be flooded with complaints about why this or that service didn't
work "after last night's update".

-- 
With best regards

Michael Stauber
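Since the question in this thread is which daemons still have to be restarted after the OpenSSL update (and whether a reboot can be avoided), here is an added example, not code from Chris's or Michael's mail, that lists the processes still holding the pre-update libssl/libcrypto instead of relying on a fixed restart list. It assumes Linux /proc semantics (a mapped file that was replaced on disk shows as "(deleted)" in /proc/PID/maps) and runs against a constructed stand-in for /proc; the PIDs, process names and library paths in it are sample data.

```shell
#!/bin/sh
# Added example, not from the original thread. After "yum update" replaces
# OpenSSL, a daemon that mapped the OLD libssl/libcrypto keeps running the
# vulnerable code until restarted; the kernel marks such mappings "(deleted)"
# in /proc/PID/maps, so we can list exactly which services still need a restart.

# stale_ssl_pids PROC_ROOT : print "PID COMM" for each process whose maps still
# reference a deleted libssl/libcrypto. PROC_ROOT is /proc on a live system; it
# is a parameter so the function can be run against the constructed tree below.
stale_ssl_pids() {
    proc_root="$1"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps"; then
            pid_dir=${maps%/maps}
            comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
            echo "${pid_dir##*/} $comm"
        fi
    done
}

# build_demo_tree : constructed stand-in for /proc (sample data, not real).
# httpd still maps the deleted (pre-update) libs; sshd was started after the
# update and maps the new file; bash never loaded OpenSSL at all.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1234" "$root/2345" "$root/3456"
    printf 'httpd\n' > "$root/1234/comm"
    cat > "$root/1234/maps" <<'EOF'
7f0000000000-7f0000010000 r-xp 00000000 fd:00 1001 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0000100000-7f0000200000 r-xp 00000000 fd:00 1002 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
    printf 'sshd\n' > "$root/2345/comm"
    cat > "$root/2345/maps" <<'EOF'
7f0000000000-7f0000010000 r-xp 00000000 fd:00 2001 /usr/lib64/libssl.so.1.0.1e
EOF
    printf 'bash\n' > "$root/3456/comm"
    cat > "$root/3456/maps" <<'EOF'
7f0000000000-7f0000010000 r-xp 00000000 fd:00 3001 /lib64/libc-2.12.so
EOF
    echo "$root"
}

demo=$(build_demo_tree)
stale_ssl_pids "$demo"    # prints: 1234 httpd
rm -rf "$demo"
# On a real EL6 box: stale_ssl_pids /proc   (run as root to read every process)
```

Anything the script lists is still serving with the vulnerable library, so it catches the xinetd/proftpd case Michael mentions as well as any daemon nobody thought to put in the restart list; an empty result after the restarts is the check that the reboot-free route actually worked.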
