From: John Schember
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] security updates
Date: Sat, 10 Feb 2007 10:02:52 -0700
Message-Id: <1171126972.3818.15.camel@Ubox>
In-Reply-To: <20070210160237.GB5317@swordfish.capgemini.hu>
References: <20070210160237.GB5317@swordfish.capgemini.hu>
List-Id: Gentoo Linux mail

On Sat, 2007-02-10 at 17:02 +0100, Nagy Gabor Peter wrote:
> Hi list,
>
> I have a question:

I think you had more than a single question... But the list is here to
get help so the more questions the merrier ;-).

> Since I am new to gentoo, I don't know how security updates work.

GLSA is what you're looking for. You can see all current security
announcements at http://www.gentoo.org/security/en/glsa/

> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug to the version
> that Debian stable contains.

On Gentoo it is backported as needed. Often the latest version contains
the fix and as long as it is stable on all supported arches the fix will
not be backported to older versions.

> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.

If you look at http://www.gentoo.org/security/en/glsa/glsa-200410-19.xml
you can see the fix was backported in a bunch of -r# releases. If you
have a doubt about security fixes to an older package release, check GLSA.

> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
>
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompiled, there I have glibc 2.3.6-r5
>
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)

The change log is in the package's directory in your local portage tree,
i.e., /usr/portage/sys-libs/glibc/ChangeLog
You can also use the unofficial portage listing page
http://gentoo-portage.com to see the change log.

> So my question: If someone finds a bug in glibc that gets corrected,
> what do the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

~arch is the equivalent of Debian testing. They are simply packages that
have been added to the tree but need to be verified stable. Packages that
are stable but have a security issue do not go back to ~arch. It only
goes one way, from ~arch (testing) to arch (stable).

> Is there some mailing list (like debian-security-announce) where such
> security fixes are announced?

Here is a how-to for checking whether any packages you have installed
have an announcement after syncing.
http://forums.vpslink.com/showthread.php?t=745
Basically

> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
> Does libc 2.4 have troubles with ssp?

That is the reason. The SSP patches that the hardened profile uses are
not available for 2.4. They probably won't ever be available for 2.4
simply because 2.5 is in ~arch right now. Supposedly when 2.5 gets
marked stable there will be SSP patches for it and it will be used on
the hardened profile.

John Schember
--
gentoo-hardened@gentoo.org mailing list
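The check the reply points at (after a sync, does any installed package version fall inside a GLSA's vulnerable range?) as a worked example. This is added code, not from the post above, the linked how-to, or Gentoo itself; on a real host `glsa-check -t all` from gentoolkit does this job against the synced advisory tree. Assumptions made here: the GLSA XML layout shown in the constructed sample (`<affected>/<package>/<vulnerable|unaffected range=...>`), a simplified Gentoo version comparison that understands only dotted numbers plus a `-rN` revision (portage's own vercmp also handles `_rc`, `_p` and letter suffixes), and constructed version numbers that echo the thread's 2.3.6-r5 / 2.4-r3 / 2.4-r4 discussion; the GLSA id `200000-00` is a placeholder, not a real advisory.

```python
# Added example: check installed versions against a GLSA's ranges.
# Not from the mailing-list post or from Gentoo; glsa-check is the real tool.
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample advisory: id and ranges are made up to echo the thread
# (2.4-r3 needs 2.4-r4; the 2.3.6 branch got the fix backported in -r5).
SAMPLE_GLSA = """<glsa id="200000-00">
  <title>glibc: constructed sample advisory</title>
  <synopsis>Placeholder, not a real GLSA.</synopsis>
  <affected>
    <package name="sys-libs/glibc" auto="yes" arch="*">
      <unaffected range="ge">2.4-r4</unaffected>
      <unaffected range="rge">2.3.6-r5</unaffected>
      <vulnerable range="lt">2.4-r4</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Simplified version syntax (assumption): dotted numbers plus optional -rN.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Split '2.3.6-r5' into ((2, 3, 6), 5); a missing revision is 0."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unsupported version syntax: {version!r}")
    base = tuple(int(part) for part in match.group(1).split("."))
    return base, int(match.group(2) or 0)


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so 2.4 equals 2.4.0."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def vercmp(left, right):
    """Return -1, 0 or 1: base numbers decide first, then the -rN revision."""
    lbase, lrev = parse_version(left)
    rbase, rrev = parse_version(right)
    lbase, rbase = _padded(lbase, rbase)
    if lbase != rbase:
        return -1 if lbase < rbase else 1
    return (lrev > rrev) - (lrev < rrev)


def in_range(installed, kind, reference):
    """Evaluate one GLSA range ('lt', 'ge', 'rge', ...) for a version.

    r-prefixed kinds are revision ranges: they apply only when the base
    version matches, which lets an advisory say "2.3.6 is fixed from -r5 on"
    without saying anything about the 2.4 branch.
    """
    if kind.startswith("r"):
        lbase, rbase = _padded(parse_version(installed)[0],
                               parse_version(reference)[0])
        if lbase != rbase:
            return False
        kind = kind[1:]
    c = vercmp(installed, reference)
    return {"lt": c < 0, "le": c <= 0, "eq": c == 0,
            "gt": c > 0, "ge": c >= 0}[kind]


def affected_packages(glsa_xml, installed):
    """(glsa_id, package, version) for every installed version that sits in a
    vulnerable range and in no unaffected range.
    installed: {"category/name": ["version", ...]}."""
    root = ET.fromstring(glsa_xml)
    hits = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        for version in installed.get(name, []):
            vulnerable = any(in_range(version, e.get("range"), e.text.strip())
                             for e in pkg.findall("vulnerable"))
            fixed = any(in_range(version, e.get("range"), e.text.strip())
                        for e in pkg.findall("unaffected"))
            if vulnerable and not fixed:
                hits.append((root.get("id"), name, version))
    return hits


# "glibc-2.3.6-r5" -> ("glibc", "2.3.6-r5"): the version is the shortest
# trailing hyphen-separated piece that parses as a version.
PKG_VER_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*(?:-r\d+)?)$")


def installed_from_vdb(vdb="/var/db/pkg"):
    """Build the installed map from the category/name-version directories of
    the installed-package database (only meaningful on a Gentoo host)."""
    found = {}
    for category in os.listdir(vdb):
        cat_dir = os.path.join(vdb, category)
        if not os.path.isdir(cat_dir):
            continue
        for entry in os.listdir(cat_dir):
            match = PKG_VER_RE.match(entry)
            if match:
                key = f"{category}/{match.group(1)}"
                found.setdefault(key, []).append(match.group(2))
    return found


if __name__ == "__main__":
    # Constructed installed set: the thread's two machines plus one stale box.
    sample = {"sys-libs/glibc": ["2.4-r3", "2.3.6-r5", "2.3.6-r4"]}
    for glsa_id, name, version in affected_packages(SAMPLE_GLSA, sample):
        print(f"GLSA {glsa_id}: {name}-{version} is affected")
```

Run as a script it reports 2.4-r3 and 2.3.6-r4 as affected and stays quiet about 2.3.6-r5, which is the point of the `rge` range: a fix backported into an older `-rN` revision keeps that branch out of the advisory even though the bare version number is lower than the 2.4 fix. On a Gentoo host, replace the constructed `sample` with `installed_from_vdb()` and feed each synced advisory file's contents to `affected_packages`.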