* [gentoo-user] GLSA management
From: Grant @ 2012-03-06 18:32 UTC
To: Gentoo mailing list
I've been checking this daily for a while:
http://www.gentoo.org/security/en/glsa/index.xml
but every time there's a vulnerability in a package I know I have
installed, my installed version is unaffected. If I emerge world
daily, do I need to check on GLSA's?
- Grant
* Re: [gentoo-user] GLSA management
From: Michael Orlitzky @ 2012-03-06 18:57 UTC
To: gentoo-user
On 03/06/12 13:32, Grant wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?
>
Does glsa-check still work? It's part of gentoolkit.
* Re: [gentoo-user] GLSA management
From: Neil Bothwick @ 2012-03-06 19:06 UTC
To: gentoo-user
On Tue, 6 Mar 2012 10:32:35 -0800, Grant wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?
If you run testing, you usually have the fixed version before it gets
into a GLSA. Just run glsa-check -t all after syncing.
--
Neil Bothwick
COBOL: Completely Obsolete Business Oriented Language
* Re: [gentoo-user] GLSA management
From: Florian Philipp @ 2012-03-06 19:07 UTC
To: gentoo-user
On 06.03.2012 19:32, Grant wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected. If I emerge world
> daily, do I need to check on GLSA's?
>
> - Grant
>
I don't know the exact policy but I've never seen a GLSA being issued
before the fix got stabilized. If you update daily, GLSAs should not
affect you.
Regards,
Florian Philipp
* Re: [gentoo-user] GLSA management
From: Grant @ 2012-03-06 19:22 UTC
To: gentoo-user
>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected. If I emerge world
>> daily, do I need to check on GLSA's?
>>
>> - Grant
>>
>
> I don't know the exact policy but I've never seen a GLSA being issued
> before the fix got stabilized. If you update daily, GLSAs should not
> affect you.
Thanks Florian.
- Grant
* Re: [gentoo-user] GLSA management
From: Grant @ 2012-03-06 19:22 UTC
To: gentoo-user
>> I've been checking this daily for a while:
>>
>> http://www.gentoo.org/security/en/glsa/index.xml
>>
>> but every time there's a vulnerability in a package I know I have
>> installed, my installed version is unaffected. If I emerge world
>> daily, do I need to check on GLSA's?
>
> If you run testing, you usually have the fixed version before it gets
> into a GLSA. Just run glsa-check -t all after syncing.
Thanks, that works great.
- Grant
* Re: [gentoo-user] GLSA management
From: Urs Schutz @ 2012-03-06 23:13 UTC
To: gentoo-user
On Tue, 6 Mar 2012 10:32:35 -0800
Grant <emailgrant@gmail.com> wrote:
> I've been checking this daily for a while:
>
> http://www.gentoo.org/security/en/glsa/index.xml
>
> but every time there's a vulnerability in a package I
> know I have installed, my installed version is
> unaffected. If I emerge world daily, do I need to check
> on GLSA's?
>
> - Grant
>
I run a cron job that does glsa-check -t all daily, and had
one glsa showing up lately (201201-09). This was an old
slot of media-libs/freetype, pulled in by emerge because of
obscure useflags in luatex. This was with stable packages.
Another one showed up because of app-text/acroread, and
was resolved by replacing acroread with evince.
So in my opinion it is necessary to run glsa-check
regularly to show the detected problems within the system.
Run as a cron job there is little work to do, checking the
mail takes less than 10 seconds.
And: A big thanks to the people who invest their time and
use their brains to write the Gentoo Linux Security Advices!
Urs
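Added example, not part of any message in this thread: a wrapper for the daily `glsa-check -t all` cron job described in the message above, which stays silent unless an advisory applies or the scan itself fails, so cron only mails when there is something to read. The function names and the sample output are constructed for illustration; only `glsa-check -t all` and the two GLSA ids come from the thread.

```shell
#!/bin/sh
# Added example: cron wrapper for `glsa-check -t all` (not from the thread).
# It prints only on a finding or a failed scan, so cron mails only then.

# Read scan output on stdin, print the GLSA ids (YYYYMM-NN) it contains.
# Colour escapes are stripped first; duplicates are collapsed.
extract_glsa_ids() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" | grep -Eo '[0-9]{6}-[0-9]{2,}' | sort -u
}

# Turn a newline-separated id list into a mail body; empty list, empty body.
build_report() {
    [ -n "$1" ] || return 0
    count=$(printf '%s\n' "$1" | wc -l | tr -d ' ')
    printf '%s GLSA(s) apply to this system:\n' "$count"
    for id in $1; do
        printf '  %s  (details: glsa-check -d %s)\n' "$id" "$id"
    done
}

# Constructed sample output (assumed shape, not captured from a real host).
sample_output() {
    printf 'This system is affected by the following GLSAs:\n'
    printf '\033[1;31m201201-09\033[0m\n201203-12\n201201-09\n'
}

# Run the real scan. No meaning is assumed for the exit status: a non-zero
# status is reported as a failure only when no id was found in the output.
run_scan() {
    out=$(glsa-check -t all 2>&1); rc=$?
    ids=$(printf '%s\n' "$out" | extract_glsa_ids)
    if [ -n "$ids" ]; then
        build_report "$ids"
    elif [ "$rc" -ne 0 ]; then
        printf 'glsa-check failed (exit %s):\n%s\n' "$rc" "$out"
    fi
}

# Only scan where gentoolkit's glsa-check is installed.
if command -v glsa-check >/dev/null 2>&1; then
    run_scan
fi
```

Scheduled after the daily sync, this reports an old vulnerable slot like the one described above even when the rest of the system is current.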
* [gentoo-user] Re: GLSA management
From: »Q« @ 2012-03-07 1:48 UTC
To: gentoo-user
On Tue, 6 Mar 2012 19:06:46 +0000
Neil Bothwick <neil@digimed.co.uk> wrote:
> If you run testing, you usually have the fixed version before it gets
> into a GLSA.
IME, the same is true of running stable.
I saw comments somewhere recently about the GLSA-releasing process
having a bottleneck somewhere, but there weren't details. I think I
was reading bugs.gentoo.org, but I'm not sure.
The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized on
all arches, and a GLSA request made, on 16 January but the GLSA wasn't
issued until 6 March. I don't know if that's an anomaly or not.
There's a lot I don't know in this post, heh. I guess I'm requesting
comments.
1 https://bugs.gentoo.org/show_bug.cgi?id=397695
2 http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml
* [gentoo-user] Re: GLSA management
From: »Q« @ 2012-03-07 1:58 UTC
To: gentoo-user
On Tue, 6 Mar 2012 19:48:43 -0600
»Q« <boxcars@gmx.net> wrote:
> The stabilization bug[1] for GLSA 201203-12[2] has the fix stabilized
> on all arches, and a GLSA request made, on 16 January but the GLSA
> wasn't issued until 6 March. I don't know if that's an anomaly or
> not.
Of the 12 GLSAs issued today, I believe that was the "oldest".
> There's a lot I don't know in this post, heh. I guess I'm requesting
> comments.
>
> 1 https://bugs.gentoo.org/show_bug.cgi?id=397695
>
> 2 http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml