I keep my systems reasonably up to date and kind of assume that regular syncing and updating will keep it safe.
However, today I started looking at glsa-check, just to suss it out. However, either I am doing something wrong, or it is stupid. For example, GLSA 200502-09 relates to python. It says that the problem is solved if python is >=2.3.4-r1. I have 2.3.4-r1 installed. However, glsa -t 200502-09 tells me that the glsa applies to my system. There are several other similar examples.

[EMAIL PROTECTED] nick $ glsa-check -d 200502-09
WARNING: This tool is completely new and not very tested, so it should not be used on production systems. It's mainly a test tool for the new GLSA release and distribution system, it's functionality will later be merged into emerge and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using this tool AND before reporting a bug.

GLSA 200502-09: Python: Arbitrary code execution through SimpleXMLRPCServer
============================================================================
Synopsis:         Python-based XML-RPC servers may be vulnerable to remote execution of arbitrary code.
Announced on:     February 08, 2005
Last revised on:  February 08, 2005: 01
Affected package: dev-lang/python
Affected archs:   All
Vulnerable:       <=2.3.4
Unaffected:       >=2.3.4-r1 >=~2.3.3-r2 >=~2.2.3-r6
Related bugs:     80592

Background:
Python is an interpreted, interactive, object-oriented, cross-platform programming language.

Description:
Graham Dumpleton discovered that XML-RPC servers making use of the SimpleXMLRPCServer library that use the register_instance() method to register an object without a _dispatch() method are vulnerable to a flaw allowing to read or modify globals of the associated module.

Impact:
A remote attacker may be able to exploit the flaw in such XML-RPC servers to execute arbitrary code on the server host with the rights of the XML-RPC server.

Workaround:
Python users that don't make use of any SimpleXMLRPCServer-based XML-RPC servers, or making use of servers using only the register_function() method are not affected.

Resolution:
All Python users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/python

References:
CAN-2005-0089: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
Python PSF-2005-001: http://www.python.org/security/PSF-2005-001/

-- 
Nick Rout <[EMAIL PROTECTED]>

-- 
[email protected] mailing list
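The Vulnerable/Unaffected lines in the advisory above are the whole input to a check like glsa-check's, so here is an added example (written for this page; it is not the poster's code and not glsa-check's own implementation) of the comparison a GLSA tool is expected to make: a simplified Gentoo-style version parser, a matcher for one range, and the rule that a package is affected only when an installed version matches a vulnerable range and none of the unaffected ranges. The ">=~" form is treated as glsa-check's rendering of the GLSA "revision" ranges, which compare only the -rN revision within the same base version; that reading, the simplified version grammar (no leading-zero rules), and the sample versions fed in are assumptions of this example. Run against the advisory's own ranges it reports the poster's 2.3.4-r1 as not affected, which is the answer the post expected; it says nothing about why the glsa-check of the day disagreed.

```python
import re
from typing import Sequence

# Simplified Gentoo version grammar (assumption of this example): dotted
# numbers, optional single letter, optional _alpha/_beta/_pre/_rc/_p
# suffixes, optional -rN revision. Portage's leading-zero rules are omitted.
_VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
# Suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}


def parse_version(version: str) -> tuple:
    """Turn '2.3.4-r1' into a tuple that sorts the way Portage orders versions."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group("num").split("."))
    letter = ord(m.group("letter")) - ord("a") + 1 if m.group("letter") else 0
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(count or 0))
        for name, count in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ) or ((0, 0),)  # no suffix sorts between _rc and _p
    revision = int(m.group("rev") or 0)  # a missing -rN is -r0
    return (numbers, letter, suffixes, revision)


def base_version(parsed: tuple) -> tuple:
    """Everything except the -rN revision."""
    return parsed[:3]


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}
_RANGE_RE = re.compile(r"^(<=|>=|<|>|=)(~?)(.+)$")


def version_in_range(installed: str, spec: str) -> bool:
    """Does the installed version fall inside one GLSA range such as '<=2.3.4'?

    A '~' after the operator (assumed here to be glsa-check's rendering of the
    GLSA revision ranges) restricts the comparison to the -rN revision of the
    same base version: '>=~2.3.3-r2' means 2.3.3-r2, 2.3.3-r3, ... and nothing else.
    """
    m = _RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    op, revision_only, bound = m.group(1), bool(m.group(2)), parse_version(m.group(3))
    have = parse_version(installed)
    if revision_only:
        if base_version(have) != base_version(bound):
            return False
        return _OPS[op](have[3], bound[3])
    return _OPS[op](have, bound)


def glsa_applies(installed: Sequence[str], vulnerable: Sequence[str],
                 unaffected: Sequence[str]) -> list:
    """Return the installed versions the advisory still applies to.

    A version is affected when it matches at least one vulnerable range and
    none of the unaffected ranges; an unaffected match always wins.
    """
    return [
        v for v in installed
        if any(version_in_range(v, r) for r in vulnerable)
        and not any(version_in_range(v, r) for r in unaffected)
    ]


# Ranges exactly as printed in the GLSA 200502-09 output quoted in the post.
GLSA_200502_09_VULNERABLE = ["<=2.3.4"]
GLSA_200502_09_UNAFFECTED = [">=2.3.4-r1", ">=~2.3.3-r2", ">=~2.2.3-r6"]

if __name__ == "__main__":
    # Constructed sample: the poster's installed python plus a few neighbours.
    for v in ["2.3.4-r1", "2.3.4", "2.3.3-r1", "2.3.3-r2", "2.2.3-r6", "2.3.4_rc1"]:
        hit = glsa_applies([v], GLSA_200502_09_VULNERABLE, GLSA_200502_09_UNAFFECTED)
        print(f"{v:10s} -> {'applies' if hit else 'not affected'}")
```

The detail worth keeping in mind when debugging a false positive like the one in the post is the last step of parse_version: a version with no -rN must compare as -r0, otherwise "2.3.4-r1" and "2.3.4" look equal and "<=2.3.4" wrongly swallows the fixed revision.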
