> Message: 23
> Date: Tue, 8 Apr 2014 07:08:30 -0400
> From: Steven Tardy <sjt5atra at gmail.com>
> Subject: Re: [CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed
> 	workaround
> To: CentOS mailing list <centos at centos.org>
> Message-ID:
> 	<CAG2k2x9udVEty0BRS+pEj0Hy3Mrt5N7NeCfZZC1r9qyv0M=rvA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Apr 8, 2014 at 2:56 AM, Keith Keller <
> kkeller at wombat.san-francisco.ca.us> wrote:
>
> > On 2014-04-08, Karanbir Singh <kbsingh at centos.org> wrote:
> > >
> > > Earlier in the day today, we were made aware of a serious
> > > issue in openssl as shipped in CentOS-6.5 ( including updates issued
> > > since CentOS-6.5 was released ); This issue is addressed in detail at
> > > http://heartbleed.com/
> >
> > is there an easy way to know which services need to be kicked?
> >
>
> rpm -q --whatrequires openssl
>

That should work, in theory. On one of my machines:

# rpm -q --whatrequires openssl
postfix-2.6.6-2.2.el6_1.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
#

Then try:

# yum remove openssl 2>&1 | grep 'will be erased' | wc -l
421
#

I use this (crude) script to find what processes have files open from an rpm:

----------------------------------------------------------------------
#! /bin/bash -p

# /proc/<pid>/maps of other users' processes is only readable by root.
if [[ "$(whoami)" != "root" ]]; then
    echo "$0: must be root" >&2
    exit 1
fi

if [[ -z "$1" ]]; then
    echo "usage: $0 rpm..." >&2
    exit 1
fi

tmpfile=$(mktemp) || {
    echo "$0: couldn't create temporary file" >&2
    exit 1
}
trap 'rm -f "$tmpfile"' EXIT

# Collect the file list of every package named on the command line.
for rpm in "$@"; do
    if ! rpm -q "$rpm" >/dev/null 2>&1; then
        echo "$0: no such rpm $rpm" >&2
        exit 1
    fi
    rpm -ql "$rpm" >> "$tmpfile"
done

# Match those paths against every process's memory map, reduce the hits to
# unique PIDs, then print executable, PID and command line for each.
grep -F -f "$tmpfile" /proc/*/maps | awk -F/ '{print $3}' | sort -u |
while read -r pid; do
    echo "$(ls -l /proc/$pid/exe | awk '{print $NF}') ($pid) ($(tr '\0' ' ' < /proc/$pid/cmdline))"
done | sort -u
----------------------------------------------------------------------

# ./processes-that-use-files-from-an-rpm openssl
/usr/bin/python (13146) (/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x )
/usr/libexec/mysqld (1626) (/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock )
/usr/sbin/certmonger (1776) (/usr/sbin/certmonger -S -p /var/run/certmonger.pid )
/usr/sbin/httpd (1709) (/usr/sbin/httpd )
/usr/sbin/httpd (20152) (/usr/sbin/httpd )
/usr/sbin/httpd (20153) (/usr/sbin/httpd )
/usr/sbin/httpd (20154) (/usr/sbin/httpd )
/usr/sbin/httpd (20155) (/usr/sbin/httpd )
/usr/sbin/httpd (20156) (/usr/sbin/httpd )
/usr/sbin/httpd (20157) (/usr/sbin/httpd )
/usr/sbin/httpd (20158) (/usr/sbin/httpd )
/usr/sbin/httpd (20159) (/usr/sbin/httpd )
/usr/sbin/httpd (20160) (/usr/sbin/httpd )
/usr/sbin/ntpd (1484) (ntpd -u ntp:ntp -p /var/run/ntpd.pid -g )
/usr/sbin/sendmail.sendmail (1667) (sendmail: accepting connections)
/usr/sbin/sendmail.sendmail (1678) (sendmail: Queue runner at 01:00:00 for /var/spool/clientmqueue)
/usr/sbin/sshd (1456) (/usr/sbin/sshd )
/usr/sbin/sshd (28396) (sshd: root at pts/0 )
#

And depending on this output I restart the services mentioned, or if there
are too many, reboot the box :-)

Regards,

Peter van Hooft
Philips Research
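
A complementary check to the script in the message above, as an added example that is not part of the original post: once the fixed openssl package is installed, a process that was started earlier still maps the replaced library, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The function names, the optional proc-root argument and the sample maps lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread.
# stale_ssl_pids [PROC_ROOT]: print "PID<TAB>path" for each process whose maps
# file references a libssl/libcrypto object the kernel marks "(deleted)".
stale_ssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        # Field 6 is the mapped path; a trailing "(deleted)" field means the
        # file was unlinked or replaced on disk after the process mapped it.
        awk -v pid="$pid" '
            $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ {
                if (!seen[$6]++) printf "%s\t%s\n", pid, $6
            }' "$maps" 2>/dev/null
    done | sort -n
}

# make_sample_proc DIR: build a constructed /proc-like tree (sample data).
make_sample_proc() {
    mkdir -p "$1/1709" "$1/1456" "$1/1484"
    # 1709: started before the update, still maps the replaced libraries.
    cat > "$1/1709/maps" <<'EOF'
7f3a1c000000-7f3a1c061000 r-xp 00000000 fd:00 131234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c061000-7f3a1c260000 ---p 00061000 fd:00 131234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1b800000-7f3a1b9b5000 r-xp 00000000 fd:00 131230 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
    # 1456: restarted after the update, maps the library now on disk.
    cat > "$1/1456/maps" <<'EOF'
7f10a4000000-7f10a41b5000 r-xp 00000000 fd:00 140002 /usr/lib64/libcrypto.so.1.0.1e
EOF
    # 1484: a deleted mapping that has nothing to do with OpenSSL.
    cat > "$1/1484/maps" <<'EOF'
7f55e0000000-7f55e0010000 r-xp 00000000 fd:00 150001 /tmp/scratch.so (deleted)
EOF
}

# Demo on the constructed tree; on a real host run as root: stale_ssl_pids /proc
demo=$(mktemp -d) && make_sample_proc "$demo" && stale_ssl_pids "$demo"
rm -rf "$demo"
```

An empty result after restarting services means no running process still holds the old library; statically linked binaries are not covered by this check.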