Gentoo Archives: gentoo-security

From: Calum <gentoo-security@××××××××××××.uk>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Idea for easily checking for security updates.
Date: Mon, 09 Feb 2004 12:12:12

Hello all,

I have a suggestion which may be worth bandying around. Comments please.

At the moment, there are virtual classes of ebuilds, namely system, and world.
(Sorry if I'm not using the right terminology here).

emerge -up world shows all possible packages for upgrading, whereas emerge -up
system shows only system related packages.

Currently on one of my servers, emerge -up system shows:
foo root # emerge -up system | grep "\[ebuild" | wc -l
50

Now, most of these are trivial:
sys-apps/man-pages-1.65 [1.56]
net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1]
that don't affect the security of the running system. (I hope!)
On this server, I am only concerned with the security of the system, not
making sure that I am upgrading apache, postfix, ssh, and others every time a
new release comes out. (Unless of course I require some additional
functionality.)

What I think would be a good idea is the creation and maintenance of say 4 new
virtual packages:
remote-root
remote-shell
local-root
remote-dos
(Maybe there could be more, but these are the ones that I can think of).

For example, if all versions of openssh below 7.8.9-r4 are vulnerable to a
remote-root, add the newest version that isn't vulnerable to the remote-root
group.
Should I run a box for myself, let's say, that doesn't have any local users,
maybe I just want to script emerge -up remote-root && emerge -up
remote-shell.
If nothing appears from that output, I can be happy that my box is running the
latest packages that could be exploited remotely.

I personally would track the 4 classes that I mentioned above on all boxes,
but of course, the choice would be for everyone.

I don't know if I made sense here, but I hope you can see what I am
suggesting.

Calum

--
gentoo-security@g.o mailing list
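
The check proposed in the mail above, sketched as an added example (not part of the original post and not Portage code): each class maps a package to the oldest version that is not vulnerable, and installed packages below that version are reported. The mapping format, the `example-*` packages, all versions and the function names are assumptions, and only a simplified subset of ebuild version syntax is compared.

```python
import re

# Constructed data. Class names are from the mail; the mapping format, the
# example-* packages and all versions are assumptions made for this sketch.
# Each entry is the oldest version that is NOT vulnerable.
SECURITY_CLASSES = {
    "remote-root": {"net-misc/openssh": "7.8.9-r4"},
    "remote-shell": {"net-misc/example-ftpd": "2.0.1"},
    "local-root": {"sys-apps/example-suid": "0.9_p2"},
    "remote-dos": {"net-misc/example-daemon": "1.3.22_p4-r2"},
}
INSTALLED = {  # constructed: package -> installed version
    "net-misc/openssh": "7.8.9-r3",
    "net-misc/example-ftpd": "2.0.1",
    "net-misc/example-daemon": "1.3.22_p4-r1",
    "sys-apps/man-pages": "1.56",  # outdated, but in no security class
}

# Simplified subset of ebuild versions: dotted numbers, optional _pN, optional
# -rN. Letters, _alpha/_beta/_pre/_rc and leading-zero components are rejected
# rather than compared wrongly.
_VERSION = re.compile(
    r"^((?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*)(?:_p(\d+))?(?:-r(\d+))?$")

def version_key(version):
    """Return a tuple that orders versions of the supported subset."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) is not None else -1  # no _p sorts first
    return (numbers, patch, int(m.group(3) or 0))

def pending_security_updates(installed, classes, wanted):
    """List (class, package, installed, fixed) for installed packages below the fix."""
    findings = []
    for cls in wanted:
        for pkg, fixed in classes[cls].items():
            have = installed.get(pkg)
            if have is not None and version_key(have) < version_key(fixed):
                findings.append((cls, pkg, have, fixed))
    return sorted(findings)

if __name__ == "__main__":
    # Mirrors the mail's "emerge -up remote-root && emerge -up remote-shell".
    wanted = ["remote-root", "remote-shell"]
    for finding in pending_security_updates(INSTALLED, SECURITY_CLASSES, wanted):
        print("%s: %s %s -> %s" % finding)
```
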


Subject Author
Re: [gentoo-security] Idea for easily checking for security updates. Matt Steven <matt@×××××××××.com>
Re: [gentoo-security] Idea for easily checking for security updates. Mark Guertin <guertin@××××××××××××××.com>