mointrigue, posted January 11, 2018:
Is there an equivalent function in Funtoo for glsa-check? I'm still getting the hang of kits vs the portage tree, but as far as I can tell glsa-check always returns nothing since the meta-repo doesn't include the GLSA notices.
palica, posted January 15, 2018:
glsa-check doesn't provide up-to-date information for Funtoo. Funtoo also backports lots of security fixes for the forked packages, so the information that you get with --list affected could be inaccurate or wrong. There is an open bug for a glsa-check tool for Funtoo in BFO: https://bugs.funtoo.org/browse/FL-3832?jql=text ~ "glsa" so you can subscribe to the bug and get an update once such a tool is ready for Funtoo. Until then you will have to check Gentoo's GLSA list and check the README.rst in the kit of the package, for example here: https://github.com/funtoo/core-kit/blob/1.0-prime/README.rst Funtoo also tries to audit forked ebuilds every 30 days. You can see all stale packages on this webpage: http://ports.funtoo.org/stale/ If you want to help and use any of the packages that are listed as "stale", you can check if they are affected by any known vulnerabilities and report those on https://bugs.funtoo.org where they will be squashed as fast as possible. Thank you in advance.
mointrigue (author), posted January 12, 2018:
OK, that's weird. It seems like for days even if I ran sudo glsa-check --list all I'd get nothing. I mean, I'd expect to see that if I used "affected". But today if I run the same command I get output, but nothing after April 2017, which does not match the GLSA announcements. This snippet was captured right after today's ego sync.

<snip...>
201702-29 [U] PHP: Multiple vulnerabilities ( dev-lang/php )
201702-30 [U] tcpdump: Multiple vulnerabilities ( net-analyzer/tcpdump )
201702-31 [U] GPL Ghostscript: Multiple vulnerabilities ( app-text/ghostscript-gpl )
201702-32 [U] Ruby Archive::Tar::Minitar: Directory traversal ( dev-ruby/archive-tar-minitar )
201703-01 [U] OpenOffice: User-assisted execution of arbitrary code ( app-office/openoffice-bin )
201703-02 [U] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
201703-03 [U] PuTTY: Buffer overflow ( net-misc/putty )
201703-04 [U] cURL: Certificate validation error ( net-misc/curl )
[A] means this GLSA was marked as applied (injected), [U] means the system is not affected and [N] indicates that the system might be affected.
201703-05 [U] GNU Libtasn1: Denial of Service ( dev-libs/libtasn1 )
201703-06 [U] Deluge: Remote execution of arbitrary code ( net-p2p/deluge )
201703-07 [U] Xen: Privilege Escalation ( app-emulation/xen-tools )
201704-01 [U] QEMU: Multiple vulnerabilities ( app-emulation/qemu )
201704-02 [U] Chromium: Multiple vulnerabilities ( www-client/chromium )
201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server x11-libs/libICE x11-libs/libXdmcp ... )
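A small parser for the glsa-check --list format quoted in the post above, added here as an example and not code from the thread or from Funtoo. It skips the legend line (which glsa-check writes to stderr and which lands mid-listing when both streams are captured), pulls out the [N] entries that still need manual checking against the kit README, and flags the stale-feed symptom the poster saw (newest advisory months behind the sync date). The sample listing is constructed; the 201801-17 title is a placeholder.

```python
import re

# Constructed sample modelled on the listing quoted above. The "[A] means ..."
# legend line is interleaved exactly as it appears when stderr is captured too.
SAMPLE_OUTPUT = """\
201703-03 [U] PuTTY: Buffer overflow ( net-misc/putty )
201703-04 [N] cURL: Certificate validation error ( net-misc/curl )
[A] means this GLSA was marked as applied (injected), [U] means the system is not affected and [N] indicates that the system might be affected.
201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server x11-libs/libICE x11-libs/libXdmcp ... )
201801-17 [A] Poppler: placeholder title ( app-text/poppler )
"""

# id, status letter, free-text title, space-separated package atoms
LINE_RE = re.compile(r"^(\d{6}-\d{2}) \[([AUN])\] (.+?) \( (.*?) \)$")


def parse_glsa_list(text):
    """Parse advisory lines; anything that does not match (the legend) is dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        glsa_id, status, title, pkgs = m.groups()
        tokens = pkgs.split()
        entries.append({
            "id": glsa_id,
            "status": status,
            "title": title,
            "packages": [p for p in tokens if p != "..."],
            "truncated": "..." in tokens,  # glsa-check elides long package lists
        })
    return entries


def possibly_affected(entries):
    """[N] entries: the ones to verify by hand against the kit's README.rst."""
    return [e for e in entries if e["status"] == "N"]


def newest_advisory(entries):
    # GLSA ids are YYYYMM-NN, so plain string ordering is chronological.
    return max((e["id"] for e in entries), default=None)


def feed_looks_stale(entries, now_yyyymm, max_months=3):
    """True when the newest advisory is more than max_months behind now_yyyymm."""
    newest = newest_advisory(entries)
    if newest is None:
        return True
    y, m = int(newest[:4]), int(newest[4:6])
    ny, nm = int(now_yyyymm[:4]), int(now_yyyymm[4:6])
    return (ny - y) * 12 + (nm - m) > max_months
```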
mointrigue (author), posted January 15, 2018:
4 hours ago, palica said: glsa-check doesn't provide up-to-date information for Funtoo. Funtoo also backports lots of security fixes for the forked packages, so the information that you get with --list affected could be inaccurate or wrong. There is an open bug for a glsa-check tool for Funtoo in BFO: https://bugs.funtoo.org/browse/FL-3832?jql=text ~ "glsa" so you can subscribe to the bug and get an update once such a tool is ready for Funtoo. Until then you will have to check Gentoo's GLSA list and check the README.rst in the kit of the package, for example here: https://github.com/funtoo/core-kit/blob/1.0-prime/README.rst Funtoo also tries to audit forked ebuilds every 30 days. You can see all stale packages on this webpage: http://ports.funtoo.org/stale/ If you want to help and use any of the packages that are listed as "stale", you can check if they are affected by any known vulnerabilities and report those on https://bugs.funtoo.org where they will be squashed as fast as possible. Thank you in advance.
Thanks!
Oleg Vinichenko, posted January 25, 2018:
There is no native GLSA-like tool in Funtoo, but it's being worked on. The GLSA tool will work with Funtoo, but it will produce some false positives. In Gentoo, security fixes are normally performed by a bump to a certain upstream version, which is an acceptable policy but not ideal. In Funtoo, for the ebuilds that are known to give problems, security fixes are backported in very much the Debian or Red Hat manner. Real example: https://glsa.gentoo.org/glsa/201801-17 says to update to version 0.57.0-r1. In Funtoo, all mentioned problems are fixed in version 0.52.0-r1. poppler is known to have an unstable ABI and it's often an intrusive update on users' boxes (not always).
znavko, posted January 12, 2018:

# eix glsa
* net-analyzer/nagios-check_glsa2 [1]
     Доступные версии: 20120930-r1
     Домашняя страница: https://github.com/craig/check_glsa2
     Описание: Nagios check script for GLSAs (Gentoo Linux Security Advisories)
[1] "net-kit" /var/git/meta-repo/kits/net-kit

# emerge --searchdesc glsa
[ Results for search key : glsa ]
Searching...
* net-analyzer/nagios-check_glsa2
     Latest version available: 20120930-r1
     Latest version installed: [ Not Installed ]
     Repository: net-kit
     Size of files: 2 KiB
     Homepage: https://github.com/craig/check_glsa2
     Description: Nagios check script for GLSAs (Gentoo Linux Security Advisories)
     License: GPL-2 BSD-2
* security
     Description: Package set that includes all packages affected by an unapplied GLSA
[ Applications found : 2 ]

https://github.com/funtoo/net-kit/tree/master/net-analyzer/nagios-check_glsa2