diff --git a/chapter01/changelog.xml b/chapter01/changelog.xml index 87525b31b..23e8dbe6d 100644 --- a/chapter01/changelog.xml +++ b/chapter01/changelog.xml @@ -44,6 +44,14 @@ or as appropriate for the entry or if needed the entire day's listitem. --> + + 2021-05-14 + + + [ken] - Add a Note about upgrading in OpenSSL. + + + 2021-05-12 diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml index 7b859b15f..687813ea6 100644 --- a/chapter08/openssl.xml +++ b/chapter08/openssl.xml @@ -77,6 +77,34 @@ make MANSUFFIX=ssl install cp -vfr doc/* /usr/share/doc/openssl-&openssl-version; + + + You should update OpenSSL when a new version which fixes vulnerabilities + is announced. The releases run in series, with a letter for each release + after the initial release (e.g. 1.1.1, 1.1.1a, 1.1.1b, etc). Because LFS + installs only the shared libraries, there is no need to recompile packages + which link to libcrypto.so or + libssl.so + when upgrading in the same series. + + + + However, any running programs linked to those libraries need to be stopped + and restarted. The following command, run as + root after udating, will list what is + using the old versions of those libraries: + + +grep -l -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps | + tr -cd 0-9\\n | xargs -r ps u + + + If you used OpenSSH to login to the system, you + need to logout, login again, and rerun that command to confirm nothing is + still using the deleted libraries. + + +