From: Cameron Blackwood <korg@×××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Thu, 22 Sep 2005 01:45:30

Calum writes:
  | Brian G. Peterson wrote:
  | > I subscribe to the GLSA RSS feed, and scan that feed manually against my 
  | > installed software list.  The glsa-check tool is basically useless (as of
  | > gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just GLSAs for 
  | > tools that correspond to packages installed on the system it is run on.
  | I run glsa-check -l | grep '\[N\]' in a cron, and have the results
  | emailed to me at a central email address.

Time for me to make a fool of myself ;). I've been running

 |  emerge -uD world -pv 

to look for updates and I was a little surprised at the following....

 |  # emerge -uD world -pv
 |  These are the packages that I would merge, in order:
 |  Calculating world dependencies ...done!
 |  [ebuild     U ] sys-devel/libperl-5.8.7 [5.8.6-r1] +berkdb -debug +gdbm -ithreads 9,608 kB
 |  [ebuild     U ] dev-lang/perl-5.8.7-r1 [5.8.6-r5] +berkdb -build -debug -doc +gdbm -ithreads -minimal -perlsuid 0 kB
 |  Total size of downloads: 9,608 kB

Which doesn't list.......

 |  # glsa-check -l |& grep '\[N\]'
 |  [N] indicates that the system might be affected.
 |  200507-16 [N] dhcpcd: Denial of Service vulnerability ( net-misc/dhcpcd )

but if I check the package directly it does need an update (and
quite badly it seems)...

 |  # emerge -pv dhcpcd
 |  These are the packages that I would merge, in order:
 |  Calculating dependencies ...done!
 |  [ebuild     U ] net-misc/dhcpcd-2.0.0 [1.3.22_p4-r5] -build -debug -static 119 kB 
 |  Total size of downloads: 119 kB

Huh? Have I just foolishly assumed that emerge world checks all packages?
Is there some 'better' way to list all packages that need updates
both security and normal (and I missed it)?

I thought it might just have been me (running ppc64), but I notice my
friend's Intel box has exactly the same problem, right down to the same
version of dhcpcd.

Ok, I just checked the security handbook and it only mentions
glsa-check. Ok, it's probably my bad... but shouldn't emerge world
merge security updates too?
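
The manual comparison in this message (packages flagged [N] by glsa-check versus the `emerge -uD world -pv` list) can be scripted. The following is an added example, not part of the original post: the function names are made up for the illustration, the sample input is the command output quoted in the message, and it assumes glsa-check lists the affected packages space-separated inside the trailing parentheses.

```shell
#!/bin/sh
# Constructed sample input: the two command outputs quoted in the message.
GLSA_SAMPLE='[N] indicates that the system might be affected.
200507-16 [N] dhcpcd: Denial of Service vulnerability ( net-misc/dhcpcd )'

EMERGE_SAMPLE='These are the packages that I would merge, in order:
Calculating world dependencies ...done!
[ebuild     U ] sys-devel/libperl-5.8.7 [5.8.6-r1] +berkdb -debug +gdbm -ithreads 9,608 kB
[ebuild     U ] dev-lang/perl-5.8.7-r1 [5.8.6-r5] +berkdb -build -debug -doc +gdbm -ithreads -minimal -perlsuid 0 kB
Total size of downloads: 9,608 kB'

# stdin: `glsa-check -l` output. stdout: category/package of every [N] advisory.
# The legend line also contains "[N]", so match only lines starting with a GLSA id.
glsa_packages() {
    grep -E '^[0-9]+-[0-9]+ +\[N\]' |
        sed -n 's/.*(\(.*\)).*/\1/p' |
        tr -s ' ' '\n' | grep '/' | sort -u
}

# stdin: `emerge -pv` output. stdout: category/package with the version removed.
emerge_packages() {
    sed -n 's/^\[ebuild[^]]*\] *\([^ ]*\).*/\1/p' |
        sed 's/-[0-9][^-]*\(-r[0-9][0-9]*\)\{0,1\}$//' | sort -u
}

# $1: glsa-check output, $2: emerge pretend output.
# Prints GLSA-flagged packages that the pretend list does not mention.
not_in_update() {
    pending=$(printf '%s\n' "$2" | emerge_packages)
    printf '%s\n' "$1" | glsa_packages | while read -r pkg; do
        printf '%s\n' "$pending" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# On a live system (commands as used in the message):
#   not_in_update "$(glsa-check -l 2>&1)" "$(emerge -uD world -pv)"
not_in_update "$GLSA_SAMPLE" "$EMERGE_SAMPLE"
```

Any package it prints has an open advisory but would not be touched by the world update, which is the case the cron job quoted at the top of the message would also catch.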


