soehest n00b
Joined: 30 Aug 2007 Posts: 15
|
Posted: Mon Dec 29, 2014 11:46 pm Post subject: glsa-check not doing it for me. |
|
|
While testing the tool glsa-check I have come to the conclusion that I am either using it wrong or it is simply not working:
I am running a crontab check with glsa-check included to check if the system has any programs listed on the glsa page (http://www.gentoo.org/security/en/glsa/index.xml). I was puzzled as I was not notified of the recent ntp vulnerability but thought it was an error on my part, so I decided to test it a bit further. As the package sys-apps/file was just marked as well, I am using this as a test case. It seems that versions below 5.21 are affected, so I just used package mask to install version 5.19.
Code: |
gentoo gentoolkit # glsa-check -l all | grep 201408-08
201408-08 [U] file: Denial of Service ( sys-apps/file )
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.
gentoo gentoolkit # file -v
file-5.19
magic file from /usr/share/misc/magic
gentoo gentoolkit #
|
As seen file is not being marked as affected on the system. So what am I missing, and why does it not show affected packages?
Best Regards |
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Tue Dec 30, 2014 12:12 am Post subject: |
|
|
Because you update regularly.
The newest version of most packages is unaffected since you don't want to publicize vulnerabilities until you fix the problem. Basically, you already solved the problem without knowing it.
_________________
First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
soehest n00b
Joined: 30 Aug 2007 Posts: 15
|
Posted: Tue Dec 30, 2014 10:41 am Post subject: |
|
|
The Doctor wrote: | Because you update regularly.
|
Thanks for your reply. You are correct. I missed one important piece of information when using glsa-check. From the man page:
Code: |
Note: In order for this tool to be effective, you must regularly sync your local portage tree.
|
It seems that the list from glsa is pulled when doing a sync. I was under the impression that it was a "stand alone" tool I could just run without doing anything else. Thinking about it, it does make sense that it requires a local sync. I better update my crontab jobs to include sync. Thanks
Best Regards |
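
A cron wrapper that applies the point this thread arrives at (glsa-check only sees advisories that a sync has already pulled into the local tree), as an added example that is not from either poster or from gentoolkit. The tree path, the `metadata/timestamp.chk` file, the one-day threshold, the `--run` switch and the script path in the crontab comment are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example: cron wrapper that syncs a stale tree before trusting glsa-check.
# Assumed values (not from the thread): tree path, timestamp file, 1-day limit.
PORTDIR="${PORTDIR:-/usr/portage}"
STAMP="${STAMP:-$PORTDIR/metadata/timestamp.chk}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"

# Succeeds (0) when the sync timestamp $1 is missing or older than $2 minutes.
tree_is_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mmin "+$2" 2>/dev/null)" ]
}

# Filters `glsa-check -l` output on stdin down to entries flagged [N]
# ("might be affected"), i.e. lines shaped like
#   201408-08 [U] file: Denial of Service ( sys-apps/file )
affected_only() {
    grep -E '^[0-9]{6}-[0-9]+ \[N\] ' || true
}

# Exit codes: 0 = nothing flagged, 1 = at least one [N] GLSA, 2 = sync failed.
run_check() {
    if tree_is_stale "$STAMP" "$MAX_AGE_MIN"; then
        if ! emerge --sync --quiet >/dev/null; then
            echo "portage sync failed; glsa-check result would be unreliable" >&2
            return 2
        fi
    fi
    # The [A]/[U]/[N] legend goes to stderr (in the first post it passed
    # through `| grep` unfiltered), so drop it to keep cron mail to findings.
    hits=$(glsa-check -l all 2>/dev/null | affected_only)
    [ -z "$hits" ] && return 0
    printf 'GLSAs that may affect this host:\n%s\n' "$hits"
    return 1
}

# Only act when asked to, so the functions can be sourced and tested.
# Hypothetical crontab entry: 15 6 * * * /usr/local/sbin/glsa-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
    exit $?
fi
```

Because cron mails whatever a job prints, a quiet run means a fresh tree with no `[N]` entries, while a failed sync is reported instead of being read as "not affected".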