On Thu, 29 Jan 2015 16:53:43 -0800 Grant wrote:
> glsa-check is working fine, it was a slotted issue. Still curious
> about a way to check for statically linked packages.
There is no simple solution for this... The USE flags static and static-libs handle the cases where there is a choice between a static and a non-static version. In theory it is possible that some package (like a boot loader helper) can be linked only statically, so you will not be able to find it by USE flag. Though the probability of this is very low, and due to the special nature of such binaries (or libraries) the attack surface is even smaller.

So you may assume your system is reasonably secure if:
- all GLSAs are applied;
- there are no preserved libraries left (all packages using vulnerable libs must be rebuilt);
- all static binaries and libraries depending directly or indirectly on vulnerable packages are rebuilt;
- there are no running processes using deleted files (a reboot is a brute but effective way to do this; otherwise one should grep lsof -n output for "(deleted)" files in use);
- the kernel is updated to the latest version in its branch if it is still supported, or upgraded to another branch, preferably LTS, if it is EOLed already. I have not seen GLSAs for the kernel in ages, though old kernels definitely have serious security issues, and they may be far more serious than the Ghost glibc bug.

Best regards,
Andrew Savchenko
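The "(deleted) files in use" check from the list above, as an added example that is not part of the original thread or of any Gentoo tool: instead of grepping `lsof -n`, it walks `/proc/<pid>/maps`, which the kernel annotates with "(deleted)" for every mapping whose backing file has been unlinked (for example an old libc.so still mapped into a long-running daemon after the glibc update). The sample maps text, the pid 4242 and the filenames in it are constructed for the demonstration; the `--live` mode reads the real `/proc` and needs root to see other users' processes.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): report processes that
# still map files which were deleted on disk, the situation that remains after a
# library update until the affected services are restarted (or the box rebooted).

# Read /proc/<pid>/maps-style text on stdin and print "pid<TAB>path" once per
# deleted backing file. $1 is the pid used for labelling the output.
deleted_maps_in() {
    awk -v pid="$1" '
        / \(deleted\)$/ {
            # maps columns: start-end perms offset dev inode path...
            # The path may contain spaces, so join every field from the 6th on.
            path = ""
            for (i = 6; i <= NF; i++) path = path (i > 6 ? " " : "") $i
            sub(/ \(deleted\)$/, "", path)
            # Shared anonymous memory shows up as deleted /dev/zero or memfd:
            # objects; those are not on-disk files and never need a rebuild.
            if (path == "/dev/zero" || path ~ "^/memfd:") next
            if (!seen[path]++) printf "%s\t%s\n", pid, path
        }'
}

# Walk every live process on this host. Unreadable maps files (other users
# processes when not root, or processes that exited mid-scan) are skipped.
scan_live() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        { deleted_maps_in "$pid" < "$m"; } 2>/dev/null || true
    done
}

# Constructed sample of what a maps file looks like after a glibc/openssl
# update: the old libc and libssl are still mapped but gone from disk, plus
# the anonymous-memory noise that must be ignored.
SAMPLE_MAPS='7f2a4c000000-7f2a4c1a6000 r-xp 00000000 08:01 393530 /lib64/libc-2.20.so (deleted)
7f2a4c1a6000-7f2a4c3a6000 ---p 001a6000 08:01 393530 /lib64/libc-2.20.so (deleted)
7f2a4c3a6000-7f2a4c3aa000 r--p 001a6000 08:01 393530 /lib64/libc-2.20.so (deleted)
7f2a4c400000-7f2a4c460000 r-xp 00000000 08:01 401200 /usr/lib64/libssl.so.1.0.0 (deleted)
7f2a4c600000-7f2a4c601000 rw-p 00000000 00:00 0
7f2a4c700000-7f2a4c800000 rw-s 00000000 00:05 12345 /dev/zero (deleted)
7f2a4c900000-7f2a4c910000 rw-s 00000000 00:05 67890 /memfd:pulse-shm (deleted)
7f2a4d000000-7f2a4d010000 r-xp 00000000 08:01 500100 /usr/bin/some daemon (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]'

# Run the parser over the constructed sample, labelled with a made-up pid.
sample_report() {
    printf '%s\n' "$SAMPLE_MAPS" | deleted_maps_in 4242
}

case "${1-}" in
    --live) scan_live ;;
    *)      sample_report ;;
esac
```

The sample run prints three lines (libc, libssl and the two-word binary path), and nothing for the `/dev/zero` and `memfd:` mappings. On a real host, each reported pid is a service to restart after `emerge` has replaced the library; a path that still shows up after a restart means the binary itself was rebuilt or replaced and the running copy is the stale one.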