Message: 23
Date: Tue, 8 Apr 2014 07:08:30 -0400
From: Steven Tardy sjt5atra@gmail.com
Subject: Re: [CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
To: CentOS mailing list centos@centos.org
Message-ID: CAG2k2x9udVEty0BRS+pEj0Hy3Mrt5N7NeCfZZC1r9qyv0M=rvA@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Apr 8, 2014 at 2:56 AM, Keith Keller <kkeller@wombat.san-francisco.ca.us> wrote:
On 2014-04-08, Karanbir Singh kbsingh@centos.org wrote:
Earlier in the day today, we were made aware of a serious issue in openssl as shipped in CentOS-6.5 ( including updates issued since CentOS-6.5 was released ); This issue is addressed in detail at http://heartbleed.com/
is there an easy way to know which services need to be kicked?
rpm -q --whatrequires openssl
That should work, in theory.
On one of my machines:

    # rpm -q --whatrequires openssl
    postfix-2.6.6-2.2.el6_1.x86_64
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    #

Then try:

    # yum remove openssl 2>&1 | grep 'will be erased' | wc -l
    421
    #
I use this (crude) script to find what processes have files open from an rpm:
----------------------------------------------------------------------
#! /bin/bash -p

# List the processes that have files from the given rpm(s) mapped.

if [[ "$(whoami)" != "root" ]]; then
    echo "$0: must be root" >&2
    exit 1
fi
if [[ -z "$1" ]]; then
    echo "usage: $0 rpm..." >&2
    exit 1
fi
tmpfile=$(mktemp) || {
    echo "$0: couldn't create temporary file" >&2
    exit 1
}
trap 'rm -f "$tmpfile"' EXIT

# Collect the file list of every named package.
for rpm in "$@"; do
    if ! rpm -q "$rpm" >/dev/null 2>&1; then
        echo "$0: no such rpm $rpm" >&2
        exit 1
    fi
    rpm -ql "$rpm" >> "$tmpfile"
done

# Match those paths against every process's memory map, then print the
# executable, pid and command line of each matching process.
grep -F -f "$tmpfile" /proc/*/maps |
    awk -F/ '{print $3}' |
    sort -u |
    while read -r pid; do
        echo "$(ls -l "/proc/$pid/exe" | awk '{print $NF}') ($pid) ($(tr '\0' ' ' < "/proc/$pid/cmdline"))"
    done | sort -u
----------------------------------------------------------------------

    # ./processes-that-use-files-from-an-rpm openssl
    /usr/bin/python (13146) (/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x )
    /usr/libexec/mysqld (1626) (/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock )
    /usr/sbin/certmonger (1776) (/usr/sbin/certmonger -S -p /var/run/certmonger.pid )
    /usr/sbin/httpd (1709) (/usr/sbin/httpd )
    /usr/sbin/httpd (20152) (/usr/sbin/httpd )
    /usr/sbin/httpd (20153) (/usr/sbin/httpd )
    /usr/sbin/httpd (20154) (/usr/sbin/httpd )
    /usr/sbin/httpd (20155) (/usr/sbin/httpd )
    /usr/sbin/httpd (20156) (/usr/sbin/httpd )
    /usr/sbin/httpd (20157) (/usr/sbin/httpd )
    /usr/sbin/httpd (20158) (/usr/sbin/httpd )
    /usr/sbin/httpd (20159) (/usr/sbin/httpd )
    /usr/sbin/httpd (20160) (/usr/sbin/httpd )
    /usr/sbin/ntpd (1484) (ntpd -u ntp:ntp -p /var/run/ntpd.pid -g )
    /usr/sbin/sendmail.sendmail (1667) (sendmail: accepting connections)
    /usr/sbin/sendmail.sendmail (1678) (sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue)
    /usr/sbin/sshd (1456) (/usr/sbin/sshd )
    /usr/sbin/sshd (28396) (sshd: root@pts/0 )
    #
And depending on this output I restart the services mentioned, or if there are too many, reboot the box :-)
Regards,
Peter van Hooft
Philips Research
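
An added example, not part of the thread and not the script posted above: a narrower check for the "which services need to be kicked" question. It lists only processes that still map a replaced copy of libssl or libcrypto, which /proc/<pid>/maps marks with "(deleted)" once the updated package is installed. The function names, the default regex and the sample maps data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). After an updated library package is
# installed, a process started earlier keeps the old, unlinked file mapped;
# /proc/<pid>/maps then shows the path followed by "(deleted)".

# stale_lib_pids [PROC_ROOT] [LIB_REGEX]
# Prints "pid<TAB>path" for every process under PROC_ROOT that still maps a
# deleted file whose path matches LIB_REGEX (awk extended regex).
stale_lib_pids() (
    proc_root=${1:-/proc}
    lib_re=${2:-'/lib(ssl|crypto)[^/]*[.]so'}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        # maps fields: address perms offset dev inode path ["(deleted)"]
        awk -v pid="$pid" -v re="$lib_re" '
            $NF == "(deleted)" && $6 ~ re && !seen[$6]++ {
                printf "%s\t%s\n", pid, $6
            }' "$maps" 2>/dev/null
    done | sort -n
)

# make_sample_proc DIR: build a constructed /proc-like tree for offline use.
# PIDs, addresses and inode numbers are made up.
make_sample_proc() {
    mkdir -p "$1/1709" "$1/1456" "$1/1484"
    # httpd started before the update: old libssl and libcrypto still mapped
    cat > "$1/1709/maps" <<'EOF'
7f10a0000000-7f10a0060000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f10a0060000-7f10a0260000 ---p 00060000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
7f10a1000000-7f10a11b0000 r-xp 00000000 fd:00 1312 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
    # sshd restarted after the update: current file, no "(deleted)" marker
    cat > "$1/1456/maps" <<'EOF'
7f20b0000000-7f20b01b0000 r-xp 00000000 fd:00 2411 /usr/lib64/libcrypto.so.1.0.1e
EOF
    # ntpd with an unrelated deleted mapping: must not be reported
    cat > "$1/1484/maps" <<'EOF'
7f30c0000000-7f30c0001000 rw-s 00000000 00:04 98 /SYSV00000000 (deleted)
EOF
}

# Run against the live system when called with arguments, e.g.: sh script /proc
if [ "$#" -gt 0 ]; then stale_lib_pids "$@"; fi
```

Run as root against /proc so that every process's maps file is readable; an empty result after restarting services means no running process still holds the old library.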