-rw-r--r-- | chapter01/changelog.xml | 8 | ||||
-rw-r--r-- | chapter08/openssl.xml | 28 |
2 files changed, 36 insertions, 0 deletions
diff --git a/chapter01/changelog.xml b/chapter01/changelog.xml index 4cf1252c9..614731b11 100644 --- a/chapter01/changelog.xml +++ b/chapter01/changelog.xml @@ -42,6 +42,14 @@ <listitem revision="sysv"> or <listitem revision="systemd"> as appropriate for the entry or if needed the entire day's listitem. --> + <listitem> + <para>2021-05-14</para> + <itemizedlist> + <listitem> + <para>[ken] - Add a Note about upgrading in OpenSSL.</para> + </listitem> + </itemizedlist> + </listitem> <listitem> <para>2021-05-12</para> diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml index 934d5bd83..b96c355f7 100644 --- a/chapter08/openssl.xml +++ b/chapter08/openssl.xml 
@@ -77,6 +77,34 @@ make MANSUFFIX=ssl install</userinput></screen> <screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen> + <note> + <para> + You should update OpenSSL when a new version which fixes vulnerabilities + is announced. The releases run in series, with a letter for each release + after the initial release (e.g. 1.1.1, 1.1.1a, 1.1.1b, etc). Because LFS + installs only the shared libraries, there is no need to recompile packages + which link to <filename class="libraryfile">libcrypto.so</filename> or + <filename class="libraryfile">libssl.so</filename> + <emphasis>when upgrading in the same series.</emphasis> + </para> + + <para> + However, any running programs linked to those libraries need to be stopped + and restarted. The following command, run as + <systemitem class="username">root</systemitem> after udating, will list what is + using the old versions of those libraries: + </para> + +<screen><userinput role="nodump">grep -l -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps | + tr -cd 0-9\\n | xargs -r ps u</userinput></screen> + + <para> + If you used <application>OpenSSH</application> to login to the system, you + need to logout, login again, and rerun that command to confirm nothing is + still using the deleted libraries. + </para> + </note> + </sect2> <sect2 id="contents-openssl" role="content"> |
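Review bot: In the chapter08/openssl.xml hunk, the second paragraph of the new note has a typo, "after udating", which should read "after updating". In the last paragraph "login" and "logout" are used as verbs and would read better as "log in" and "log out". On the command itself, grep reports an error on stderr for any process that exits between the expansion of /proc/*/maps and the read of its maps file. Adding -s to the grep options (or redirecting its stderr to /dev/null) would keep the output limited to the ps listing. The text could also say that empty output means nothing is still mapping the deleted libraries, since xargs -r prints nothing in that case and the reader is asked to rerun the command as a confirmation step.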