glsa-check cannot determine same fixes. phpmyadmin was listed more than once. one of glsa have can but others remained. awstats 6.5 installed. glsa requires 6.4. before awstats upgrade awstats was 6.3. thinking to upgrade awstats due to glsa entry.

glsa-check -p 200508-07 200510-16 200510-21 200512-03
WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug.

Checking GLSA 200508-07
The following updates will be performed for this GLSA:
net-www/awstats-6.5 (6.4)
**********************************************************************
Checking GLSA 200510-16
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
**********************************************************************
Checking GLSA 200510-21
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
**********************************************************************
Checking GLSA 200512-03
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)

emerge --info
Portage 2.0.53 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.12-gentoo-r6 i686)
=================================================================
System uname: 2.6.12-gentoo-r6 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.3.5-r2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i386-pc-linux-gnu"
CFLAGS="-O2 -mcpu=pentium4 -march=pentium4 -fomit-frame-pointer -pipe"
CHOST="i386-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=pentium4 -march=pentium4 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.ankara.edu.tr/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 apache2 apm arts audiofile avi berkdb bitmap-fonts bzip2 cdr crypt cups curl eds emboss encode expat foomaticdb fortran gd gdbm gif gmp gpm gstreamer gtk2 idn imap imlib ipv6 java jpeg lcms libg++ libwww mad maildir memlimit mhash mikmod mng motif mp3 mpeg mpm-prefork mysql ncurses nls ogg oggvorbis opengl oss pam pcre pdflib perl php png postgres python quicktime readline sasl sdl spell ssl tcpd tiff truetype truetype-fonts type1-fonts udev vhosts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
emerge -pv gentoolkit
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] app-portage/gentoolkit-0.2.0-r3 0 kB
Total size of downloads: 0 kB
(In reply to comment #1)
> Calculating dependencies ...done!
> [ebuild R ] app-portage/gentoolkit-0.2.0-r3 0 kB

Try with latest gentoolkit version (0.2.2_pre1) and reopen if it still does not work.
As it is a production server environment, I do not prefer to use masked packages. I emerged 0.2.2_pre1.

emerge -pv gentoolkit
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] app-portage/gentoolkit-0.2.2_pre1 0 kB
Total size of downloads: 0 kB

glsa-check -p 200508-07 200510-16 200510-21 200512-03
Checking GLSA 200508-07
The following updates will be performed for this GLSA:
net-www/awstats-6.5 (6.4)
Checking GLSA 200510-16
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
Checking GLSA 200510-21
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
Checking GLSA 200512-03
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
*** Bug 117632 has been marked as a duplicate of this bug. ***
Using gentoolkit-0.2.2_pre1 it still has the same trouble, re-installing 200411-38 and 200506-14 every time (both install Blackdown jdk 1.4.2.02).

glsa-check -p 200411-38 200506-14
Checking GLSA 200411-38
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.2.02)
Checking GLSA 200506-14
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.2.02)

emerge info
Portage 2.0.53 (default-linux/amd64/2005.1, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.14-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python: 2.3.5-r2, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -mtune=k8 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib64/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mtune=k8 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://sunsite.ualberta.ca/pub/unix/Linux/gentoo/ ftp://gentoo.risq.qc.ca/ ftp://gentoo.agsn.ca/ http://gentoo.mirrored.ca/ ftp://gentoo.mirrored.ca/ http://gentoo.osuosl.org/ ftp://sunsite.ualberta.ca/pub/unix/Linux/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/home/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 audiofile avi berkdb bitmap-fonts bonobo bzip2 cdr crypt cups curl dbus divx4linux doc dvd dvdr eds emboss encode esd exif expat fam ffmpeg flac foomaticdb fortran gd gdbm gif glut gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 java jpeg kde lcms lzw lzw-tiff mad mng mozilla mp3 mpeg ncurses nls nocd nptl offensive ogg oggvorbis opengl oss pam pcre pdflib perl png python qt quicktime readline real recode samba scanner sdl spell ssl tcltk tcpd tiff truetype truetype-fonts type1-fonts udev unicode usb userlocales vorbis xine xml xml2 xmms xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Can anyone confirm this with --fix instead of --pretend (can't check myself right now)? If not, someone with >=gentoolkit-0.2.1 please try the following

EMERGE_OPTS="-p" glsa-check -f <glsa-list>

and post the output here.
EMERGE_OPTS="-p" glsa-check -f 200411-38 200506-14
fixing 200411-38
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-java/blackdown-jdk-1.4.2.02
fixing 200506-14
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-java/blackdown-jdk-1.4.2.02
This is definitely related to slotting. I used blackdown-jdk to reproduce and I had to completely unmerge blackdown-jdk in order to reproduce. Simply installing 1.4.1-r1 with 1.4.2.02 already installed didn't cause the problem to exhibit itself, i.e. 'glsa-check -p 200411-38 200506-14' had the following output:

Checking GLSA 200411-38
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.1-r1)
Checking GLSA 200506-14
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.1-r1)

Steps to reproduce:

1. emerge --unmerge blackdown-jdk

2. emerge -v1 =dev-java/blackdown-jdk-1.4.1-r1 (version is affected by GLSA)

3. glsa-check -t 200411-38 200506-14
This system is affected by the following GLSA:
200506-14

4. glsa-check -f 200506-14
fixing 200506-14
>>> merging dev-java/blackdown-jdk-1.4.2.02
>>> dev-java/blackdown-jdk-1.4.2.02 merged.

5. equery list blackdown-jdk
[ Searching for package 'blackdown-jdk' in all categories among: ]
* installed packages
[I--] [ ] dev-java/blackdown-jdk-1.4.1-r1 (1.4.1)
[I--] [ ] dev-java/blackdown-jdk-1.4.2.02 (1.4.2)

6. glsa-check -p 200411-38 200506-14
Checking GLSA 200411-38
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.2.02)
Checking GLSA 200506-14
The following updates will be performed for this GLSA:
dev-java/blackdown-jdk-1.4.2.02 (1.4.2.02)

7. EMERGE_OPTS="-p" glsa-check -f 200411-38 200506-14
fixing 200411-38
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-java/blackdown-jdk-1.4.2.02
fixing 200506-14
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-java/blackdown-jdk-1.4.2.02
EMERGE_OPTS="-p" glsa-check -f 200508-07 200510-16 200510-21 200512-03
fixing 200508-07
>>> merging net-www/awstats-6.5
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] net-www/awstats-6.5
fixing 200510-16
>>> merging dev-db/phpmyadmin-2.7.0_p1
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-db/phpmyadmin-2.7.0_p1
fixing 200510-21
>>> merging dev-db/phpmyadmin-2.7.0_p1
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-db/phpmyadmin-2.7.0_p1
fixing 200512-03
>>> merging dev-db/phpmyadmin-2.7.0_p1
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] dev-db/phpmyadmin-2.7.0_p1

glsa-check -p 200508-07 200510-16 200510-21 200512-03
Checking GLSA 200508-07
The following updates will be performed for this GLSA:
net-www/awstats-6.5 (6.4)
Checking GLSA 200510-16
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
Checking GLSA 200510-21
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
Checking GLSA 200512-03
The following updates will be performed for this GLSA:
dev-db/phpmyadmin-2.7.0_p1 (2.7.0_p1)
Created attachment 76933 [details, diff]
glsa-check.117550.patch

This patch for glsa-check and the following patch for glsa.py fix the problem with --pretend not correctly showing the vulnerable version(s) of the packages that are installed.
Created attachment 76934 [details, diff]
glsa.py.117550.patch

Patch for glsa.py
After applying both patches it results as:

EMERGE_OPTS="-p" glsa-check -f 200411-38 200506-14
fixing 200411-38
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild UD] dev-java/blackdown-jdk-1.4.2.02 [1.4.2.03]
fixing 200506-14
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild UD] dev-java/blackdown-jdk-1.4.2.02 [1.4.2.03]

Here's the emerge -s blackdown-jdk

dev-java/blackdown-jdk
Latest version available: 1.4.2.03
Latest version installed: 1.4.2.03
Size of downloaded files: 66,770 kB
Homepage: http://www.blackdown.org
Description: Blackdown Java Development Kit
License: sun-bcla-java-vm

Still downgrades it every time. The next emerge -uDv kicks it back up to v. 1.4.2.03.
Run glsa-check --pretend 200411-38 200506-14 and it will tell you which version(s) of blackdown-jdk are installed and listed as vulnerable. Follow that with an emerge --unmerge =blackdown-jdk-<vulnerable version> After unmerging the vulnerable versions, glsa-check will stop trying to emerge dev-java/blackdown-jdk-1.4.2.02 to fix the vulnerability.
blackdown-jdk-1.4.02 isn't installed on my system.

emerge -C blackdown-jdk-1.4.2.02
--- Couldn't find blackdown-jdk-1.4.2.02 to unmerge.
>>> unmerge: No packages selected for removal.

emerge -C dev-java/blackdown-jdk-1.4.2.02
--- Couldn't find dev-java/blackdown-jdk-1.4.2.02 to unmerge.
>>> unmerge: No packages selected for removal.

EMERGE_OPTS="-p" glsa-check -f 200411-38 200506-14
fixing 200411-38
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild UD] dev-java/blackdown-jdk-1.4.2.02 [1.4.2.03]
fixing 200506-14
>>> merging dev-java/blackdown-jdk-1.4.2.02
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild UD] dev-java/blackdown-jdk-1.4.2.02 [1.4.2.03]

It still seems to think that it's the one true jdk that should be installed.

java-config --jdk-home
/opt/blackdown-jdk-1.4.2.03

Blah opt # ls -l
total 40
drwxr-xr-x 3 root root 4096 Dec 30 17:52 OpenOffice.org
drwxr-xr-x 2 root root 48 Jan 10 18:20 bin
drwxr-xr-x 8 root root 48 Jan 11 17:44 blackdown-jdk-1.4.2.03
drwxr-xr-x 6 root root 32 Jan 9 08:51 blackdown-jre-1.4.2.03
drwxr-x--- 5 root games 4096 Jan 11 12:37 doom3
drwxr-xr-x 10 foldingathome nogroup 4096 Jan 10 08:38 foldingathome
drwxr-xr-x 6 root root 32 Dec 30 17:11 java32
drwxr-xr-x 3 root root 8 Mar 12 2005 netscape
drwxrwx--- 30 root games 4096 Jan 10 15:24 nwn
drwxr-xr-x 5 root root 24 Jul 1 2005 rar
drwxr-xr-x 17 root root 4096 Jun 19 2005 ut2004
Unmerging all instances of blackdown-jdk and blackdown-jre and then re-emerging them fixed the problem.

EMERGE_OPTS="-p" glsa-check -f 200411-38 200506-14
fixing 200411-38
fixing 200506-14
r403 of glsa-check has some support for checking $SLOT when selecting/displaying upgrades that should take care of this.
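To show why checking $SLOT matters for the reproduction in comment 11 above, here is an added Python example (not glsa-check's or gentoolkit's own code) that contrasts slot-blind with per-slot upgrade selection. The version comparator is a simplified stand-in for Portage's, the range model follows the GLSA <vulnerable range="lt"> / <unaffected range="ge"> convention, and the installed versions, slots and bounds are constructed to model the blackdown-jdk case.

```python
import re
# Simplified Gentoo version ordering (this example's own, not Portage's vercmp):
# dotted numbers, optional _alpha/_beta/_pre/_rc/_p suffix, optional -rN revision.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
_VER_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?")

def version_key(ver):
    m = _VER_RE.fullmatch(ver)
    if not m:
        raise ValueError("unsupported version string: " + ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return (nums, _SUFFIX_RANK[m.group(2) or ""], int(m.group(3) or 0), int(m.group(4) or 0))

def in_range(ver, rng):
    """rng is (op, bound), mirroring GLSA <vulnerable range="lt"> / <unaffected range="ge">."""
    op, bound = rng
    a, b = version_key(ver), version_key(bound)
    return {"lt": a < b, "le": a <= b, "eq": a == b, "ge": a >= b, "gt": a > b}[op]

def plan_unaware(installed, available, vulnerable, unaffected):
    """Slot-blind selection as reported in the bug: any vulnerable installed version
    triggers the lowest unaffected version, shown against the highest installed one."""
    if not any(in_range(v, vulnerable) for v, _ in installed):
        return []
    target = min((v for v, _ in available if in_range(v, unaffected)), key=version_key)
    current = max((v for v, _ in installed), key=version_key)
    return [(target, current)]

def plan_slot_aware(installed, available, vulnerable, unaffected):
    """Per-slot selection: only slots holding a vulnerable version get an entry, the fix
    must live in the same slot and not be a downgrade, and a slot with no such fix
    yields target None (the vulnerable version has to be unmerged instead)."""
    plan = []
    for ver, slot in installed:
        if not in_range(ver, vulnerable):
            continue
        fixes = [v for v, s in available if s == slot and in_range(v, unaffected)
                 and version_key(v) >= version_key(ver)]
        plan.append((slot, ver, min(fixes, key=version_key) if fixes else None))
    return plan

# Constructed sample modelled on the reproduction above: blackdown-jdk <1.4.2.02
# treated as vulnerable and >=1.4.2.02 as unaffected, two slots installed.
INSTALLED = [("1.4.1-r1", "1.4.1"), ("1.4.2.02", "1.4.2")]
AVAILABLE = [("1.4.1-r1", "1.4.1"), ("1.4.2.02", "1.4.2"), ("1.4.2.03", "1.4.2")]
VULNERABLE, UNAFFECTED = ("lt", "1.4.2.02"), ("ge", "1.4.2.02")

if __name__ == "__main__":
    print("slot-blind:", plan_unaware(INSTALLED, AVAILABLE, VULNERABLE, UNAFFECTED))
    print("slot-aware:", plan_slot_aware(INSTALLED, AVAILABLE, VULNERABLE, UNAFFECTED))
```

The slot-blind plan reproduces the "1.4.2.02 (1.4.2.02)" line from the bug, and with 1.4.2.03 installed in the 1.4.2 slot it reproduces the downgrade; the slot-aware plan instead points at the leftover 1.4.1-r1 that has no fix in its slot.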
Released in gentoolkit-0.2.4_pre6