Gentoo Forums
glsa-check not doing it for me.
soehest
n00b


Joined: 30 Aug 2007
Posts: 15

Posted: Mon Dec 29, 2014 11:46 pm    Post subject: glsa-check not doing it for me.

While testing the tool glsa-check I have come to the conclusion that I am either using it wrong or it is simply not working:
I am running a crontab check with glsa-check included to check if the system has any programs listed on the glsa page (http://www.gentoo.org/security/en/glsa/index.xml). I was puzzled as I was not notified of the recent ntp vulnerability, but thought it was an error on my part, so I decided to test it a bit further. As the package sys-apps/file was just marked as well, I am using this as a test case. It seems that versions below 5.21 are affected, so I just used package mask to install version 5.19.

Code:

gentoo gentoolkit # glsa-check -l all | grep 201408-08
201408-08 [U] file: Denial of Service ( sys-apps/file )
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

gentoo gentoolkit # file -v
file-5.19
magic file from /usr/share/misc/magic
gentoo gentoolkit #


As seen, file is not being marked as affected on the system. So what am I missing, and why does it not show affected packages?

Best Regards
The Doctor
Moderator


Joined: 27 Jul 2010
Posts: 2678

Posted: Tue Dec 30, 2014 12:12 am    Post subject:

Because you update regularly.

The newest version of most packages is unaffected since you don't want to publicize vulnerabilities until you fix the problem. Basically, you already solved the problem without knowing it.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
soehest
n00b


Joined: 30 Aug 2007
Posts: 15

Posted: Tue Dec 30, 2014 10:41 am    Post subject:

The Doctor wrote:
Because you update regularly.


Thanks for your reply. You are correct. I missed one important piece of information when using glsa-check. From the man page:

Code:

Note: In order for this tool to be effective, you must regularly sync your local portage tree.


It seems that the list from glsa is pulled when doing a sync. I was under the impression that it was a "stand alone" tool I could just run without doing anything else. Thinking about it, it does make sense that it requires a local sync. I better update my crontab jobs to include sync ;-) Thanks :-)

Best Regards
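Added example (not part of the original posts): a cron wrapper for the fix the thread arrives at, which syncs a stale tree before running glsa-check and reports failure instead of a misleading "unaffected" when the sync does not succeed. The PORTDIR default, the MAX_AGE_DAYS threshold, the `--cron` flag and the exit codes are assumptions of this sketch, and it relies on GNU date and an rsync-synced tree that carries metadata/timestamp.chk.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an rsync-synced tree whose
# metadata/timestamp.chk holds a date like "Mon, 29 Dec 2014 23:45:01 +0000"
# and GNU date (for -d). PORTDIR default is an assumption; override as needed.
PORTDIR="${PORTDIR:-/usr/portage}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"   # hypothetical threshold

# tree_age_days FILE NOW_EPOCH: print whole days between the sync stamp and NOW.
tree_age_days() {
    stamp=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$stamp" ] || return 1      # GNU date parses "" as today, so reject it
    synced=$(date -u -d "$stamp" +%s 2>/dev/null) || return 1
    echo $(( ($2 - synced) / 86400 ))
}

# tree_is_fresh FILE NOW_EPOCH: succeed only if the stamp is readable, not
# dated a day or more in the future, and at most MAX_AGE_DAYS old.
tree_is_fresh() {
    age=$(tree_age_days "$1" "$2") || return 1
    [ "$age" -ge 0 ] && [ "$age" -le "$MAX_AGE_DAYS" ]
}

# run_check: sync if stale, then report. Exit codes are this script's own:
# 0 = no affected GLSAs, 1 = affected, 2 = result cannot be trusted.
run_check() {
    if ! tree_is_fresh "$PORTDIR/metadata/timestamp.chk" "$(date +%s)"; then
        emerge --sync --quiet || {
            echo "sync failed: glsa-check would read stale advisories" >&2
            return 2
        }
    fi
    affected=$(glsa-check -t all 2>/dev/null)   # affected GLSA IDs on stdout
    [ -z "$affected" ] && return 0
    echo "Affected by GLSAs:"; echo "$affected"
    return 1
}

# Only act when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--cron" ]; then   # hypothetical flag for this wrapper
    run_check
fi
```

Treating a missing or unparseable timestamp as stale matters here: the failure in the thread was silent, with every GLSA newer than the last sync simply absent from the list.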