public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] GLSA management
@ 2012-03-06 18:32 Grant
  2012-03-06 18:57 ` Michael Orlitzky
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Grant @ 2012-03-06 18:32 UTC (permalink / raw
  To: Gentoo mailing list

I've been checking this daily for a while:

http://www.gentoo.org/security/en/glsa/index.xml

but every time there's a vulnerability in a package I know I have
installed, my installed version is unaffected.  If I emerge world
daily, do I need to check on GLSA's?

- Grant




* Re: [gentoo-user] GLSA management
  2012-03-06 18:32 [gentoo-user] GLSA management Grant
@ 2012-03-06 18:57 ` Michael Orlitzky
  2012-03-06 19:06 ` Neil Bothwick
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 9+ messages in thread
From: Michael Orlitzky @ 2012-03-06 18:57 UTC (permalink / raw
  To: gentoo-user

On 03/06/12 13:32, Grant wrote:
> I've been checking this daily for a while:
> 
> http://www.gentoo.org/security/en/glsa/index.xml
> 
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected.  If I emerge world
> daily, do I need to check on GLSA's?
> 

Does glsa-check still work? It's part of gentoolkit.




* Re: [gentoo-user] GLSA management
  2012-03-06 18:32 [gentoo-user] GLSA management Grant
  2012-03-06 18:57 ` Michael Orlitzky
@ 2012-03-06 19:06 ` Neil Bothwick
  2012-03-06 19:22   ` Grant
  2012-03-07  1:48   ` [gentoo-user] " »Q«
  2012-03-06 19:07 ` [gentoo-user] " Florian Philipp
  2012-03-06 23:13 ` Urs Schutz
  3 siblings, 2 replies; 9+ messages in thread
From: Neil Bothwick @ 2012-03-06 19:06 UTC (permalink / raw
  To: gentoo-user


On Tue, 6 Mar 2012 10:32:35 -0800, Grant wrote:

> I've been checking this daily for a while:
> 
> http://www.gentoo.org/security/en/glsa/index.xml
> 
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected.  If I emerge world
> daily, do I need to check on GLSA's?

If you run testing, you usually have the fixed version before it gets
into a GLSA. Just run glsa-check -t all after syncing.


-- 
Neil Bothwick

COBOL: Completely Obsolete Business Oriented Language


* Re: [gentoo-user] GLSA management
  2012-03-06 18:32 [gentoo-user] GLSA management Grant
  2012-03-06 18:57 ` Michael Orlitzky
  2012-03-06 19:06 ` Neil Bothwick
@ 2012-03-06 19:07 ` Florian Philipp
  2012-03-06 19:22   ` Grant
  2012-03-06 23:13 ` Urs Schutz
  3 siblings, 1 reply; 9+ messages in thread
From: Florian Philipp @ 2012-03-06 19:07 UTC (permalink / raw
  To: gentoo-user


On 06.03.2012 19:32, Grant wrote:
> I've been checking this daily for a while:
> 
> http://www.gentoo.org/security/en/glsa/index.xml
> 
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected.  If I emerge world
> daily, do I need to check on GLSA's?
> 
> - Grant
> 

I don't know the exact policy but I've never seen a GLSA being issued
before the fix got stabilized. If you update daily, GLSAs should not
affect you.

Regards,
Florian Philipp



* Re: [gentoo-user] GLSA management
  2012-03-06 19:07 ` [gentoo-user] " Florian Philipp
@ 2012-03-06 19:22   ` Grant
  0 siblings, 0 replies; 9+ messages in thread
From: Grant @ 2012-03-06 19:22 UTC (permalink / raw
  To: gentoo-user

>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected.  If I emerge world
>> daily, do I need to check on GLSA's?
>>
>> - Grant
>>
>
> I don't know the exact policy but I've never seen a GLSA being issued
> before the fix got stabilized. If you update daily, GLSAs should not
> affect you.

Thanks Florian.

- Grant




* Re: [gentoo-user] GLSA management
  2012-03-06 19:06 ` Neil Bothwick
@ 2012-03-06 19:22   ` Grant
  2012-03-07  1:48   ` [gentoo-user] " »Q«
  1 sibling, 0 replies; 9+ messages in thread
From: Grant @ 2012-03-06 19:22 UTC (permalink / raw
  To: gentoo-user

>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected.  If I emerge world
>> daily, do I need to check on GLSA's?
>
> If you run testing, you usually have the fixed version before it gets
> into a GLSA. Just run glsa-check -t all after syncing.

Thanks, that works great.

- Grant




* Re: [gentoo-user] GLSA management
  2012-03-06 18:32 [gentoo-user] GLSA management Grant
                   ` (2 preceding siblings ...)
  2012-03-06 19:07 ` [gentoo-user] " Florian Philipp
@ 2012-03-06 23:13 ` Urs Schutz
  3 siblings, 0 replies; 9+ messages in thread
From: Urs Schutz @ 2012-03-06 23:13 UTC (permalink / raw
  To: gentoo-user

On Tue, 6 Mar 2012 10:32:35 -0800
Grant <emailgrant@gmail.com> wrote:

> I've been checking this daily for a while:
> 
> http://www.gentoo.org/security/en/glsa/index.xml
> 
> but every time there's a vulnerability in a package I
> know I have installed, my installed version is
> unaffected.  If I emerge world daily, do I need to check
> on GLSA's?
> 
> - Grant
> 

I run a cron job that does glsa-check -t all daily, and had
one glsa showing up lately (201201-09). This was an old
slot of media-libs/freetype, pulled in by emerge because of
obscure useflags in luatex. This was with stable packages.
Another one showed up because of app-text/acroread, and
was resolved by replacing acroread with evince.

So in my opinion it is necessary to run glsa-check
regularly to show the detected problems within the system.
Run as a cron job there is little work to do, checking the
mail takes less than 10 seconds.

And: A big thanks to the people who invest their time and
use their brains to write the Gentoo Linux Security Advices!

Urs



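The daily cron check Urs describes, as an added example that is not part of the thread or of gentoolkit: a wrapper around glsa-check -t all that marks newly appearing GLSA IDs and prints nothing when the system is unaffected, so cron only sends mail when there is something to read. The state file path, the function names and the --cron/--demo switches are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): cron wrapper around `glsa-check -t all`.
# STATE_FILE is a hypothetical path remembering the IDs reported last run.
STATE_FILE="${STATE_FILE:-/var/lib/glsa-report.seen}"

# stdin: glsa-check output; stdout: unique GLSA IDs (YYYYMM-NN), sorted.
extract_glsa_ids() {
    grep -Eow '[0-9]{6}-[0-9]{2,}' | sort -u
}

# $1: state file; stdin: glsa-check output.
# Prints "NEW <id>" for IDs not seen last run and "OPEN <id>" for ones that
# still apply, then rewrites the state file. No affecting GLSA, no output.
glsa_report() {
    state=$1
    [ -f "$state" ] || : > "$state"
    ids=$(extract_glsa_ids)
    for id in $ids; do
        if grep -Fqx "$id" "$state"; then
            echo "OPEN $id"
        else
            echo "NEW $id"
        fi
    done
    echo "$ids" | sed '/^$/d' > "$state"
}

case "${1:-}" in
--cron)
    # Real run; cron mails whatever is printed. -n disables colour codes.
    command -v glsa-check >/dev/null || { echo "glsa-check not found"; exit 1; }
    glsa-check -n -t all 2>&1 | glsa_report "$STATE_FILE"
    ;;
--demo)
    # Constructed sample output; the ID is the one mentioned in the thread.
    tmp=$(mktemp)
    printf '201201-09\n' | glsa_report "$tmp"   # first run
    printf '201201-09\n' | glsa_report "$tmp"   # next day, still unfixed
    rm -f "$tmp"
    ;;
esac
```

Called with --cron from a daily crontab entry after the tree sync, it stays silent on an unaffected system; a missing glsa-check is reported rather than passing as "no GLSAs".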

* [gentoo-user] Re: GLSA management
  2012-03-06 19:06 ` Neil Bothwick
  2012-03-06 19:22   ` Grant
@ 2012-03-07  1:48   ` »Q«
  2012-03-07  1:58     ` »Q«
  1 sibling, 1 reply; 9+ messages in thread
From: »Q« @ 2012-03-07  1:48 UTC (permalink / raw
  To: gentoo-user

On Tue, 6 Mar 2012 19:06:46 +0000
Neil Bothwick <neil@digimed.co.uk> wrote:

> If you run testing, you usually have the fixed version before it gets
> into a GLSA.

IME, the same is true of running stable.

I saw comments somewhere recently about the GLSA-releasing process
having a bottleneck somewhere, but there weren't details.  I think I
was reading bugs.gentoo.org, but I'm not sure.

The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized on
all arches, and a GLSA request made, on 16 January but the GLSA wasn't
issued until 6 March.  I don't know if that's an anomaly or not.

There's a lot I don't know in this post, heh.  I guess I'm requesting
comments.

1  https://bugs.gentoo.org/show_bug.cgi?id=397695 

2  http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml





* [gentoo-user] Re: GLSA management
  2012-03-07  1:48   ` [gentoo-user] " »Q«
@ 2012-03-07  1:58     ` »Q«
  0 siblings, 0 replies; 9+ messages in thread
From: »Q« @ 2012-03-07  1:58 UTC (permalink / raw
  To: gentoo-user

On Tue, 6 Mar 2012 19:48:43 -0600
»Q« <boxcars@gmx.net> wrote:

> The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized
> on all arches, and a GLSA request made, on 16 January but the GLSA
> wasn't issued until 6 March.  I don't know if that's an anomaly or
> not.

Of the 12 GLSAs issued today, I believe that was the "oldest".
 
> There's a lot I don't know in this post, heh.  I guess I'm requesting
> comments.
> 
> 1  https://bugs.gentoo.org/show_bug.cgi?id=397695 
> 
> 2  http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml




