OpenSSL: add a note about upgrading.

1 files changed, 28 insertions, 0 deletions

diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml
index 934d5bd83..b96c355f7 100644
--- a/chapter08/openssl.xml
+++ b/chapter08/openssl.xml
@@ -77,6 +77,34 @@ make MANSUFFIX=ssl install</userinput></screen>
 
 <screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>
 
+    <note>
+      <para>
+        You should update OpenSSL when a new version which fixes vulnerabilities
+        is announced. The releases run in series, with a letter for each release
+        after the initial release (e.g. 1.1.1, 1.1.1a, 1.1.1b, etc). Because LFS
+        installs only the shared libraries, there is no need to recompile packages
+        which link to <filename class="libraryfile">libcrypto.so</filename> or
+        <filename class="libraryfile">libssl.so</filename>
+        <emphasis>when upgrading in the same series.</emphasis>
+      </para>
+
+      <para>
+        However, any running programs linked to those libraries need to be stopped
+        and restarted. The following command, run as
+        <systemitem class="username">root</systemitem> after udating, will list what is
+        using the old versions of those libraries:
+      </para>
+
+<screen><userinput role="nodump">grep -l  -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps |
+   tr -cd 0-9\\n | xargs -r ps u</userinput></screen>
+
+      <para>
+        If you used <application>OpenSSH</application> to login to the system, you
+        need to logout, login again, and rerun that command to confirm nothing is
+        still using the deleted libraries.
+      </para>
+    </note>
+
   </sect2>
 
   <sect2 id="contents-openssl" role="content">