| Summary: | GLSA: add flag --continue-on-error in conjunction with --fix | | |
|---|---|---|---|
| Product: | Portage Development | Reporter: | Ján Regeš <jan.reges> |
| Component: | Tools | Assignee: | Portage team <dev-portage> |
| Status: | UNCONFIRMED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Btw, for now I simulate "--continue-on-error" with this command:

> glsa-check -t all | while read line ; do glsa-check -f $line ; done

This issue is related to https://bugs.gentoo.org/show_bug.cgi?id=585462. GLSA also reports really-unaffected GLSAs. For example, I have OpenSSL-1.0.2k installed and glsa-check reports affected "201603-15" and "201612-16", which were already fixed in OpenSSL-1.0.2j. When this bug is fixed, the problem "cannot fix GLSA, no unaffected packages available" will not appear.

CCing portage team too because I don't know which is the "one true glsa-check" these days. :-)

Hi, portage team, could you answer this issue, please?
Glsa-check does not work properly. It also reports unaffected vulnerabilities.
See example below with OpenSSL. I have OpenSSL 1.0.2k, but glsa-check reports some old vulnerabilities from previous versions.
Thank you.
> elk ~ # glsa-check --list
> [A] means this GLSA was marked as applied (injected),
> [U] means the system is not affected and
> [N] indicates that the system might be affected.
>
> 201603-15 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> 201612-16 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> 201702-07 [N] OpenSSL: Multiple vulnerabilities ( dev-libs/openssl )
> elk ~ # emerge -av dev-libs/openssl
>
> * IMPORTANT: 15 news items need reading for repository 'gentoo'.
> * Use eselect news read to view new items.
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies... done!
> [ebuild R ] dev-libs/openssl-1.0.2k::gentoo USE="asm sslv3 tls heartbeat zlib -bindist -gmp -kerberos -rfc3779 -sctp -sslv2 -static-libs {-> test} -vanilla" ABI_X86="(64) -32 (-x32)" CPU_FLAGS_X86="(sse2)" 0 KiB
>
> Total: 1 package (1 reinstall), Size of downloads: 0 KiB
You might still have a vulnerable version of dev-libs/openssl in the 0.9.8 slot. Try this:

> emerge -pv --nodeps dev-libs/openssl:0.9.8

glsa-check is included with >=sys-apps/portage-2.3.72 (bug 463952).
Hi, when I call "glsa-check --fix all" (and there are 10 GLSAs), the script exits on the first GLSA with the error "cannot fix GLSA, no unaffected packages available". In this case, I have to run "glsa-check --fix NUMBER" one by one. If there were a flag like "--continue-on-error", it would be better. Thank you.

DETAIL:

> elk ~ # glsa-check -t all
> This system is affected by the following GLSAs:
> 201603-15
> 201612-16
> 201701-74
> 201701-47
> 201701-37
> 201701-46
> 201701-56
> elk ~ # glsa-check -f $(glsa-check -t all)
> This system is affected by the following GLSAs:
> Fixing GLSA 201603-15
> >>> cannot fix GLSA, no unaffected packages available
> elk ~ #
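The `--fix all` abort described here and the `while read` loop posted as a workaround in the comments ask for the same thing, so as an added example (not glsa-check's own code, and `--continue-on-error` is still not a real option) here is a POSIX sh wrapper that tries every affected GLSA, keeps going past "cannot fix GLSA, no unaffected packages available", prints what was and was not fixed, and exits non-zero if anything is left. The `GLSA_CHECK_CMD` variable is an assumption of this script only, so a stand-in command can be substituted when exercising it off a Gentoo box.

```shell
#!/bin/sh
# Added example: emulate a "--continue-on-error" mode for `glsa-check --fix all`.
# Assumption: GLSA_CHECK_CMD is a hook of this script, not a glsa-check option;
# it lets a stand-in command be used where glsa-check is not installed.
GLSA_CHECK_CMD="${GLSA_CHECK_CMD:-glsa-check}"

# Run `glsa-check -f` for each GLSA id printed by `glsa-check -t all`.
# A failed fix is recorded and the loop moves on instead of stopping.
# Prints "fixed: ..." and "failed: ..." lines; returns 0 when everything
# was fixed, 1 when some GLSA could not be fixed, 2 when listing failed.
glsa_fix_all_continue() {
    command -v "$GLSA_CHECK_CMD" >/dev/null 2>&1 || {
        echo "glsa_fix_all_continue: $GLSA_CHECK_CMD not found" >&2
        return 2
    }
    # Only the id list on stdout is used; the "This system is affected..."
    # banner goes to stderr and the exit status of -t is not relied on.
    affected=$("$GLSA_CHECK_CMD" -t all)
    fixed=""
    failed=""
    for glsa in $affected; do
        # Defensive: act only on tokens shaped like a GLSA id (YYYYMM-NN),
        # so a stray word on stdout never becomes an argument to --fix.
        case "$glsa" in
            [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
            *) continue ;;
        esac
        if "$GLSA_CHECK_CMD" -f "$glsa"; then
            fixed="$fixed $glsa"
        else
            # This is the point where `--fix all` currently aborts.
            failed="$failed $glsa"
        fi
    done
    echo "fixed:${fixed:- none}"
    echo "failed:${failed:- none}"
    [ -z "$failed" ]
}

# Only perform fixes when asked explicitly: `sh glsa-fix-all.sh run`.
case "${1:-}" in
    run) glsa_fix_all_continue ;;
esac
```

The GLSAs listed under "failed:" are the ones to revisit by hand (for example the stale 0.9.8 slot mentioned in the comments) once the rest of the system has been updated.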