portage GLSA integration (aka `emerge security`)

Genone · Posted: Thu Jul 08, 2004 3:57 pm Post subject:

My guess is that if you have the old kernel (package) installed glsa-check sees it and reports it as vulnerable becuase it doesn't really work with SLOTs yet unfortunately.

jpc82 · Guru Joined: 09 Mar 2003 Posts: 326

Update to my problem.

After a emerge sync, glsa-check no longer wanted to down grade me to r1, but now wonted to upgrade me to r9, which is an improvment.

So I did a glsa-check -f <number>, and let it do its work, and now everything is fine. GLSA-CHECK now reports no more holes, and my system is happy.

evossler · n00b Joined: 15 Nov 2003 Posts: 31

There are a few items that glsa-check still reports me as being vulnerable on, even though I have already applied the updates associated with fixing them. A few of them are kernel issues, which was already talked about earlier (I have not tried removing the outdated source packages), the other is 200405-11, relating to kdelib.

For all of these, I tried to do a glsa-check -i <number> to inject them into the check file, and glsa-check -i reports success when I do this. However, glsa-check continues to report me as vulnerable.

Am I misunderstanding how to use the -i switch, or is this a bug?

Dr_Smack · n00b Joined: 15 Jul 2004 Posts: 18

I, too, am having issues with glsa-check and kernels. I always emerge -C unused kernel sources, so I just have my latest 2 kernels lying around.

dfort · Posted: Sat Aug 28, 2004 7:32 pm Post subject:

I too have this problem with GLSA 200407-12.

richardjuckes · n00b Joined: 23 Jun 2004 Posts: 12 Location: China

Hi, I get this error to glsa-check -t all

Koon · Retired Dev Joined: 10 Dec 2002 Posts: 518

kaffeen · Posted: Sat Oct 23, 2004 4:19 pm Post subject:

I'm having the same problem with GLSA 200409-28 when I run 'glsa-check -f all'. I'm not really sure as to why I show as being vulnerable to this GLSA in the first place since I've only recently built this system (it's less than two weeks old) and I have never had a version of GTK+, GTK+2, or GDK-PIXPUF installed that was affected by this particular GLSA. Can this just safely be ignored or is there something I am missing?

Genone · Posted: Sun Oct 24, 2004 1:10 am Post subject:

ignore it or update to gentoolkit-0.2.0_pre10.

salivian · Tux's lil' helper Joined: 15 Sep 2002 Posts: 91

After recent portage upgrade, I am forced to run gentoolkit-0.2.0_pre10, as pre8 failed on unicode errors.

yet pre10 is interested in emerging masked packages.
eg.
fixing 200410-04
>>> merging dev-php/mod_php-5.0.0
Calculating dependencies
!!! All ebuilds that could satisfy "=dev-php/mod_php-5.0.0" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-php/mod_php-5.0.0 (masked by: -x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.

though emerge works perfectly.
vector etc # emerge -p mod_php
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild NS ] dev-php/mod_php-4.3.9
[ebuild U ] dev-php/php-4.3.9 [4.3.8]

dr_dex · Posted: Fri Oct 29, 2004 10:45 am Post subject:

After upgrading to _pre10 I also get the same message about wanting to install masked packages, but I have a problem with mit-krb5.

Running 'emerge -vp mit-krb5' works as expected, so why isn't glsa-check picking this up correctly?

Anyone got a solution?

vdboor · Posted: Sat Nov 13, 2004 1:00 pm Post subject:

This is a bit weird: glsa-check tries to merge the same package again:

This is the output from glsa-check --pretent:

Genone · Posted: Sun Nov 14, 2004 5:21 am Post subject:

Nah, we're probably removing support for AUTOCLEAN=no completely as I don't see any real use for it anymore.

vdboor · Posted: Sun Nov 14, 2004 11:31 am Post subject:

Gentree · Posted: Sun Dec 05, 2004 10:18 am Post subject:

Gentree · Posted: Sun Dec 05, 2004 10:24 am Post subject:

I have a similar pb to earlier posts with a masked package.

in my case ghostscript-7.0.1-r7 had a bug that screwed up CUPS so I had to mask it.

I dont understand the workings of glsa yet but it seems that maybe it should cater for this sort of situation.

HTH

_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

Genone · Posted: Mon Dec 06, 2004 7:39 am Post subject:

Gentree · Posted: Mon Dec 06, 2004 9:28 pm Post subject:

Thanks for clearing that up.

In fact I checked and I have AUTOCLEAN commented out , and it does the 5 4 3 2 1 bit and removes the old version.

So my issue remains that with a package masked locally for a specific bug I can no longer use glsa-check:

gentoo_lan · Posted: Wed Dec 08, 2004 10:18 pm Post subject:

glsa-check --pretend all gives me this item to fix:

Genone · Posted: Thu Dec 09, 2004 1:44 am Post subject:

gentoo_lan · Posted: Thu Dec 09, 2004 3:13 am Post subject:

Thanks that worked perfectly.

vdboor · Posted: Sun Dec 12, 2004 2:46 pm Post subject:

I noticed how glsa-check tried to emerge "media-libs/pdflib-5.0.4_p1" to fix GLSA 200412-02. Considering this output from etcat -v I get the feeling something is wrong here, shoudn't glsa-check emerge media-libs/pdflib-5.0.4_p1-r1 instead..??

Gentree · Posted: Mon Dec 20, 2004 12:23 pm Post subject:

I'm getting wierd *pdf* stuff as well:

glsa-check -t all

pulls up 200410-30 which wants to emerge gpdf-2.8.0-r2.

I dont even have this in world or any deps or on the system !!

Why is it trying to "upgrade" from a security risk I dont even have?

THx

_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

Genone · Posted: Wed Dec 22, 2004 10:53 pm Post subject:

Ok, first thing: You whould use the "new" keyword, not the "all" keyword (the difference is that "all" also checks GLSAs that are already marked as fixed). The pdflib issue sounds right, glsa-check will always use the lowest unaffected version, it doesn't necessarily do the same as the GLSA resolution says.

The situation with the pdflib downgrade is just the usual SLOT issue, you have to remove the older 4.x versions manually for now and run revdep-rebuild.

Gentree · Posted: Thu Jan 13, 2005 12:48 am Post subject: