| View previous topic :: View next topic |
| Author |
Message |
planet-admin
Apprentice
Joined: 27 Mar 2004
Posts: 213
Location: Boise, ID
|
|
| Back to top |
|
 |
saellaven
l33t
Joined: 23 Jul 2006
Posts: 646
|
 Posted: Wed Jan 28, 2015 12:43 am Post subject: |
 |
|
| >=sys-libs/glibc-2.18 is safe. 2.19-r1 is stable on all platforms except mips (where no glibc is stable) |
|
| Back to top |
|
|
P1neapple
n00b
Joined: 18 Jul 2014
Posts: 35
|
| Posted: Wed Jan 28, 2015 1:23 am Post subject: |
|
|
So we are safe if we use 2.19-r1? Good.
_________________
Gentoo currently running in Virtualbox, hoping to switch to real hardware soon... |
|
| Back to top |
|
|
titanofold
Developer
Joined: 30 Dec 2003
Posts: 235
Location: Bryson City, NC USA
|
|
| Back to top |
|
|
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
|
| Posted: Wed Jan 28, 2015 1:04 pm Post subject: |
|
|
| titanofold wrote: | | P1neapple wrote: | | So we are safe if we use 2.19-r1? Good. |
You are safe if you're using 2.18 even. |
Back in August I jumped from 2.17 to 2.19. Someone else on Phoronix said that 2.19 actually became stable on July 29.
_________________
.sigs waste space and bandwidth |
|
| Back to top |
|
|
shanew
n00b
Joined: 16 Sep 2006
Posts: 34
Location: Austin, TX
|
| Posted: Wed Jan 28, 2015 9:07 pm Post subject: |
|
|
My impression, though, is that anything statically compiled with a vulnerable version of glibc will still be vulnerable regardless of the glibc version currently installed on your system. Admittedly, statically compiled packages are probably pretty rare on a "normal" computer, but embedded systems or installs that need to squeeze into small footprints might be another story.
So, two questions: 1. Can someone confirm or deny my impression? 2. How would one go about finding statically linked binaries on a gentoo system?
seemed like a good start, but that only tells me whether a package has such a flag, not whether it's set. | Code: | | eix '-I*' -e --installed-with-use static --format '<installedversions:NAMEVERSION>' |
seems to be closer, but I wonder if I'm still missing something?
Oh, and I guess even with that I'd like a way to check what version of glibc it was compiled against, and I don't even know where to start with that. |
|
| Back to top |
|
|
grant123
Veteran
Joined: 23 Mar 2005
Posts: 1080
|
|
| Back to top |
|
|
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21631
|
| Posted: Fri Jan 30, 2015 2:36 am Post subject: |
|
|
| Since the most recent entry currently on that page is from December, perhaps the maintainer for that page simply has not had time to update it. Also, as a rolling release distribution, any well maintained Gentoo system will already have upgraded to the fixed glibc version before the bug was announced as a security issue, so a GLSA is far less urgent than in the case of bugs like Heartbleed and Shellshock where the default configuration of an updated system was easily vulnerable at the time those bugs were announced. |
|
| Back to top |
|
|
F_
Tux's lil' helper
Joined: 31 Dec 2006
Posts: 142
|
| Posted: Fri Jan 30, 2015 7:48 pm Post subject: |
|
|
See the Gentoo vulnerability discussions here:
Best Regards,
F_ |
|
| Back to top |
|
|
|
Networking & Security
