guix-devel

Security warnings (was Re: glibc update)


From: Pjotr Prins
Subject: Security warnings (was Re: glibc update)
Date: Thu, 18 Feb 2016 07:45:32 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Someone noted that you can run a compromised glibc for a long time on
Guix without realizing.

How expensive would it be that every time you run Guix it would check
for compromised versions and issue a warning like this:

  WARNING: version x.x of package name installed on your system has
  security concerns, please see URL and update the package to y.y or
  later.

In the URL we give a fuller description and a list of packages that
may need to be updated. Very long in the case of glibc.

Pj.

On Wed, Feb 17, 2016 at 01:27:22PM -0500, Leo Famulari wrote:
> No, it doesn't graft. And it produces the same "version" of glibc, but with a 
> patch applied for CVE-2015-7547.
> 
> Well, you would make sure you cherry-pick the right hash. I can't confirm 
> that from my phone.
> 
> 
> -------- Original Message --------
> From: Jookia <address@hidden>
> Sent: February 17, 2016 11:28:33 AM EST
> To: Leo Famulari <address@hidden>
> Cc: address@hidden
> Subject: Re: glibc update
> 
> On Wed, Feb 17, 2016 at 11:14:19AM -0500, Leo Famulari wrote:
> > I tried this. The resulting process downloaded the bootstrap binaries
> > and appeared to rebuild *everything*. I haven't had time to figure out
> > what actually got rebuilt and if anything is still using the vulnerable
> > glibc.
> 
> This doesn't graft does it? It'd just bump glibc's version.
> 
> 

-- 
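A sketch of the check proposed in this message, added here as a Python example (it is not Guix code and not from anyone in the thread). The advisory record, store hashes, version numbers and URL are constructed placeholders; the second mode covers the case Leo describes, where a patched glibc keeps the same version string, so a version-only comparison would keep warning.

```python
import re

# Store items are named /gnu/store/<hash>-<name>-<version>.
STORE_ITEM = re.compile(r"^/gnu/store/([0-9a-z]{32})-(.+)-(\d[^-/]*)$")

# Constructed advisory record: versions, hash and URL are placeholders.
ADVISORIES = [{
    "id": "CVE-2015-7547",
    "name": "glibc",
    "fixed_in": "2.23",
    "url": "https://example.org/advisories/CVE-2015-7547",
    # Builds that keep an affected version string but carry the patch.
    "patched_hashes": {"b" * 32},
}]

# Constructed list of installed store items.
INSTALLED = [
    "/gnu/store/" + "a" * 32 + "-glibc-2.22",               # unpatched
    "/gnu/store/" + "b" * 32 + "-glibc-2.22",               # same version, patched
    "/gnu/store/" + "c" * 32 + "-glibc-utf8-locales-2.22",  # different package
    "/gnu/store/" + "d" * 32 + "-glibc-2.23",               # already updated
]

def version_key(version):
    """Turn '2.22' into (2, 22) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def check(installed, advisories, use_hashes=True):
    """Return one warning per installed item that an advisory still covers."""
    warnings = []
    for path in installed:
        m = STORE_ITEM.match(path)
        if not m:
            continue  # not a <hash>-<name>-<version> item
        digest, name, version = m.groups()
        for adv in advisories:
            if name != adv["name"]:
                continue
            if version_key(version) >= version_key(adv["fixed_in"]):
                continue
            if use_hashes and digest in adv["patched_hashes"]:
                continue  # patched build that kept the old version string
            warnings.append(
                f"WARNING: version {version} of {name} installed on your "
                f"system has security concerns, please see {adv['url']} and "
                f"update the package to {adv['fixed_in']} or later.")
    return warnings

if __name__ == "__main__":
    print("\n".join(check(INSTALLED, ADVISORIES)))
```

The whole check is a single pass over the installed items with a set lookup per advisory; calling it with `use_hashes=False` shows the version-only behaviour, which also flags the patched build.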