Gentoo Forums
Glsa: Are they still reliable?
schorsch_76 (Guru; joined 19 Jun 2012; 450 posts)
Posted: Mon Jun 15, 2015 6:59 pm    Post subject: Glsa: Are they still reliable?

I just upgraded my server's openssl 1.0.1m to 1.0.1o. glsa-check -l didn't report any glsa. (Yes, there was no CVE, so no glsa, but on openssl I am sceptical.) [3]

Now I worry if the glsa system is still working.... in fact, I rely on it. I let the server do a daily sync and glsa-check -l to inform me when there are any urgent issues.

In fact a few days/weeks ago, I noticed that my firefox on my desktop is vulnerable to the logjam attack [2], but glsa-check didn't report it and still doesn't report it as affected, despite the fact that there is a CVE [1]. Now, I ask again: Is the glsa system still reliable?

[1] https://bugs.gentoo.org/show_bug.cgi?id=550288#c5
[2] https://www.ssllabs.com/ssltest/viewMyClient.html
[3] https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES
MarioCorleone (Guru; joined 29 Jun 2003; 327 posts)
Posted: Mon Jun 15, 2015 8:54 pm

I'm sure you know how to search https://forums.gentoo.org/viewtopic-t-1019570-highlight-.html
_________________
-Mario
Apheus (Guru; joined 12 Jul 2008; 418 posts)
Posted: Mon Jun 15, 2015 9:18 pm

That just affects the announce-subforum here in the forums.

I suspect there has been no glsa for firefox/logjam because GLSAs are issued when a fixed version is stabilized, which is not the case yet. The version of dev-libs/nss with the backported patch (3.19-r1?) is not stable yet. I don't know why. Mozilla themselves seem to not care too much about logjam - Ubuntu's firefox 38.0.5 is still vulnerable according to https://weakdh.org/.

Try to update nss to 3.19-r1.
yngwin (Retired Dev; joined 19 Dec 2002; 4572 posts; location: Suzhou, China)
Posted: Tue Jun 16, 2015 9:59 am

The GLSA system works just as well as it has always done. But you need to understand that a new advisory is only published after a fixed version is marked stable. This can take months. So especially if you are running a server, it is in my opinion not enough to rely on glsa-check. If there are any CVEs for software that you run, make sure you update to a fixed version as soon as it becomes available, even if it is not marked stable yet.
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF
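A supplement to a daily glsa-check -l run, in the spirit of yngwin's advice above: this added script (not from the thread or from the Gentoo project) compares installed package versions against the minimum fixed version an admin tracks from CVE reports, so an outdated package is flagged even before a GLSA exists. It assumes Portage's installed-package database under /var/db/pkg; the watch list of packages and minimum versions is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag installed packages below the minimum
# "fixed" version recorded from CVE tracking, since a GLSA only appears after the
# fix is stabilized. Handles dotted numbers, a trailing letter (1.0.1m) and a
# -rN revision (3.19-r1); _rc/_beta/_p suffixes are not handled.

# ver_key VERSION: fixed-width sortable key, e.g. 3.19-r1 -> 0003.0019.0000.0000.0.0001
ver_key() {
    v=$1 rev=0 letter=0 key="" n=0
    case $v in *-r[0-9]*) rev=${v##*-r}; v=${v%-r*} ;; esac
    case $v in *[a-z]) letter=$(printf '%s' "$v" | tail -c 1); v=${v%?} ;; esac
    oldifs=$IFS; IFS=.
    for c in $v; do key="$key$(printf '%04d' "$c")."; n=$((n + 1)); done
    IFS=$oldifs
    while [ "$n" -lt 4 ]; do key="${key}0000."; n=$((n + 1)); done  # pad to 4 components
    printf '%s%s.%04d\n' "$key" "$letter" "$rev"                       # '0' sorts before 'a'
}

# ver_ge A B: succeed when version A >= version B
ver_ge() {
    ka=$(ver_key "$1"); kb=$(ver_key "$2")
    [ "$ka" = "$kb" ] && return 0
    [ "$(printf '%s\n%s\n' "$ka" "$kb" | LC_ALL=C sort | head -n 1)" = "$kb" ]
}

# check_min PKG INSTALLED MINIMUM: print a verdict, fail when INSTALLED < MINIMUM
check_min() {
    if ver_ge "$2" "$3"; then printf 'ok       %s-%s\n' "$1" "$2"; return 0; fi
    printf 'OUTDATED %s-%s, fixed version %s not installed (no GLSA yet?)\n' "$1" "$2" "$3"
    return 1
}

# installed_ver CATEGORY/PN: first installed slot, from the Portage VDB (assumed /var/db/pkg)
installed_ver() {
    for d in /var/db/pkg/$1-[0-9]*; do [ -d "$d" ] && printf '%s\n' "${d##*/$1-}" && break; done
    return 0
}

# Constructed watch list: package:minimum-fixed-version, maintained by hand from the bug tracker
main() {
    rc=0
    for entry in dev-libs/nss:3.19-r1 dev-libs/openssl:1.0.1o; do
        pkg=${entry%%:*}; min=${entry##*:}
        inst=$(installed_ver "$pkg")
        [ -n "$inst" ] || { echo "not installed: $pkg"; continue; }
        check_min "$pkg" "$inst" "$min" || rc=1
    done
    return "$rc"
}
main
```

Run it from the same cron job as the daily sync; a non-zero exit means at least one watched package is below its recorded fixed version.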
schorsch_76 (Guru; joined 19 Jun 2012; 450 posts)
Posted: Tue Jun 16, 2015 10:50 am

@yngwin: Thanks for the explanation!

@others: Thanks for your input too!