Hi, I have been reading a little more on the libc vulnerability now called GHOST. I have a question:
Does using something like the Grsecurity kernel help prevent these types of vulnerabilities? In GHOST's case, would a Grsecurity kernel help?

Stephen: doesn't apticron do the same job as your script?

2015-01-28 13:48 GMT-06:00 Stephen Dowdy <sdo...@ucar.edu>:
> On Wed, Jan 28, 2015 at 1:59 AM, Paul Wise <p...@debian.org> wrote:
> > On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:
> ...
> > You could install and configure the unattended-upgrades package
> > instead of using apticron. Please note that you still need to do
> > reboots after Linux kernel updates and relevant restart processes
> > after library upgrades. You can use needrestart (jessie and later) or
> > checkrestart (from debian-goodies) to find out which processes to
> > restart.
>
> ISTM, this libc6 update should have triggered a /var/run/reboot-required
> creation, but it didn't. (Yeah, it's debatable, but for the average person,
> you probably want them to recognize a reboot is safest after a significant
> 'libc' security update -- else more savvy users can figure out to restart
> critical daemons if needed.)
>
> Here's a script, 'apt-whatsup', I use for showing me what patches are
> outstanding (packages that are upgradeable, and current and upgradeable
> versions). It operates similarly to aptitude's 'versions' argument, but in
> a more concise layout. It allows selection of security-only updates via a
> '-s' option.
>
> AFAICT, a *security* update is only a security update because of where it
> comes from (sources.list) by convention/decree. It's just the same as any
> other package (the package metadata does not contain anything identifying
> the package as a "security" update).
>
> So, my script may need some adjustment for your environment if your
> Debian-Security 'deb' source doesn't look like mine. Or, if you're using
> 'squeeze-lts', which is presumed to be 'security only' updates (the Release
> file 'Label' field won't have "Security" in it), or if you have 3rd party
> security repos, or a multi-release (e.g. stable+testing)... In that case,
> you should probably re-architect to have an
> /etc/apt/source.list.d/security-updates.list that contains all your
> security repos, which my script will use directly (if it exists), rather
> than trying to ascertain which sources are security sources and creating a
> temp sources.list.
>
> If anyone has more insight, let me know.
>
> # Get help
> # ./apt-whatsup -h
> apt-whatsup:
> apt-whatsup [ -d ] [ -n ] [ -s ] [ -k | {search-pattern} ]
>
> This program reports all the outstanding Debian Package Updates
> for this system.
>
> -d                 debug
> -k                 display kernel only updates pending
> -n                 don't do 'aptitude update' phase
> -s                 display security updates only
> {search-pattern}   any apt-regex search pattern
>                    e.g. "cups", "^apache2$"
>
> # See what packages and versions (current/upgradeable) are in play for upgradeable packages
> # ./apt-whatsup
> Warning, no aptitude update performed, results may be inaccurate...
> apache2-mpm-worker   2.2.22-13+deb7u3   2.2.22-13+deb7u4
> apache2-utils        2.2.22-13+deb7u3   2.2.22-13+deb7u4
> apache2.2-bin        2.2.22-13+deb7u3   2.2.22-13+deb7u4
> apache2.2-common     2.2.22-13+deb7u3   2.2.22-13+deb7u4
> ...
>
> # How many upgradable packages are outstanding (use '-n' to avoid aptitude update, since
> # we already did that implicitly in the previous invocation)
> # ./apt-whatsup -n | wc -l
> Warning, no aptitude update performed, results may be inaccurate...
> 79
>
> # How many upgradable packages are from security repos
> # ./apt-whatsup -s -n | wc -l
> Warning, no aptitude update performed, results may be inaccurate...
> 67
>
> # see if we have a glibc/libc6 security update available
> # ./apt-whatsup -s -n '(glibc|libc6)'
> Warning, no aptitude update performed, results may be inaccurate...
> glibc-doc    2.13-38+deb7u6   2.13-38+deb7u7
> libc6        2.13-38+deb7u6   2.13-38+deb7u7
> libc6:i386   2.13-38+deb7u6   2.13-38+deb7u7
> libc6-dev    2.13-38+deb7u6   2.13-38+deb7u7
> libc6-i386   2.13-38+deb7u6   2.13-38+deb7u7
>
> --stephen
> --
> Stephen Dowdy - Systems Administrator - NCAR/RAL
> 303.497.2869 - sdo...@ucar.edu - http://www.ral.ucar.edu/~sdowdy/

--
Please avoid sending me attachments in Word, Excel or PowerPoint format. As an alternative you can send me documents in odt, odx or ods format, as well as documents in pdf format. If it is really necessary to send me a document in Word format, please use the .doc format instead of .docx. See http://www.gnu.org/philosophy/no-word-attachments.html
http://es.libreoffice.org/
http://getgnulinux.org/es
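As an added illustration of the two points in the quoted message (a "security" update is identified only by the repository it comes from, and a libc6 or kernel update is not finished until the affected processes are restarted), here is a small shell script that is not Stephen's apt-whatsup and not part of the thread. It assumes the "Inst" line layout of `apt-get -s upgrade` and the Debian-Security Release label; the sample lines are constructed, not captured output.

```shell
#!/bin/sh
# Added example (not Stephen's apt-whatsup): classify pending upgrades by the
# repository label they come from, the "where it comes from" test the thread
# describes. Input: the Inst lines of "apt-get -s upgrade", which apt prints as
#   Inst <pkg> [<current>] (<candidate> <Label>:<ver>/<suite> [<arch>])
# <Label> is the Release file's Label field (Debian-Security for
# security.debian.org); LTS or third-party repos differ, so it is a parameter.

# Reduce each Inst line to "pkg current candidate label"; lines for brand-new
# packages (no [current]) are skipped on purpose.
parse_inst_lines() {
    sed -n 's/^Inst \([^ ]*\) \[\([^]]*\)\] (\([^ ]*\) \([^:]*\):.*/\1 \2 \3 \4/p'
}

# Keep only rows whose label equals $1 (default Debian-Security).
security_only() {
    awk -v l="${1:-Debian-Security}" '$4 == l { print $1, $2, $3 }'
}

# The reminder from the thread: a kernel image needs a reboot, a libc6 upgrade
# needs every process still using the old libc restarted (needrestart or
# checkrestart will list them).
restart_hints() {
    awk '$1 ~ /^linux-image-/ { print $1 ": reboot required"; next }
         $1 == "libc6" || $1 ~ /^libc6:/ { print $1 ": restart processes using the old libc (needrestart/checkrestart)" }'
}

# Constructed sample of Inst lines (versions modelled on the thread; origin,
# suite and arch fields made up for the example, not real apt output).
SAMPLE_INST='Inst apache2-utils [2.2.22-13+deb7u3] (2.2.22-13+deb7u4 Debian-Security:7.8/oldstable [amd64])
Inst libc6 [2.13-38+deb7u6] (2.13-38+deb7u7 Debian-Security:7.8/oldstable [amd64])
Inst glibc-doc [2.13-38+deb7u6] (2.13-38+deb7u7 Debian-Security:7.8/oldstable [all])
Inst vim-common [2:7.3.547-7] (2:7.3.547-8 Debian:7.8/oldstable [amd64])'

# Security rows from the sample; live use: apt-get -s upgrade | parse_inst_lines | security_only
pending_security() {
    printf '%s\n' "$SAMPLE_INST" | parse_inst_lines | security_only "$1"
}
pending_security_count() { pending_security "$1" | awk 'END { print NR }'; }

report() {
    pending_security
    echo "security updates pending: $(pending_security_count)"
    pending_security | restart_hints
}
report
```

Pass a different label (for example the one in your LTS or third-party Release file) as the first argument to `pending_security` when your security source is not security.debian.org.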