SCIENTIFIC-LINUX-USERS Archives

January 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Steven Haigh <[log in to unmask]>
Reply To: Steven Haigh <[log in to unmask]>
Date: Wed, 28 Jan 2015 20:48:42 +1100
On 28/01/2015 8:35 PM, John Rowe wrote:
> I'm sure many people will have seen the recent security update on
> gethostbyname(), etc. Apparently exim can be vulnerable to this.

Yes it is.

> This raises the question: does updating a library package actually
> protect systems from the vulnerability or do daemons continue to use the
> (insecure) version of the library call they linked at start up?

The program (exim in this case) uses a function in the library. It will
continue to use the library that was present when the program started
until you restart the program.

> And indeed, if yum updates a daemon due to security fixes does the
> daemon restart?

By default, package updates won't restart running programs. This is a
manual step.

> If it doesn't protect us is there a practicable way to make sure we are
> genuinely protected short of rebooting the whole system every time there
> is a security update?

Depending on what the update is. If you want to be 100% certain, reboot.
If you don't want to reboot, you can hunt through what programs use
certain libraries using ld - however the effort taken to do this is much
more than a reboot - and probably takes longer.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
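
Added example, not part of the original message or of any Scientific Linux tooling: one way to check, without rebooting, which running processes still have a replaced shared library mapped is to look for executable mappings marked `(deleted)` in `/proc/<pid>/maps`. The sample maps text is constructed, and the names `stale_libraries` and `scan_proc` are hypothetical.

```python
import os
import re

DELETED = " (deleted)"
SO_NAME = re.compile(r"\.so(\.\d+)*$")  # libc-2.12.so, libz.so.1.2.3

# Constructed sample in /proc/<pid>/maps format (not taken from a real host).
SAMPLE_MAPS = """\
00400000-004f1000 r-xp 00000000 fd:00 131 /usr/sbin/exim
7f1c2a000000-7f1c2a18a000 r-xp 00000000 fd:00 262 /usr/lib64/libc-2.12.so (deleted)
7f1c2a18a000-7f1c2a38a000 ---p 0018a000 fd:00 262 /usr/lib64/libc-2.12.so (deleted)
7f1c2a400000-7f1c2a420000 r-xp 00000000 fd:00 270 /usr/lib64/ld-2.12.so
7f1c2a600000-7f1c2a601000 rw-s 00000000 00:04 999 /SYSV00000000 (deleted)
7f1c2a700000-7f1c2a701000 rw-p 00000000 00:00 0
"""

def stale_libraries(maps_text):
    """Return sorted paths of executable .so mappings whose file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # the pathname may itself contain spaces
        if len(fields) < 6:
            continue  # anonymous mapping: no backing file
        perms, path = fields[1], fields[5].rstrip()
        if "x" not in perms or not path.endswith(DELETED):
            continue  # skips non-code mappings such as SysV shared memory
        path = path[: -len(DELETED)]
        if SO_NAME.search(path):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc="/proc"):
    """Map pid -> stale libraries for every process whose maps file is readable."""
    found = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps"), errors="replace") as fh:
                libs = stale_libraries(fh.read())
        except OSError:
            continue  # process exited, or not permitted (run as root for all)
        if libs:
            found[int(entry)] = libs
    return found

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Any process listed is still running code from the library file that the update replaced, and it keeps doing so until that process is restarted.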


