Old 03-06-2012, 05:32 PM
Grant
 
Default GLSA management

I've been checking this daily for a while:

http://www.gentoo.org/security/en/glsa/index.xml

but every time there's a vulnerability in a package I know I have
installed, my installed version is unaffected. If I emerge world
daily, do I need to check on GLSA's?

- Grant
 
Old 03-06-2012, 05:57 PM
Michael Orlitzky
 
Default GLSA management

On 03/06/12 13:32, Grant wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?
>

Does glsa-check still work? It's part of gentoolkit.
 
Old 03-06-2012, 06:06 PM
Neil Bothwick
 
Default GLSA management

On Tue, 6 Mar 2012 10:32:35 -0800, Grant wrote:

> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?

If you run testing, you usually have the fixed version before it gets
into a GLSA. Just run glsa-check -t all after syncing.


--
Neil Bothwick

COBOL: Completely Obsolete Business Oriented Language
 
Old 03-06-2012, 06:07 PM
Florian Philipp
 
Default GLSA management

On 06.03.2012 19:32, Grant wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?
>
> - Grant
>

I don't know the exact policy but I've never seen a GLSA being issued
before the fix got stabilized. If you update daily, GLSAs should not
affect you.

Regards,
Florian Philipp
 
Old 03-06-2012, 06:22 PM
Grant
 
Default GLSA management

>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected. If I emerge world
>> daily, do I need to check on GLSA's?
>>
>> - Grant
>>
>
> I don't know the exact policy but I've never seen a GLSA being issued
> before the fix got stabilized. If you update daily, GLSAs should not
> affect you.

Thanks Florian.

- Grant
 
Old 03-06-2012, 06:22 PM
Grant
 
Default GLSA management

>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected. If I emerge world
>> daily, do I need to check on GLSA's?
>
> If you run testing, you usually have the fixed version before it gets
> into a GLSA. Just run glsa-check -t all after syncing.

Thanks, that works great.

- Grant
 
Old 03-06-2012, 10:13 PM
Urs Schutz
 
Default GLSA management

On Tue, 6 Mar 2012 10:32:35 -0800
Grant <emailgrant@gmail.com> wrote:

> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I
> know I have installed, my installed version is
> unaffected. If I emerge world daily, do I need to check
> on GLSA's?
>
> - Grant
>

I run a cron job that does glsa-check -t all daily, and had
one glsa showing up lately (201201-09). This was an old
slot of media-libs/freetype, pulled in by emerge because of
obscure useflags in luatex. This was with stable packages.
Another one showed up because of app-text/acroread, and
was resolved by replacing acroread with evince.

So in my opinion it is necessary to run glsa-check
regularly to show the detected problems within the system.
Run as a cron job there is little work to do, checking the
mail takes less than 10 seconds.

And: A big thanks to the people who invest their time and
use their brains to write the Gentoo Linux Security Advices!

Urs
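
A cron-friendly form of the daily check described in the post above, as an added example that is not part of any post in this thread: it runs `glsa-check -t all` and prints only the GLSA ids that were absent from the previous run, so cron mail arrives only when something changes. The state file path, the function names and the sample checker output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): daily GLSA check that reports only changes.
# Assumptions: the state file path and the YYYYMM-NN shape of GLSA ids.
LC_ALL=C; export LC_ALL
STATE="${GLSA_STATE:-/var/lib/glsa-cron/reported}"   # hypothetical path

# Keep only GLSA ids (e.g. 201201-09) from the checker output on stdin.
extract_ids() {
    grep -Eo '[0-9]{6}-[0-9]{2,}' | sort -u
}

# Print ids on stdin that are absent from state file $1, then store the
# current set there, so a fixed GLSA that comes back is reported again.
new_ids() {
    state=$1
    mkdir -p "$(dirname "$state")" && touch "$state"
    tmp=$(mktemp)
    extract_ids > "$tmp"
    comm -13 "$state" "$tmp"
    mv "$tmp" "$state"
}

# Constructed sample of checker output, used by demo() only.
SAMPLE_DAY1='201201-09'
SAMPLE_DAY2='201201-09
201203-12'

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DAY1" | new_ids "$dir/reported"   # first run: 201201-09
    printf '%s\n' "$SAMPLE_DAY2" | new_ids "$dir/reported"   # second run: 201203-12
    rm -rf "$dir"
}

# Real run, e.g. from /etc/cron.daily: cron mails whatever is printed.
if [ "${1:-}" = "--run" ]; then
    command -v glsa-check >/dev/null || { echo "glsa-check not found"; exit 1; }
    report=$(glsa-check -n -t all 2>&1 | new_ids "$STATE")
    if [ -n "$report" ]; then
        echo "New GLSAs affecting this host:"
        echo "$report"
        echo "Inspect with: glsa-check -d <id>"
    fi
fi
```

Run it after the tree sync so the advisory list is current; a missing `glsa-check` produces output too, so a broken check does not go silent.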
 
Old 03-07-2012, 12:48 AM
Q
 
Default GLSA management

On Tue, 6 Mar 2012 19:06:46 +0000
Neil Bothwick <neil@digimed.co.uk> wrote:

> If you run testing, you usually have the fixed version before it gets
> into a GLSA.

IME, the same is true of running stable.

I saw comments somewhere recently about the GLSA-releasing process
having a bottleneck somewhere, but there weren't details. I think I
was reading bugs.gentoo.org, but I'm not sure.

The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized on
all arches, and a GLSA request made, on 16 January but the GLSA wasn't
issued until 6 March. I don't know if that's an anomaly or not.

There's a lot I don't know in this post, heh. I guess I'm requesting
comments.

1 https://bugs.gentoo.org/show_bug.cgi?id=397695

2 http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml
 
Old 03-07-2012, 12:58 AM
Q
 
Default GLSA management

On Tue, 6 Mar 2012 19:48:43 -0600
Q <boxcars@gmx.net> wrote:

> The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized
> on all arches, and a GLSA request made, on 16 January but the GLSA
> wasn't issued until 6 March. I don't know if that's an anomaly or
> not.

Of the 12 GLSAs issued today, I believe that was the "oldest".

> There's a lot I don't know in this post, heh. I guess I'm requesting
> comments.
>
> 1 https://bugs.gentoo.org/show_bug.cgi?id=397695
>
> 2 http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml
 

All times are GMT.