Gentoo Archives: gentoo-security

From: Willie Wong <wwong@×××××××××.EDU>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Thu, 22 Sep 2005 02:22:59
In Reply to: Re: [gentoo-security] Kernels and GLSAs by Cameron Blackwood

On Thu, Sep 22, 2005 at 11:39:55AM +1000, Cameron Blackwood wrote:
> Time for me to make a fool of myself ;). I've been running
>
> | emerge -uD world -pv
>
> to look for updates and I was a little surprised at the following....
>
> | # emerge -uD world -pv
> |
> | These are the packages that I would merge, in order:
> |
> | Calculating world dependencies ...done!
> | [ebuild U ] sys-devel/libperl-5.8.7 [5.8.6-r1] +berkdb -debug +gdbm -ithreads 9,608 kB
> | [ebuild U ] dev-lang/perl-5.8.7-r1 [5.8.6-r5] +berkdb -build -debug -doc +gdbm -ithreads -minimal -perlsuid 0 kB
> |
> | Total size of downloads: 9,608 kB
>
> Which doesn't list.......
>
> | # glsa-check -l |& grep '\[N\]'
> | [N] indicates that the system might be affected.
> | 200507-16 [N] dhcpcd: Denial of Service vulnerability ( net-misc/dhcpcd )
>
> Huh? Have I just foolishly assumed that emerge world checks all packages?
> Is there some 'better' way to list all packages that need updates
> both security and normal (and I missed it)?

dhcpcd was recently (couple months back) removed from "system". If you installed your system before then, dhcpcd would not have been recorded in the world file since it was part of system, which is included in the packages checked when you do emerge -uD world. After it has been removed from system, unless you added it to world yourself, none of the emerge -uD world operations would have updated dhcpcd, and so dhcpcd, never passing through emerge since its removal from system, never was added to the world file. So now emerge -uD world doesn't know it is on your system.

W
-- 
News headline: The man who fell into an upholstery machine was fully recovered.
Sortir en Pantoufles: up 41 days, 5:18
-- 
gentoo-security@g.o mailing list
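
The world/system behaviour described in the reply above, as an added example that is not part of the original message and is not Portage's own code: a simplified model of which installed packages a deep world update visits, and which GLSA-flagged packages it therefore never upgrades. The package sets, the dependency map and all function names are constructed assumptions; only the dhcpcd GLSA entry comes from the quoted output.

```python
# Simplified model of how `emerge -uD world` picks update candidates.
# All package sets and the dependency map below are constructed sample data.


def reachable(roots, deps):
    """Return the roots plus everything reachable through the dependency map."""
    seen, stack = set(), list(roots)
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(deps.get(pkg, ()))
    return seen


def missed_by_world_update(installed, world, system, deps):
    """Installed packages that a deep update of world + system never visits."""
    covered = reachable(set(world) | set(system), deps)
    return sorted(set(installed) - covered)


def unpatched_and_missed(glsa_affected, installed, world, system, deps):
    """GLSA-flagged packages that the world update will not touch."""
    missed = set(missed_by_world_update(installed, world, system, deps))
    return sorted(missed & set(glsa_affected))


# Constructed sample state of one machine.
INSTALLED = {"net-misc/dhcpcd", "dev-lang/perl", "sys-devel/libperl",
             "app-editors/vim"}
WORLD = {"app-editors/vim"}                       # explicitly merged by the user
SYSTEM_OLD = {"dev-lang/perl", "net-misc/dhcpcd"}  # profile before the change
SYSTEM_NEW = {"dev-lang/perl"}                     # dhcpcd dropped from system
DEPS = {"dev-lang/perl": ["sys-devel/libperl"]}    # pulled in by -D (deep)
GLSA_AFFECTED = {"net-misc/dhcpcd"}                # GLSA 200507-16 from the post

if __name__ == "__main__":
    print("missed before:", missed_by_world_update(INSTALLED, WORLD, SYSTEM_OLD, DEPS))
    print("missed after: ", missed_by_world_update(INSTALLED, WORLD, SYSTEM_NEW, DEPS))
    print("vulnerable and missed:",
          unpatched_and_missed(GLSA_AFFECTED, INSTALLED, WORLD, SYSTEM_NEW, DEPS))
```

Recording the package in the world set (the last case in the model) brings it back under the update, which matches the reply's point that dhcpcd was never added to the world file.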