Gentoo Forums
201110-22: cannot fix GLSA, no unaffected packages available
randalla
Tux's lil' helper


Joined: 14 Oct 2008
Posts: 79
Location: Seattle, WA

Posted: Mon Mar 05, 2012 2:30 am    Post subject: 201110-22: cannot fix GLSA, no unaffected packages available

Haven't run into this before and would appreciate some help. I have a GLSA, 201110-22, that is reporting that I'm vulnerable, yet when I go to fix it, it says no packages are affected. Interestingly, this is only happening on my amd64 servers, and not my x86 servers.

Of my 11 servers, 4 are x86 and 7 are amd64. All of them run postgresql-base-8.4.11, with one having postgresql-base=9.1.3 which is amd64. Of those x86 servers, two run postgresql-server-8.4.11. Of the amd64 servers, 4 run postgresql-server-8.4.11, and 1 of them also has postgresql-server-9.1.3, but with 8.4 as the selected slot. All of the amd64 servers are reporting that they are affected by 201110-22, for either the postgresql-server or the postgresql-base packages.

Specifically, here's what I'm seeing:

# glsa-check -t all
This system is affected by the following GLSAs:
201110-22

# glsa-check -f 201110-22
Fixing GLSA 201110-22
>>> cannot fix GLSA, no unaffected packages available

(all production servers):
# qpkg postgresql-base postgresql-server
- dev-db/postgresql-server-8.4.11: 5296 kB
- dev-db/postgresql-base-8.4.11: 2383 kB
* Packages can be found in /var/tmp/binpkgs

(dev server):
# qpkg postgresql-server postgresql-base
- dev-db/postgresql-server-8.4.11: 5216 kB
- dev-db/postgresql-server-9.1.3: 5635 kB
- dev-db/postgresql-base-8.4.11: 2381 kB
- dev-db/postgresql-base-9.1.3: 2630 kB
* -2 packages could not be matched :/ <-- not sure what this is all about
* Packages can be found in /var/tmp/binpkgs

I don't think it matters in this case here directly, but my 8.4 servers have postgresql-server and postgresql-base >= 9.0.0 masked in /etc/portage/package.mask. I don't think it matters because my dev server doesn't have this masking, and it has both 9.1.3 and 8.4.11 installed and it's still affected. I was masking because even though I had my world entries like so:

dev-db/postgresql-base:8.4
dev-db/postgresql-server:8.4

My emerge updates were trying to bring in 9.x, where I wasn't ready to go through testing on that (PHP was bringing it in as a dependency).

Anyway, long story short, anyone have any ideas?
Telemin
l33t


Joined: 25 Aug 2005
Posts: 734
Location: Glasgow, UK

Posted: Mon Mar 05, 2012 9:37 pm    Post subject: Re: 201110-22: cannot fix GLSA, no unaffected packages available

Hi, I'm not sure but odds are that the behaviour of glsa-check is to look for potential updates, and not to consider downgrades. Looking at the actual GLSA (link) it seems that 8.4.10(-r1) is safe provided there are no other regressions that will break your current server setups.

Also the reason your dev server is affected is that GLSA still can't match an update for the vulnerable :8.4 slot even though the :9 slot is clean. I imagine that the glsa warning on your dev server will go away if you emerge -C postgresql-server:8.4

-Telemin-
_________________
The Geek formerly known as -Freestyling-
When you feel your problem has been solved please add [Solved] to the topic title.
Please adopt an unanswered post
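The two mechanics Telemin's reply relies on (an installed version is matched against the GLSA's vulnerable/unaffected ranges, and a fix is only searched for as an upgrade within the same slot) can be shown with a small model. The script below is an added illustration written for this thread; it is not Portage's glsa-check code and the package name, version ranges and tree contents are constructed, not the contents of GLSA 201110-22 or any real tree. It models the GLSA range operators "ge", "lt", "rge" and "rlt" (the r-forms compare only the -rN revision within one base version) and ignores the per-arch attribute that real GLSA package entries carry.

```python
import re

# Constructed data for illustration only; not GLSA 201110-22 and not a real tree.
# Ranges follow the GLSA shape: a version is affected when it matches a
# vulnerable range and none of the unaffected ranges.
GLSA = {
    "dev-db/example-server": {
        "unaffected": [("ge", "9.0.5"), ("rge", "8.4.10-r1")],
        "vulnerable": [("lt", "9.0.5")],
    },
}
INSTALLED = [  # (package, slot, version) as reported by the installed-package db
    ("dev-db/example-server", "8.4", "8.4.11"),
    ("dev-db/example-server", "9.1", "9.1.3"),
]
AVAILABLE = [  # (package, slot, version) that the tree offers
    ("dev-db/example-server", "8.4", "8.4.10-r1"),
    ("dev-db/example-server", "8.4", "8.4.11"),
    ("dev-db/example-server", "9.1", "9.1.3"),
]


def parse_version(v):
    """Split '8.4.10-r1' into ((8, 4, 10), 1); a missing -rN revision counts as 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    base = tuple(int(x) for x in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def matches(op, bound, v):
    """Evaluate one GLSA range element (op, bound) against version v."""
    vb, vr = parse_version(v)
    bb, br = parse_version(bound)
    if op == "ge":
        return (vb, vr) >= (bb, br)
    if op == "lt":
        return (vb, vr) < (bb, br)
    if op == "rge":  # same base version required; only the revision is compared
        return vb == bb and vr >= br
    if op == "rlt":
        return vb == bb and vr < br
    raise ValueError(f"unsupported range operator: {op}")


def is_unaffected(ranges, v):
    return any(matches(op, b, v) for op, b in ranges["unaffected"])


def is_vulnerable(ranges, v):
    return (any(matches(op, b, v) for op, b in ranges["vulnerable"])
            and not is_unaffected(ranges, v))


def affected_installed(installed, glsa):
    """Return the (package, slot, version) triples the GLSA flags (glsa-check -t)."""
    return [(pkg, slot, v) for pkg, slot, v in installed
            if pkg in glsa and is_vulnerable(glsa[pkg], v)]


def fix_candidate(pkg, slot, installed_v, available, glsa, allow_downgrade=False):
    """Highest unaffected version in the same slot; upgrades only unless told otherwise.
    None models the 'cannot fix GLSA, no unaffected packages available' outcome."""
    cands = [v for p, s, v in available
             if p == pkg and s == slot and is_unaffected(glsa[pkg], v)
             and (allow_downgrade or parse_version(v) > parse_version(installed_v))]
    return max(cands, key=parse_version) if cands else None


def report(installed=INSTALLED, available=AVAILABLE, glsa=GLSA):
    """Per affected slot: what is installed, what an upgrade-only fix would pick,
    and what a fix allowing downgrades would pick."""
    out = {}
    for pkg, slot, v in affected_installed(installed, glsa):
        out[(pkg, slot)] = {
            "installed": v,
            "upgrade": fix_candidate(pkg, slot, v, available, glsa),
            "with_downgrade": fix_candidate(pkg, slot, v, available, glsa, True),
        }
    return out


if __name__ == "__main__":
    for (pkg, slot), r in report().items():
        print(f"{pkg}:{slot} installed {r['installed']}: "
              f"upgrade fix={r['upgrade']} downgrade fix={r['with_downgrade']}")
```

In the constructed data the :8.4 slot is flagged because 8.4.11 falls under "lt 9.0.5" and is not covered by "rge 8.4.10-r1" (a different base version), while the only unaffected 8.4 build is a downgrade, so the upgrade-only search returns nothing; the clean :9.1 slot does not clear the :8.4 finding, and dropping the :8.4 entry from the installed list (what unmerging that slot does) is what makes the report empty. When hosts of two arches disagree on the same installed version, the per-arch attribute on the advisory's package entries, which this model leaves out, is the first thing to compare against the advisory text.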