planet-admin Apprentice
Joined: 27 Mar 2004 Posts: 213 Location: Boise, ID
saellaven l33t
Joined: 23 Jul 2006 Posts: 646
Posted: Wed Jan 28, 2015 12:43 am
>=sys-libs/glibc-2.18 is safe. 2.19-r1 is stable on all platforms except mips (where no glibc is stable)
P1neapple n00b
Joined: 18 Jul 2014 Posts: 35
Posted: Wed Jan 28, 2015 1:23 am
So we are safe if we use 2.19-r1? Good.
_________________
Gentoo currently running in Virtualbox, hoping to switch to real hardware soon...
titanofold Developer
Joined: 30 Dec 2003 Posts: 235 Location: Bryson City, NC USA
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Jan 28, 2015 1:04 pm
titanofold wrote:
  P1neapple wrote:
    So we are safe if we use 2.19-r1? Good.
  You are safe if you're using 2.18 even.
Back in August I jumped from 2.17 to 2.19. Someone else on Phoronix said that 2.19 actually became stable on July 29.
_________________
.sigs waste space and bandwidth
shanew n00b
Joined: 16 Sep 2006 Posts: 34 Location: Austin, TX
Posted: Wed Jan 28, 2015 9:07 pm
My impression, though, is that anything statically compiled with a vulnerable version of glibc will still be vulnerable regardless of the glibc version currently installed on your system. Admittedly, statically compiled packages are probably pretty rare on a "normal" computer, but embedded systems or installs that need to squeeze into small footprints might be another story.
So, two questions:
1. Can someone confirm or deny my impression?
2. How would one go about finding statically linked binaries on a Gentoo system?
seemed like a good start, but that only tells me whether a package has such a flag, not whether it's set.
Code:
eix '-I*' -e --installed-with-use static --format '<installedversions:NAMEVERSION>'
seems to be closer, but I wonder if I'm still missing something?
Oh, and I guess even with that I'd like a way to check what version of glibc it was compiled against, and I don't even know where to start with that.
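For the second question in the post above, one way to list statically linked files without relying on USE flags (an added example, not part of the original thread): it reads each file's ELF program headers and reports files that have neither PT_INTERP nor PT_DYNAMIC. The function names and default scan directories are assumptions of this example, and it does not tell you which glibc version was linked in.

```python
import os, struct, sys

PT_DYNAMIC, PT_INTERP = 2, 3      # program header types (ELF spec)
ET_EXEC, ET_DYN = 2, 3            # executable / shared object or PIE

def elf_linkage(fh):
    """Return 'static', 'dynamic', or None (not an ELF executable) for a binary file object."""
    hdr = fh.read(64)
    if len(hdr) < 52 or hdr[:4] != b"\x7fELF" or hdr[4] not in (1, 2) or hdr[5] not in (1, 2):
        return None
    is64, end = hdr[4] == 2, "<" if hdr[5] == 1 else ">"
    e_type = struct.unpack_from(end + "H", hdr, 16)[0]
    if e_type not in (ET_EXEC, ET_DYN) or (is64 and len(hdr) < 64):
        return None                               # relocatable object, core dump, short header
    phoff = struct.unpack_from(end + ("Q" if is64 else "I"), hdr, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", hdr, 54 if is64 else 42)
    if phentsize < 4 or phnum == 0:
        return None                               # malformed or no program headers
    fh.seek(phoff)
    table = fh.read(phentsize * phnum)
    if len(table) < phentsize * phnum:
        return None                               # truncated file
    # p_type is the first 32-bit field of every program header, 32- and 64-bit alike
    types = {struct.unpack_from(end + "I", table, i * phentsize)[0] for i in range(phnum)}
    # No interpreter request and no dynamic section: nothing is resolved at load time,
    # so any libc code was copied in at build time. Static-PIE files (which do carry
    # PT_DYNAMIC) are not covered by this simple rule.
    return "dynamic" if types & {PT_INTERP, PT_DYNAMIC} else "static"

def find_static(roots):
    """Walk the given directories; return sorted paths of statically linked ELF files."""
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        if elf_linkage(fh) == "static":
                            hits.append(path)
                except (OSError, OverflowError):
                    continue                      # unreadable file or absurd offset: skip
    return sorted(hits)

if __name__ == "__main__":
    # Default directories are an assumption; pass your own roots as arguments.
    print("\n".join(find_static(sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"])))
```

Each reported path can then be mapped back to its owning package and rebuilt against the fixed glibc.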
grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Fri Jan 30, 2015 2:36 am
Since the most recent entry currently on that page is from December, perhaps the maintainer for that page simply has not had time to update it. Also, as a rolling release distribution, any well-maintained Gentoo system will already have upgraded to the fixed glibc version before the bug was announced as a security issue, so a GLSA is far less urgent than in the case of bugs like Heartbleed and Shellshock where the default configuration of an updated system was easily vulnerable at the time those bugs were announced.
F_ Tux's lil' helper
Joined: 31 Dec 2006 Posts: 142
Posted: Fri Jan 30, 2015 7:48 pm
See the Gentoo vulnerability discussions here:
Best Regards,
F_