Bug 516422 - app-portage/gentoolkit-0.3.0.8-r2 - glsa-check ignores release which is not affected
Status: RESOLVED CANTFIX
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Tools
Hardware: All Linux
Importance: Normal normal
Assignee: Portage Tools Team
Reported: 2014-07-05 10:30 UTC by Heinrich Götzger
Modified: 2014-07-05 18:33 UTC
Description Heinrich Götzger 2014-07-05 10:30:38 UTC
# glsa-check -tv all	
gives me (among others)

201312-03 [N] [remote  ] OpenSSL: Multiple Vulnerabilities ( dev-libs/openssl-0.9.8z_p1-r1 dev-libs/openssl-1.0.1h-r1 )

checking my installation gives me:

# eix dev-libs/openssl
[I] dev-libs/openssl
     Available versions: 
     (0.9.8) 0.9.8y ~0.9.8y-r1 0.9.8z_p1-r1 ~0.9.8z_p1-r2
     (0)    [M]1.0.0j 1.0.0m 1.0.1g ~1.0.1g-r1 1.0.1h-r1 ~1.0.1h-r2 **1.0.2_beta1-r2 **1.0.2_beta1-r3
       {bindist gmp kerberos rfc3779 sse2 static-libs test +tls-heartbeat vanilla zlib ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
     Installed versions:  0.9.8z_p1-r1(0.9.8)(18:56:11 06/24/14)(sse2 zlib -bindist -gmp -kerberos -test) 1.0.1h-r1(09:51:09 06/06/14)(sse2 tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs -test -vanilla)
     Homepage:            http://www.openssl.org/
     Description:         full-strength general purpose cryptography library (including SSL and TLS) 


So I'm not sure if this is correct or not; my understanding would be that 0.9.8z_p1-r1 is greater than 0.9.8y.

I'm using: 
# /usr/bin/glsa-check --version
glsa-check (0.3.0.8-r2)
Author: Marius Mauch <genone@gentoo.org>
This program is licensed under the GPL, version 2


Has been discussed in German forum already: http://forums.gentoo.org/viewtopic-t-994796.html?sid=0b90508aa798befee39f07b7bc258206

Thanks

Heinrich

Reproducible: Always




# emerge --info
Portage 2.2.10 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.17, 3.10.32-gentoo-io x86_64)
=================================================================
System uname: Linux-3.10.32-gentoo-io-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_4600+-with-gentoo-2.2
KiB Mem:     8198940 total,   5335776 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of tree: Sat, 05 Jul 2014 09:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.5-r3, 3.2.5-r3, 3.3.3
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13::<unknown repository>, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.5.4, 4.6.3, 4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo local-repo
Installed sets: @system
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://far http://boo http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo http://pandemonium.tiscali.de/pub/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ ftp://ftp.solnet.ch/mirror/Gentoo ftp://mirrors.64hosting.com/pub/mirrors/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 apache2 apm arts bash-completion berkdb bitmap-fonts bzip2 cdda cddb cdparanoia cdr cli cracklib crypt cups cxx dbus dri dvd dvdr dvdread evms2 exif firefox foomaticdb fortran gdbm gif gnome gphoto2 gtk gtk2 iconv imagemagick imlib ipv6 java jikes jpeg junit kde mmx modules mp3 mpeg mplayer multilib ncurses nls nptl opengl openmp pam pcre pdf png ppds qt3 qt3support qt4 readline scanner semantic-desktop session sqlite sse sse2 ssl svg tcpd tidy tiff truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax win32codecs xine xinerama xml xulrunner xv zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nvidia nv vesa fbdev" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition 
tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2014-07-05 17:45:37 UTC
The current GLSA format doesn't support slots at all. New unaffected versions on "lower" slots have to be added manually to the advisories. That's not the fault of the tool, rather of the advisory format.

A replacement advisory format is currently in development that will support slots.

Not an issue in the tool, bug not useful for tracking any statuses -> closing.
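
The limitation described in Comment 1, as an added example (not gentoolkit's code and not part of the original bug report): a flat, slot-unaware range check flags the installed 0.9.8 slot until that exact version is added by hand, while a slot-scoped entry would not need the update. The advisory ranges are constructed and are not the real contents of GLSA 201312-03, the slot field on entries is a hypothetical extension, and `vkey` is a simplified ordering rather than Portage's full version comparison.

```python
import re

# Simplified Gentoo version key: dotted numbers, optional letter, optional _pN,
# optional -rN. Covers the versions on this page; not Portage's full vercmp.
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_p(\d+))?(?:-r(\d+))?$")

def vkey(v):
    m = _VER.match(v)
    if not m:
        raise ValueError("unsupported version: " + v)
    nums, letter, patch, rev = m.groups()
    return (tuple(int(n) for n in nums.split(".")), letter, int(patch or 0), int(rev or 0))

def matches(op, bound, installed, slot, installed_slot):
    """True if the installed version satisfies one advisory range entry."""
    if slot is not None and slot != installed_slot:
        return False  # slot-scoped entry (hypothetical) that targets another slot
    i, b = vkey(installed), vkey(bound)
    if op == "lt":
        return i < b
    if op == "ge":
        return i >= b
    if op == "rge":  # same base version, revision greater or equal
        return i[:3] == b[:3] and i[3] >= b[3]
    raise ValueError("unsupported op: " + op)

def affected(installed, installed_slot, vulnerable, unaffected):
    def any_match(entries):
        return any(matches(op, b, installed, s, installed_slot) for op, b, s in entries)
    return any_match(vulnerable) and not any_match(unaffected)

# Constructed advisory data (NOT the real ranges of GLSA 201312-03).
VULNERABLE = [("lt", "1.0.1h", None)]
FLAT = [("ge", "1.0.1h", None), ("rge", "0.9.8y", None)]      # no slot information
FLAT_FIXED = FLAT + [("rge", "0.9.8z_p1", None)]              # manual addition
SLOTTED = [("ge", "1.0.1h", "0"), ("ge", "0.9.8y", "0.9.8")]  # hypothetical format

# Installed versions and slots, taken from the eix output in the description.
INSTALLED = [("0.9.8z_p1-r1", "0.9.8"), ("1.0.1h-r1", "0")]

def report(unaffected):
    """Installed versions that the advisory would still flag."""
    return [v for v, s in INSTALLED if affected(v, s, VULNERABLE, unaffected)]

if __name__ == "__main__":
    print("flat:", report(FLAT))
    print("flat + manual entry:", report(FLAT_FIXED))
    print("slot-scoped:", report(SLOTTED))
```

A flat `ge 0.9.8y` entry is not a substitute for the slot-scoped one: without a slot it would also mark every higher version in slot 0, such as 1.0.0j, as unaffected.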
Comment 2 Heinrich Götzger 2014-07-05 18:33:29 UTC
Alex,

I didn't know that. So it's alright as it is. Thanks.

Heinrich