Hello all,
I have a suggestion which may be worth bandying around. Comments please.
At the moment, there are virtual classes of ebuilds, namely system and world.
(Sorry if I'm not using the right terminology here).
emerge -up world shows all possible packages for upgrading, whereas emerge -up
system shows only system-related packages.
Currently on one of my servers, emerge -up system shows:
foo root # emerge -up system | grep "\[ebuild" | wc -l
50
Now, most of these are trivial:
sys-apps/man-pages-1.65 [1.56]
net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1]
that don't affect the security of the running system. (I hope!)
On this server, I am only concerned with the security of the system, not
making sure that I am upgrading apache, postfix, ssh, and others every time a
new release comes out. (Unless of course I require some additional
functionality.)
What I think would be a good idea is the creation and maintenance of say 4 new
virtual packages:
remote-root
remote-shell
local-root
remote-dos
(Maybe there could be more, but these are the ones that I can think of).
For example, if all versions of openssh below 7.8.9-r4 are vulnerable to a
remote-root, add the newest version that isn't vulnerable to the remote-root
group.
Should I run a box for myself, let's say, that doesn't have any local users,
maybe I just want to script emerge -up remote-root && emerge -up
remote-shell.
If nothing appears from that output, I can be happy that my box is running the
latest packages that could be exploited remotely.
I personally would track the 4 classes that I mentioned above on all boxes,
but of course, the choice would be for everyone.
I don't know if I made sense here, but I hope you can see what I am
suggesting.
Calum
--
gentoo-security@g.o mailing list
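As an added example (not part of Calum's post, and not a Portage feature), the filtering a "remote-root" class would give can be approximated today with a plain text file of package atoms and a small POSIX shell pipeline over the output of emerge -up. The emerge output, the class contents and the package versions below are constructed for illustration and do not describe any real advisory; the function names pending_packages and pending_in_class are hypothetical.

```shell
#!/bin/sh
# Added example: emulate a "remote-root" style virtual class with a text
# file of "category/package" atoms, and report only those pending upgrades
# that fall inside the class. Nothing here is real Portage code.

# Constructed sample of what "emerge -up system" might print.
SAMPLE_EMERGE_OUTPUT='Calculating system dependencies ...done!
[ebuild     U ] sys-apps/man-pages-1.65 [1.56]
[ebuild     U ] net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1]
[ebuild     U ] net-misc/openssh-7.8.9-r4 [7.8.8]
[ebuild     U ] net-mail/postfix-2.0.0 [1.9.9]
[ebuild  N    ] app-misc/example-1.0'

# Hypothetical class files: one atom per line, '#' starts a comment.
# Which packages belong here is an assumption made up for the example.
CLASS_REMOTE_ROOT='# remote-root class (constructed example)
net-misc/openssh
net-mail/postfix'

CLASS_REMOTE_SHELL='# remote-shell class (constructed example)
net-misc/telnetd'

# pending_packages: read emerge -up output on stdin and print one
# "category/package" per pending ebuild, with the version stripped.
pending_packages() {
    grep '^\[ebuild' \
    | sed -e 's/^\[ebuild[^]]*\] *//' \
          -e 's/ .*$//' \
          -e 's/-r[0-9]*$//' \
          -e 's/-[0-9][^-]*$//'
}

# pending_in_class CLASS_TEXT: read emerge -up output on stdin and print
# only the pending packages whose atom appears in CLASS_TEXT.
pending_in_class() {
    class_atoms=$(printf '%s\n' "$1" | grep -v '^#' | sed -e 's/ .*$//' -e '/^$/d')
    pending_packages | while read -r pkg; do
        if printf '%s\n' "$class_atoms" | grep -qFx -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Usage: the two checks Calum proposes to script, on the constructed data.
# An empty result for a class means no pending upgrade touches it.
printf '%s\n' "$SAMPLE_EMERGE_OUTPUT" | pending_in_class "$CLASS_REMOTE_ROOT"
printf '%s\n' "$SAMPLE_EMERGE_OUTPUT" | pending_in_class "$CLASS_REMOTE_SHELL"
```

The class file only lists package names, so any pending upgrade of a listed package is reported; the post's idea of recording the first fixed version per package would additionally require comparing the installed version against it, which this sketch leaves to emerge itself.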