How to emerge the security updates only

4 August 2007

Security updates are good

In Gentoo Linux there is, of course, a graphical frontend for doing updates (called 'Porthole'); the command-line interface, however, is called emerge.

The object of the command can be a package name ('ebuild' in Gen-speak), for example gedit or epiphany, or it can be a 'set'. There are two sets, system and world.

The system set is the bare basics needed for the system to be able to run and to recompile itself. The world set is everything you have installed already.

I moan often that this is a bit blunt, a bit un-Gentoo-ish; Gentoo is all about choice, after all. Sometimes, when you have a system set up and optimised for a specific function, it may well be working and you want it to change as little as possible. If it is a networked device, you only want to do the updates necessary to keep the computer secure; you do not want new features, and you want as few disruptive changes as possible.

The great thing about computers is that there is always a way to do something. However, the way is often just hard to figure out or you have not bumped into a person that knows the answer yet. So if you moan to everyone, someone will give up and tell you. Today I moaned on IRC and igli told me the answer.

gentoolkit is a "collection of administration scripts for Gentoo". Out of interest, it has a sister package called gentoolkit-dev, which is a "collection of developer scripts for Gentoo". Also interesting is that many (all?) of these tools are written in Python.

One of the tools in gentoolkit is called glsa-check.

Enter the Dragon

Gentoo Linux Security Announcements (GLSAs) are short reports written by the Gentoo security team. They help us keep secure and are also a respected source of information in the wider mainstream security community. (For more about the GLSAs, read my recent interview with Matt Drew of the Gentoo Linux Security Team.)

As well as being published online, the GLSAs are pushed out directly to users through portage updates. glsa-check is a fabulous little tool that aims to allow you to automate the monitoring of the GLSAs, and in turn, act on them automatically.

glsa-check quick guide

The tool has lots of options, but I will stick to the basics here.

Firstly, we can test the system against the security reports:

    $ glsa-check -t all
    This system is affected by the following GLSAs:
    200707-05
    200707-13

So this server has two issues, the report from the 5th July and the one from the 13th July. Let's see what they are:

    $ glsa-check -l affected
    200707-05 [N] Webmin, Usermin: Cross-site scripting vulnerabilities ( app-admin/webmin app-admin/usermin )
    200707-13 [N] Fail2ban: Denial of Service ( net-analyzer/fail2ban )

To read the full reports we can type:

    $ glsa-check -d affected

These reports are well structured and formally written. Therefore if you work in an environment with change management and you have to write a report for every change you make, these may be dead handy to cut and paste from.

Now we want to see how the system proposes to fix them:

    $ glsa-check -p affected
    Checking GLSA 200707-05
    The following updates will be performed for this GLSA:
    app-admin/webmin-1.350 (1.320)

    Checking GLSA 200707-13
    The following updates will be performed for this GLSA:
    net-analyzer/fail2ban-0.8.0-r1 (0.7.9)

Webmin will be upgraded from version 1.320 to 1.350, and fail2ban will upgrade from 0.7.9 to 0.8.0-r1.

We are happy with that, so let's run the fixes:

    # glsa-check -f affected

The fix element of it is still labelled as experimental, but it worked well for me. Of course, this was a verbose way of doing it for the sake of the tutorial; in normal usage, one or two of the commands will do the trick.
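The whole check, report, fix sequence above, wrapped into a small POSIX shell script as an added example (this is not code from the original post or from gentoolkit). It parses the `-t` output for GLSA identifiers, files the `-l` and `-p` output as a change-management note, and only runs the experimental `-f` when explicitly asked. The script name, the `APPLY` variable and the sample output embedded for offline testing are my own assumptions; only the glsa-check options come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the glsa-check workflow as a script.
# Assumes app-portage/gentoolkit is installed so that glsa-check is on PATH.

# Constructed sample of `glsa-check -t all` output, used for offline testing.
SAMPLE_TEST_OUTPUT='This system is affected by the following GLSAs:
200707-05
200707-13'

# Pull GLSA identifiers (YYYYMM-NN) out of `glsa-check -t` output, one per line.
parse_glsa_ids() {
    printf '%s\n' "$1" | grep -oE '[0-9]{6}-[0-9]{2}' || true
}

# Number of GLSAs the system is affected by (prints 0 when none are listed).
count_affected() {
    parse_glsa_ids "$1" | grep -c . || true
}

# Record what is outstanding and what -f would change, for a change-management
# note. Returns non-zero when anything is affected so cron or monitoring notices.
glsa_report() {
    out="${1:-glsa-report-$(date +%Y%m%d).txt}"   # assumed file name
    ids=$(parse_glsa_ids "$(glsa-check -t all 2>/dev/null)")
    if [ -z "$ids" ]; then
        echo "No outstanding GLSAs" | tee "$out"
        return 0
    fi
    {
        echo "Affected GLSAs as of $(date -u +%Y-%m-%dT%H:%M:%SZ):"
        glsa-check -l affected      # one-line summary per advisory
        echo
        glsa-check -p affected      # packages that would be upgraded (old version in brackets)
    } | tee "$out"
    return 1
}

# Apply the fixes only when APPLY=1 is set: -f is still marked experimental,
# so the report should be read (and filed) first.
glsa_fix() {
    if [ "${APPLY:-0}" = "1" ]; then
        glsa-check -f affected
    else
        echo "Set APPLY=1 to run 'glsa-check -f affected'" >&2
        return 2
    fi
}
# Usage: . ./glsa-helper.sh; glsa_report; APPLY=1 glsa_fix
```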

As well as being helpful for dedicated machines, the glsa-check command can also help tide over a system until a set update time (e.g. once a quarter). I'll keep using it and I'll let you know how I get on with it.

About

Hello, my name is Zeth, I'll be your host here.
