A security announcement was made regarding two vulnerabilities in OpenSSL: https://www.openssl.org/news/secadv/20210325.txt. Both vulnerabilities have received the 'high' severity rating from OpenSSL.
Patches were installed from debian-security: see https://security-tracker.debian.org/tracker/CVE-2021-3449 and https://security-tracker.debian.org/tracker/CVE-2021-3450. However, in order to ensure the changes are propagated to processes using libssl.so, services depending on the binaries must be restarted.
Affected processes (list may be incomplete):
- glusterfs (as in the client, as found on MediaWiki servers)
- kvm (on proxmox hosts)
- node (citoid, restbase, proton)
- python3 (presumably adminlogbot, ircrcbot and icinga2-irclog)
- systemd (restarting the init process is equal to rebooting the server, obviously)
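A quick way to find processes that still have the pre-patch library mapped, as an added example that is not part of this task; it assumes a Linux /proc layout and needs root to inspect every process:

```shell
# Added example (not from the original task): list processes that still map a
# libssl/libcrypto file that dpkg has since replaced. After the upgrade the old
# file is unlinked, so /proc/<pid>/maps shows that mapping tagged "(deleted)".
# Assumes a Linux /proc; run as root to see processes of all users.

# stale_libs: read one /proc/<pid>/maps on stdin, print deleted libssl/libcrypto paths.
stale_libs() {
    # maps columns: address perms offset dev inode path [(deleted)]
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# scan_processes: print "<pid> <comm> <path>" for every stale mapping found.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_libs < "$maps") || continue
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $stale; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

scan_processes
```

On Debian the `needrestart` package, or `checkrestart` from debian-goodies, performs the same check across all shared libraries.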
- CVE-2021-3449: potential DoS attack against servers, not clients. Services that are not public facing - such as Bacula and MariaDB - are unlikely to be impacted. Advice: restart cache proxies and other servers with public facing nginx first.
- CVE-2021-3450: absolutely no idea if/where X509_V_FLAG_X509_STRICT is used, usage does not seem to be very common. Not sure if Miraheze uses it anywhere.
- Rebooting is the safest option, but in certain cases (e.g. proxmox hosts), manually restarting services is doable. systemd services are not using TLS to my knowledge anyway. Therefore: reboot VMs that can be depooled and repooled, keep critical servers (proxmox hosts, database servers, DNS servers, monitoring hosts) online for now.
- Start with public facing servers / services first, anything that is critical but firewalled has less exposure. Unless other instructions have been received, skip critical services on the following hosts: db1[1-3], cloud[3-5], mon2 and ns.