Gentoo Archives: gentoo-dev

From: Asbjorn Sannes <gentoo@××××××.org>
To: gentoo-dev@g.o
Subject: [gentoo-dev] about GLSA
Date: Tue, 16 Jul 2002 04:55:34
Message-Id: 1026809696.5160.6.camel@ace.onnet.sec
1 In every GLSA they inform us of the steps to take to update the
2 software, and it always goes something like this:
3
4 emerge --clean rsync
5 emerge <package>
6 emerge clean
7
8 .. now, I wonder, .. isn't emerge prune <package> a better way? Because
9 most of the time emerge clean won't unmerge the old packages leaving
10 (very unlikely) vulnerable files?
11
12 Examples of this behaviour (not unmerging the old vuln. package) is
13 the recent glibc and openssh updates. Altough, in these cases it is not
14 exploitable in the future it might be.
15
16 --
17 Asbjorn Sannes
18 ace@××××××.org