Hi, I have been reading a little more on the libc vulnerability now called
Ghost. I have a question:

Does using something like the Grsecurity kernel help prevent these types of
vulnerabilities?
In Ghost's case, would a Grsecurity kernel help?

Stephen:
Doesn't apticron do the same job as your script?

2015-01-28 13:48 GMT-06:00 Stephen Dowdy <sdo...@ucar.edu>:

> On Wed, Jan 28, 2015 at 1:59 AM, Paul Wise <p...@debian.org> wrote:
> > On Wed, Jan 28, 2015 at 4:06 PM, Tiberiu Popescu wrote:
> ...
> > You could install and configure the unattended-upgrades package
> > instead of using apticron. Please note that you still need to do
> > reboots after Linux kernel updates and relevant restart processes
> > after library upgrades. You can use needrestart (jessie and later) or
> > checkrestart (from debian-goodies) to find out which processes to
> > restart.
>
> ISTM, this libc6 update should have triggered a
> /var/run/reboot-required creation, but it didn't. (yeah, it's
> debatable, but for the average person, you probably want them to
> recognize a reboot is safest after a significant 'libc' security
> update -- else more savvy users can figure out to restart critical
> daemons if needed)
>
>
> Here's a script, 'apt-whatsup', I use for showing me what patches are
> outstanding (packages that are upgradeable and current and upgradeable
> versions).  It operates similarly to 'aptitude's 'versions' argument,
> but in a more concise layout.  It allows selection of security-only
> updates via a '-s' option.
>
> AFAICT, a *security* update is only a security update because of where
> it comes from (sources.list) by convention/decree.
> It's just the same as any other package (the package metadata does not
> contain anything identifying the package as a "security" update).
>
> So, my script may need some adjustment for your environment if your
> Debian-Security 'deb' source doesn't look like mine.  Or, if you're
> using 'squeeze-lts', which is presumed to be 'security only' updates
> (Release file 'Label' field won't have "Security" in it), or if you
> have 3rd party security repos, or a multi-release (e.g.
> stable+testing)...   In that case, you should probably re-architect to
> have an /etc/apt/source.list.d/security-updates.list  that contains
> all your security repos which my script will use directly (if it
> exists), rather than trying to ascertain which sources are security
> sources and creating a temp sources.list.
>
> If anyone has more insight, let me know.
>
> # Get help
>     # ./apt-whatsup -h
>     apt-whatsup:
>         apt-whatsup [ -d ] [ -n ] [ -s ] [ -k | {search-pattern} ]
>
>     This program reports all the outstanding Debian Package Updates
>     for this system.
>
>         -d  debug
>         -k  display kernel only updates pending
>         -n  don't do 'aptitude update' phase
>         -s  display security updates only
>         {search-pattern}     any apt-regex search pattern
>            e.g. "cups", "^apache2$"
>
> # See what packages and versions (current/upgradeable) are in play for upgradeable packages
>     # ./apt-whatsup
>     Warning, no aptitude update performed, results may be inaccurate...
>     apache2-mpm-worker                  2.2.22-13+deb7u3    2.2.22-13+deb7u4
>     apache2-utils                       2.2.22-13+deb7u3    2.2.22-13+deb7u4
>     apache2.2-bin                       2.2.22-13+deb7u3    2.2.22-13+deb7u4
>     apache2.2-common                    2.2.22-13+deb7u3    2.2.22-13+deb7u4
>     ...
>
> # How many upgradable packages are outstanding (use '-n' to avoid aptitude update, since
> # we already did that implicitly in the previous invocation)
>     # ./apt-whatsup  -n | wc -l
>     Warning, no aptitude update performed, results may be inaccurate...
>     79
>
> # How many upgradable packages are from security repos
>     # ./apt-whatsup  -s -n | wc -l
>     Warning, no aptitude update performed, results may be inaccurate...
>     67
>
> # see if we have a glibc/libc6 security update available
>     # ./apt-whatsup -s -n '(glibc|libc6)'
>     Warning, no aptitude update performed, results may be inaccurate...
>     glibc-doc                           2.13-38+deb7u6    2.13-38+deb7u7
>     libc6                               2.13-38+deb7u6    2.13-38+deb7u7
>     libc6:i386                          2.13-38+deb7u6    2.13-38+deb7u7
>     libc6-dev                           2.13-38+deb7u6    2.13-38+deb7u7
>     libc6-i386                          2.13-38+deb7u6    2.13-38+deb7u7
>
> --stephen
> --
> Stephen Dowdy  -  Systems Administrator  -  NCAR/RAL
> 303.497.2869   -  sdo...@ucar.edu        -
> http://www.ral.ucar.edu/~sdowdy/
>



-- 
*Please avoid sending me attachments in Word, Excel or PowerPoint format.
As an alternative, you can send me documents in odt, odx or ods format, as
well as documents in pdf format. If it is really necessary to send me a
document in Word format, please use the .doc format instead of .docx.
See http://www.gnu.org/philosophy/no-word-attachments.html
http://es.libreoffice.org/
http://getgnulinux.org/es*

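An added example, not part of the thread and not how checkrestart or needrestart are implemented: the advice quoted above about restarting processes after library upgrades comes down to finding processes that still map the pre-upgrade libc. The function names and the sample /proc-like tree below are constructed for illustration.

```shell
#!/bin/sh
# Added example. After a libc6 upgrade the old library file is unlinked, but a
# running process keeps it mapped; /proc/PID/maps then shows "(deleted)".

# stale_libc_in_maps FILE: succeed if FILE (in /proc/PID/maps format) has an
# executable mapping of a libc shared object whose file was deleted.
stale_libc_in_maps() {
    awk '
        # fields: address perms offset dev inode pathname [(deleted)]
        $2 ~ /x/ && $6 ~ "/libc[-.][^/]*so[^/]*$" && $NF == "(deleted)" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# scan_stale_libc [PROCROOT]: print "PID COMMAND" for each process to restart.
scan_stale_libc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if stale_libc_in_maps "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            printf '%s %s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# make_sample_proc DIR: constructed /proc-like tree (sample data, not real).
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo sshd > "$1/101/comm"
    echo cron > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
7f3a1c000000-7f3a1c182000 r-xp 00000000 08:01 393231 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f3a1c800000-7f3a1c816000 r-xp 00000000 08:01 393500 /lib/x86_64-linux-gnu/libz.so.1.2.7
EOF
    cat > "$1/202/maps" <<'EOF'
7f9b2c000000-7f9b2c182000 r-xp 00000000 08:01 393400 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
}

# Demo on the constructed tree; on a real host run scan_stale_libc as root.
tmp=$(mktemp -d)
make_sample_proc "$tmp"
scan_stale_libc "$tmp"
rm -rf "$tmp"
```

Without root, only the caller's own processes have readable maps files, so the real scan under-reports.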