Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Thu Jul 08, 2004 3:57 pm Post subject: |
|
|
My guess is that if you have the old kernel (package) installed glsa-check sees it and reports it as vulnerable because it doesn't really work with SLOTs yet unfortunately. |
|
|
|
jpc82 Guru
Joined: 09 Mar 2003 Posts: 326
|
Posted: Mon Jul 12, 2004 2:05 pm Post subject: |
|
|
Update to my problem.
After an emerge sync, glsa-check no longer wanted to downgrade me to r1, but now wanted to upgrade me to r9, which is an improvement.
So I did a glsa-check -f <number>, and let it do its work, and now everything is fine. GLSA-CHECK now reports no more holes, and my system is happy. |
|
|
|
evossler n00b
Joined: 15 Nov 2003 Posts: 31
|
Posted: Tue Jul 20, 2004 9:39 pm Post subject: glsa-check -i doesn't seem to work for me |
|
|
There are a few items that glsa-check still reports me as being vulnerable on, even though I have already applied the updates associated with fixing them. A few of them are kernel issues, which was already talked about earlier (I have not tried removing the outdated source packages), the other is 200405-11, relating to kdelib.
For all of these, I tried to do a glsa-check -i <number> to inject them into the check file, and glsa-check -i reports success when I do this. However, glsa-check continues to report me as vulnerable.
Am I misunderstanding how to use the -i switch, or is this a bug? |
|
|
|
Dr_Smack n00b
Joined: 15 Jul 2004 Posts: 18
|
Posted: Wed Aug 18, 2004 8:13 pm Post subject: |
|
|
I, too, am having issues with glsa-check and kernels. I always emerge -C unused kernel sources, so I just have my latest 2 kernels lying around.
Code: | qpkg -i -I gentoo-dev-sources
sys-kernel/gentoo-dev-sources-2.6.8-r1 *
Full sources including the gentoo patchset for the . kernel tree [ ]
sys-kernel/gentoo-dev-sources-2.6.7-r14 *
Full sources including the gentoo patchset for the . kernel tree [ ]
|
Yet glsa-check -l gives me
Code: | 200407-12 [N] Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling ( sys-kernel/rsbac-dev-sources sys-kernel/pegasos-dev-sources sys-kernel/hppa-dev-sources ... ) |
glsa-check -t 200407-12 tells me I am vulnerable (despite the fact I am not) and glsa-check -p 200407-12 says there is nothing to do for that GLSA. Any ideas as to what is going on? |
|
|
|
dfort n00b
Joined: 31 Jul 2004 Posts: 29 Location: West Hollywood
|
Posted: Sat Aug 28, 2004 7:32 pm Post subject: |
|
|
I too have this problem with GLSA 200407-12.
Code: | mariachi root # glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
This system is affected by the following GLSA:
200407-12
mariachi root # glsa-check -f 200407-12
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
fixing 200407-12
mariachi root # glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
This system is affected by the following GLSA:
200407-12
mariachi root # |
It just won't go away.
Here is a snip of the result of glsa-check -p all:
Code: | **********************************************************************
Checking GLSA 200407-12
Nothing to do for this GLSA
**********************************************************************
|
I'm running the gentoo-dev-sources-2.6.7-r13 on an Athlon 64 system.
Any clues? |
|
|
|
richardjuckes n00b
Joined: 23 Jun 2004 Posts: 12 Location: China
|
Posted: Wed Sep 29, 2004 9:24 am Post subject: |
|
|
Hi, I get this error to glsa-check -t all
Code: | auxdb exception: [/usr/portage::media-libs/gdk-pixbuf-0.22.0-r2]: u'No key provided. key: gdk-pixbuf-0.22.0-r2'
Traceback (most recent call last):
File "/usr/bin/glsa-check", line 215, in ?
if myglsa.isVulnerable():
File "/usr/lib/gentoolkit/pym/glsa.py", line 540, in isVulnerable
rValue = rValue \
File "/usr/lib/gentoolkit/pym/glsa.py", line 334, in getMinUpgrade
mylist = portage.db["/"]["porttree"].dbapi.match(u)
File "/usr/lib/portage/pym/portage.py", line 5133, in match
return self.xmatch("match-visible",mydep)
File "/usr/lib/portage/pym/portage.py", line 5120, in xmatch
myval=match_from_list(mydep,self.xmatch("list-visible",None,mydep=mydep,mykey=mykey))
File "/usr/lib/portage/pym/portage.py", line 5106, in xmatch
myval=self.gvisible(self.visible(self.cp_list(mykey)))
File "/usr/lib/portage/pym/portage.py", line 5204, in gvisible
myaux=db["/"]["porttree"].dbapi.aux_get(mycpv, ["KEYWORDS"])
File "/usr/lib/portage/pym/portage.py", line 4900, in aux_get
self.auxdb[mylocation][cat].del_key(pkg)
File "/usr/lib/portage/pym/portage_db_flat.py", line 94, in del_key
mylock = portage_locks.lockfile(self.fullpath+key, wantnewlockfile=1)
File "/usr/lib/portage/pym/portage_locks.py", line 81, in lockfile
raise ValueError, "Unknown type passed in '%s': '%s'" % (type(mypath),mypath)
ValueError: Unknown type passed in '<type 'unicode'>': '/var/cache/edb/dep//usr/portage/media-libs/gdk-pixbuf-0.22.0-r2'
|
and this to glsa-check -f all
Code: | fixing 200409-28
auxdb exception: [/usr/portage::x11-libs/gtk+-1.2.10-r11]: u'No key provided. key: gtk+-1.2.10-r11'
Traceback (most recent call last):
File "/usr/bin/glsa-check", line 173, in ?
mergelist = myglsa.getMergeList()
File "/usr/lib/gentoolkit/pym/glsa.py", line 584, in getMergeList
path["unaff_atoms"])
File "/usr/lib/gentoolkit/pym/glsa.py", line 334, in getMinUpgrade
mylist = portage.db["/"]["porttree"].dbapi.match(u)
File "/usr/lib/portage/pym/portage.py", line 5133, in match
return self.xmatch("match-visible",mydep)
File "/usr/lib/portage/pym/portage.py", line 5120, in xmatch
myval=match_from_list(mydep,self.xmatch("list-visible",None,mydep=mydep,mykey=mykey))
File "/usr/lib/portage/pym/portage.py", line 5106, in xmatch
myval=self.gvisible(self.visible(self.cp_list(mykey)))
File "/usr/lib/portage/pym/portage.py", line 5204, in gvisible
myaux=db["/"]["porttree"].dbapi.aux_get(mycpv, ["KEYWORDS"])
File "/usr/lib/portage/pym/portage.py", line 4900, in aux_get
self.auxdb[mylocation][cat].del_key(pkg)
File "/usr/lib/portage/pym/portage_db_flat.py", line 94, in del_key
mylock = portage_locks.lockfile(self.fullpath+key, wantnewlockfile=1)
File "/usr/lib/portage/pym/portage_locks.py", line 81, in lockfile
raise ValueError, "Unknown type passed in '%s': '%s'" % (type(mypath),mypath)
ValueError: Unknown type passed in '<type 'unicode'>': '/var/cache/edb/dep//usr/portage/x11-libs/gtk+-1.2.10-r11'
|
For the last few months glsa-check -f all has not produced errors nor made any fixes.
Thanks in advance for any help. |
|
|
|
Koon Retired Dev
Joined: 10 Dec 2002 Posts: 518
|
Posted: Sun Oct 10, 2004 12:22 pm Post subject: |
|
|
dfort wrote: | I too have this problem with GLSA 200407-12. |
200407-12 had a specific problem in the way it was written. A new version was committed that should work, see https://bugs.gentoo.org/show_bug.cgi?id=64601
-K |
|
|
|
kaffeen Tux's lil' helper
Joined: 27 Jan 2004 Posts: 139 Location: The Frozen North
|
Posted: Sat Oct 23, 2004 4:19 pm Post subject: |
|
|
I'm having the same problem with GLSA 200409-28 when I run 'glsa-check -f all'. I'm not really sure as to why I show as being vulnerable to this GLSA in the first place since I've only recently built this system (it's less than two weeks old) and I have never had a version of GTK+, GTK+2, or GDK-PIXBUF installed that was affected by this particular GLSA. Can this just safely be ignored or is there something I am missing? |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Sun Oct 24, 2004 1:10 am Post subject: |
|
|
ignore it or update to gentoolkit-0.2.0_pre10. |
|
|
|
salivian Tux's lil' helper
Joined: 15 Sep 2002 Posts: 91
|
Posted: Tue Oct 26, 2004 4:42 pm Post subject: |
|
|
After recent portage upgrade, I am forced to run gentoolkit-0.2.0_pre10, as pre8 failed on unicode errors.
yet pre10 is interested in emerging masked packages.
eg.
fixing 200410-04
>>> merging dev-php/mod_php-5.0.0
Calculating dependencies
!!! All ebuilds that could satisfy "=dev-php/mod_php-5.0.0" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-php/mod_php-5.0.0 (masked by: -x86 keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.
though emerge works perfectly.
vector etc # emerge -p mod_php
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild NS ] dev-php/mod_php-4.3.9
[ebuild U ] dev-php/php-4.3.9 [4.3.8] |
|
|
|
dr_dex n00b
Joined: 22 Jan 2003 Posts: 32 Location: Tønsberg, Vestfold, Norway
|
Posted: Fri Oct 29, 2004 10:45 am Post subject: |
|
|
After upgrading to _pre10 I also get the same message about wanting to install masked packages, but I have a problem with mit-krb5.
Running 'emerge -vp mit-krb5' works as expected, so why isn't glsa-check picking this up correctly?
Anyone got a solution? |
|
|
|
vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
|
Posted: Sat Nov 13, 2004 1:00 pm Post subject: |
|
|
This is a bit weird: glsa-check tries to merge the same package again:
This is the output from glsa-check --pretend:
Code: | Checking GLSA 200410-20
The following updates will be performed for this GLSA:
net-print/cups-1.1.20-r5 (1.1.20-r5) |
I'm using gentoolkit-0.2.0_pre10-r1
edit: I found the reason, I was using AUTOCLEAN="no" in make.conf
However, it might be something interesting to include in "glsa-check --fix" (setting AUTOCLEAN to yes, to make sure the package will be removed!) Yes, people do dump things
_________________
The best way to accelerate a windows server is by 9.81M/S²
Linux user #311670 and Yet Another Perl Programmer
[ screenies | Coding on KMess ] |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Sun Nov 14, 2004 5:21 am Post subject: |
|
|
Nah, we're probably removing support for AUTOCLEAN=no completely as I don't see any real use for it anymore. |
|
|
|
vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
|
Posted: Sun Nov 14, 2004 11:31 am Post subject: |
|
|
Genone wrote: | Nah, we're probably removing support for AUTOCLEAN=no completely as I don't see any real use for it anymore. |
Sounds even better |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Sun Dec 05, 2004 10:18 am Post subject: |
|
|
Genone wrote: | Nah, we're probably removing support for AUTOCLEAN=no completely as I don't see any real use for it anymore. |
I'm not sure it is completely useless. I think I set it to prevent my current kernel sources getting binned when I updated to a newer version.
Kernel upgrades is (at least) one area where I *require* the previous version to remain intact as a fallback.
I could probably find others but kernel is the biggest, most obvious and most important.
Please correct me if I have misunderstood autoclean.
Thanks
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Sun Dec 05, 2004 10:24 am Post subject: |
|
|
I have a similar pb to earlier posts with a masked package.
in my case ghostscript-7.0.1-r7 had a bug that screwed up CUPS so I had to mask it.
I don't understand the workings of glsa yet but it seems that maybe it should cater for this sort of situation.
HTH |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Mon Dec 06, 2004 7:39 am Post subject: |
|
|
Gentree wrote: | Genone wrote: | Nah, we're probably removing support for AUTOCLEAN=no completely as I don't see any real use for it anymore. |
I'm not sure it is completely useless. I think I set it to prevent my current kernel sources getting binned when I updated to a newer version.
Kernel upgrades is (at least) one area where I *require* the previous version to remain intact as a fallback.
|
Well, kernel sources are slotted so upgrades won't remove the older versions anyway. |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Mon Dec 06, 2004 9:28 pm Post subject: |
|
|
Thanks for clearing that up.
In fact I checked and I have AUTOCLEAN commented out, and it does the 5 4 3 2 1 bit and removes the old version.
So my issue remains that with a package masked locally for a specific bug I can no longer use glsa-check:
Code: | fixing 200410-17
**********************************************************************
fixing 200410-18
>>> merging app-text/ghostscript-7.07.1-r7
Calculating dependencies
!!! All ebuilds that could satisfy "=app-text/ghostscript-7.07.1-r7" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-text/ghostscript-7.07.1-r7 (masked by: package.mask)
|
so my glsa-check -f all is doing just that : f all.
I could do -l and then do each one by hand, but would it be possible/logical for it to do all other checks that are possible and then print this error afterwards?
At this time do I have to choose between a working cups and a security hole in ghostscript or is there another option?
Thx |
|
|
|
gentoo_lan l33t
Joined: 08 Sep 2004 Posts: 891 Location: Charles Town, WV
|
Posted: Wed Dec 08, 2004 10:18 pm Post subject: |
|
|
glsa-check --pretend all gives me this item to fix:
Code: | Checking GLSA 200411-38
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.01 (1.4.1) |
I have blackdown-jdk 1.41, blackdown-jdk 1.4.2.01, and sun-jdk-1.4.2.06 installed. Currently I use sun-jdk and was wondering if this was an error in GLSA check. When trying to fix the GLSA it wants me to install blackdown-jdk...since I am using sun-jdk I don't believe this is necessary. |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Thu Dec 09, 2004 1:44 am Post subject: |
|
|
gentoo_lan wrote: | glsa-check --pretend all gives me this item to fix:
Code: | Checking GLSA 200411-38
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.01 (1.4.1) |
I have blackdown-jdk 1.41, blackdown-jdk 1.4.2.01, and sun-jdk-1.4.2.06 installed. Currently I use sun-jdk and was wondering if this was an error in GLSA check. When trying to fix the GLSA it wants me to install blackdown-jdk...since I am using sun-jdk I don't believe this is necessary. |
Quote: | I have blackdown-jdk 1.41, blackdown-jdk 1.4.2.01, and sun-jdk-1.4.2.06 installed. |
There is your problem, unmerge blackdown-1.4.1 and you should be ok. |
|
|
|
gentoo_lan l33t
Joined: 08 Sep 2004 Posts: 891 Location: Charles Town, WV
|
Posted: Thu Dec 09, 2004 3:13 am Post subject: |
|
|
Thanks that worked perfectly. |
|
|
|
vdboor Guru
Joined: 03 Dec 2003 Posts: 592 Location: The Netherlands
|
Posted: Sun Dec 12, 2004 2:46 pm Post subject: |
|
|
I noticed how glsa-check tried to emerge "media-libs/pdflib-5.0.4_p1" to fix GLSA 200412-02. Considering this output from etcat -v I get the feeling something is wrong here, shouldn't glsa-check emerge media-libs/pdflib-5.0.4_p1-r1 instead..??
Code: | diederik@pts/3 diederik $ etcat -v pdflib
[ Results for search key : pdflib ]
[ Candidate applications found : 3 ]
Only printing found installed programs.
* media-libs/pdflib :
[ ] 5.0.2 (5)
[ I] 5.0.4_p1 (5)
[ ] 5.0.4_p1-r1 (5) |
update: I've merged the version 5.0.4_p1-r1 myself, and glsa-check still tries to install version 5.0.4_p1. |
|
|
|
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Mon Dec 20, 2004 12:23 pm Post subject: |
|
|
I'm getting weird *pdf* stuff as well:
glsa-check -t all
pulls up 200410-30 which wants to emerge gpdf-2.8.0-r2.
I don't even have this in world or any deps or on the system !!
Why is it trying to "upgrade" from a security risk I don't even have?
THx |
|
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Wed Dec 22, 2004 10:53 pm Post subject: |
|
|
Ok, first thing: You should use the "new" keyword, not the "all" keyword (the difference is that "all" also checks GLSAs that are already marked as fixed). The pdflib issue sounds right, glsa-check will always use the lowest unaffected version, it doesn't necessarily do the same as the GLSA resolution says.
The situation with the pdflib downgrade is just the usual SLOT issue, you have to remove the older 4.x versions manually for now and run revdep-rebuild. |
|
|
|
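Added example (not part of any post in this thread, and not gentoolkit's code): a simplified Python model of the behaviour described in the post above, where a leftover version in another SLOT keeps the system flagged and the proposed fix is the lowest unaffected version. The version parser, the function names, the 4.0.3 version and the 5.0.4_p1 threshold are assumptions made for the illustration.

```python
import re

# Simplified Gentoo version ordering (assumption): dotted numbers, optional
# _pN patch level, optional -rN revision. Real Portage rules cover more cases.
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?$")

def vkey(version):
    m = _VER.match(version)
    if m is None:
        raise ValueError("unsupported version string: %r" % version)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) is not None else -1
    revision = int(m.group(3) or 0)
    return (numbers, patch, revision)

def affected_versions(installed, first_unaffected):
    """Installed versions older than the first unaffected one, across ALL slots."""
    limit = vkey(first_unaffected)
    return sorted((v for v in installed if vkey(v) < limit), key=vkey)

def slot_unaware_plan(installed, available, first_unaffected):
    """Model of the described behaviour: any old copy flags the system, and
    the proposed fix is the lowest unaffected version in the tree."""
    stale = affected_versions(installed, first_unaffected)
    if not stale:
        return {"affected": False, "merge": None, "stale": []}
    limit = vkey(first_unaffected)
    candidates = [v for v in available if vkey(v) >= limit]
    target = min(candidates, key=vkey) if candidates else None
    # If the target is already installed there is nothing to merge, yet the
    # system stays flagged until the stale versions are removed.
    merge = target if target not in installed else None
    return {"affected": True, "merge": merge, "stale": stale}

# Constructed sample data; 4.0.3 stands in for "the older 4.x versions".
TREE = ["5.0.2", "5.0.4_p1", "5.0.4_p1-r1"]
FIRST_UNAFFECTED = "5.0.4_p1"  # assumed threshold for this illustration

def demo():
    before = slot_unaware_plan(["4.0.3", "5.0.4_p1-r1"], TREE, FIRST_UNAFFECTED)
    after = slot_unaware_plan(["5.0.4_p1-r1"], TREE, FIRST_UNAFFECTED)
    return before, after

if __name__ == "__main__":
    for label, plan in zip(("old slot kept", "old slot removed"), demo()):
        print(label, plan)
```

With the old slot still installed the plan is a downgrade to 5.0.4_p1; the `stale` list names what to unmerge before re-running the check.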
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Thu Jan 13, 2005 12:48 am Post subject: |
|
|
Code: | --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-app-text_-_a2ps-4.13c-r2-25287.log"
open_wr: /usr/qt/3/etc/settings/.qtrc.lock
open_wr: /usr/qt/3/etc/settings/.qtrc.lock
|
200501-02 tries to update a2ps but seems to want to break out of the sandbox.
|
|
|
|
|