OpenSSL: add a note about upgrading.

2025-01-31 11:21:59 +00:00 · 2021-05-14 16:41:52 +01:00 · 2021-05-14 16:41:52 +01:00 · 6df63e484f
commit 6df63e484f
parent 7836185415
2 changed files with 36 additions and 0 deletions
--- a/chapter01/changelog.xml
+++ b/chapter01/changelog.xml
@ -42,6 +42,14 @@
    <listitem revision="sysv"> or <listitem revision="systemd"> as
    appropriate for the entry or if needed the entire day's listitem.
    -->
+    <listitem>
+      <para>2021-05-14</para>
+      <itemizedlist>
+        <listitem>
+          <para>[ken] - Add a Note about upgrading in OpenSSL.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>

    <listitem>
      <para>2021-05-12</para>
--- a/chapter08/openssl.xml
+++ b/chapter08/openssl.xml
@ -77,6 +77,34 @@ make MANSUFFIX=ssl install</userinput></screen>

 <screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>

+    <note>
+      <para>
+        You should update OpenSSL when a new version which fixes vulnerabilities
+        is announced. The releases run in series, with a letter for each release
+        after the initial release (e.g. 1.1.1, 1.1.1a, 1.1.1b, etc). Because LFS
+        installs only the shared libraries, there is no need to recompile packages
+        which link to <filename class="libraryfile">libcrypto.so</filename> or
+        <filename class="libraryfile">libssl.so</filename>
+        <emphasis>when upgrading in the same series.</emphasis>
+      </para>
+
+      <para>
+        However, any running programs linked to those libraries need to be stopped
+        and restarted. The following command, run as
+        <systemitem class="username">root</systemitem> after udating, will list what is
+        using the old versions of those libraries:
+      </para>
+
+<screen><userinput role="nodump">grep -l  -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps |
+   tr -cd 0-9\\n | xargs -r ps u</userinput></screen>
+
+      <para>
+        If you used <application>OpenSSH</application> to login to the system, you
+        need to logout, login again, and rerun that command to confirm nothing is
+        still using the deleted libraries.
+      </para>
+    </note>
+
  </sect2>

  <sect2 id="contents-openssl" role="content">