From: John Schember <j5483@yahoo.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] security updates
Date: Sat, 10 Feb 2007 10:02:52 -0700
Message-ID: <1171126972.3818.15.camel@Ubox>
In-Reply-To: <20070210160237.GB5317@swordfish.capgemini.hu>
On Sat, 2007-02-10 at 17:02 +0100, Nagy Gabor Peter wrote:
> Hi list,
>
> I have a question:
I think you had more than a single question... But the list is here to
get help so the more questions the merrier ;-).
> Since I am new to gentoo, I don't know how security updates work.
GLSA is what you're looking for. You can see all current security
announcements at http://www.gentoo.org/security/en/glsa/
> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug to the version
> that Debian stable contains.
On Gentoo it is backported as needed. Often the latest version contains
the fix, and as long as it is stable on all supported arches the fix will
not be backported to older versions.
> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.
If you look at http://www.gentoo.org/security/en/glsa/glsa-200410-19.xml
you can see the fix was backported in a bunch of -r# releases. If you
have a doubt about security fixes to an older package release, check
GLSA.
> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
>
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompile, there I have glibc 2.3.6-r5
>
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)
The change log is in the directory in your local portage tree,
i.e., /usr/portage/sys-libs/glibc/ChangeLog. You can also use the
unofficial portage listing page http://gentoo-portage.com to see the
change log.
> So my question: If someone finds a bug in glibc that gets corrected,
> what do the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?
~arch is the equivalent of Debian testing. They are simply packages that
have been added to the tree but need to be verified stable. Packages
that are stable but have a security issue do not go back to ~arch. It
only goes one way, from ~arch (testing) to arch (stable).
> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?
Here is a how-to for checking whether any packages you have installed
have an announcement after syncing.
http://forums.vpslink.com/showthread.php?t=745 Basically
> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
> Does libc 2.4 have troubles with ssp?
That is the reason. The SSP patches that the hardened profile uses are
not available for 2.4. They probably won't ever be available for 2.4
simply because 2.5 is in ~arch right now. Supposedly when 2.5 gets
marked stable there will be SSP patches for it and it will be used on
the hardened profile.
John Schember
--
gentoo-hardened@gentoo.org mailing list
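The check John points at (after syncing, compare what is installed against the GLSA list) is what `glsa-check -t all` from gentoolkit does on a real Gentoo box. As an added example, not code from this thread, from Gentoo or from glsa-check, the following Python shows the two pieces that check consists of: Gentoo version ordering (numeric components, optional letter, `_alpha/_beta/_pre/_rc/_p` suffixes, `-rN` revision) and GLSA range matching against an advisory's `<vulnerable>`/`<unaffected>` entries. The advisory and the "installed" list are constructed sample data; the XML layout and the range keywords (`lt`, `ge`, `rge`, ...) follow the GLSA format, but the revision-range semantics coded here are this example's interpretation, chosen to show the thread's point that a fix can land as a new `-r#` of an older version without that older version being marked vulnerable.

```python
"""Toy GLSA checker: is an installed Gentoo package covered by an advisory?

Added example; not code from the mailing-list thread, Gentoo or glsa-check.
The advisory and installed-package list below are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed advisory, modelled on the GLSA XML layout (hypothetical id).
SAMPLE_GLSA = """<glsa id="200000-01">
  <title>glibc: sample advisory (constructed, not a real GLSA)</title>
  <affected>
    <package name="sys-libs/glibc" auto="yes" arch="*">
      <unaffected range="ge">2.4-r4</unaffected>
      <unaffected range="rge">2.3.6-r5</unaffected>
      <vulnerable range="lt">2.4-r4</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Constructed sample of installed packages, as category/name-version.
SAMPLE_INSTALLED = ["sys-libs/glibc-2.4-r3", "sys-apps/portage-2.1.2-r9"]

# Suffix ordering: alpha < beta < pre < rc < (release) < p.
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)


def parse_version(ver: str):
    """Split a Gentoo version into (numeric parts, letter, suffixes, revision)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    suffixes = [(_SUFFIX_ORDER[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    return m.group("nums").split("."), m.group("letter") or "", suffixes, int(m.group("rev") or 0)


def _cmp(a, b) -> int:
    return (a > b) - (a < b)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a <, ==, > b under the Gentoo (PMS) version ordering."""
    an, al, asuf, arev = parse_version(a)
    bn, bl, bsuf, brev = parse_version(b)
    c = _cmp(int(an[0]), int(bn[0]))            # first component: plain integer
    if c:
        return c
    for x, y in zip(an[1:], bn[1:]):
        # Later components: if either has a leading zero, strip trailing zeros
        # and compare as strings (so 1.01 < 1.1); otherwise compare as integers.
        c = _cmp(x.rstrip("0"), y.rstrip("0")) if (x[0] == "0" or y[0] == "0") else _cmp(int(x), int(y))
        if c:
            return c
    c = _cmp(len(an), len(bn)) or _cmp(al, bl)  # more components, then letter
    if c:
        return c
    release = (_SUFFIX_ORDER[""], 0)            # a missing suffix ranks as a release
    for i in range(max(len(asuf), len(bsuf))):
        c = _cmp(asuf[i] if i < len(asuf) else release, bsuf[i] if i < len(bsuf) else release)
        if c:
            return c
    return _cmp(arev, brev)                     # finally the -rN revision


def _split_rev(ver: str):
    base, _, rev = ver.partition("-r")
    return base, int(rev or 0)


def in_range(installed: str, rng: str, bound: str) -> bool:
    """Does `installed` satisfy GLSA range `rng` relative to `bound`?

    lt/le/eq/ge/gt compare whole versions. rlt/rle/req/rge/rgt (this example's
    reading of the revision ranges) require the same base version and compare
    only the -rN revision: how an advisory says "2.3.6 is fixed from -r5 on".
    """
    if rng.startswith("r"):
        ib, ir = _split_rev(installed)
        bb, br = _split_rev(bound)
        if compare_versions(ib, bb) != 0:
            return False
        c, rng = _cmp(ir, br), rng[1:]
    else:
        c = compare_versions(installed, bound)
    return {"lt": c < 0, "le": c <= 0, "eq": c == 0, "ge": c >= 0, "gt": c > 0}[rng]


def split_cpv(cpv: str) -> Tuple[str, str]:
    """'sys-libs/glibc-2.4-r3' -> ('sys-libs/glibc', '2.4-r3')."""
    m = re.match(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$", cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group(1), m.group(2)


def affected_packages(glsa_xml: str, installed: List[str]) -> List[Tuple[str, str]]:
    """(cpv, glsa id) for installed packages the advisory marks vulnerable
    and that no <unaffected> entry rescues."""
    root = ET.fromstring(glsa_xml)
    hits = []
    for pkg in root.iter("package"):
        for cpv in installed:
            name, ver = split_cpv(cpv)
            if name != pkg.get("name"):
                continue
            vulnerable = any(in_range(ver, v.get("range"), v.text.strip()) for v in pkg.findall("vulnerable"))
            unaffected = any(in_range(ver, u.get("range"), u.text.strip()) for u in pkg.findall("unaffected"))
            if vulnerable and not unaffected:
                hits.append((cpv, root.get("id")))
    return hits


if __name__ == "__main__":
    print(affected_packages(SAMPLE_GLSA, SAMPLE_INSTALLED))  # glibc 2.4-r3 is affected
```

With the sample data, `sys-libs/glibc-2.4-r3` is reported (it is `lt 2.4-r4` and nothing rescues it), while a box on the hardened profile with `2.3.6-r5` is not, because the `rge 2.3.6-r5` entry says the fix was backported into that revision; `2.3.6-r4` would be reported. On a real system the installed list comes from `/var/db/pkg` and the advisories from the synced tree, which is exactly what `glsa-check` reads.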