1.  Keeping up-to-date

Once you have successfully installed your system and ensured a good level of security, you are not done. Security is an ongoing process; the vast majority of intrusions result from known vulnerabilities in unpatched systems. Keeping your system up-to-date is the single most valuable step you can take toward greater security.

If you have a recent version of Portage installed, you can first sync your Portage tree with emerge --sync and then run glsa-check --list to check whether your system is up to date security-wise. glsa-check is part of app-portage/gentoolkit.

Code Listing 1.1: Example output of glsa-check -l

# glsa-check -l
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )
200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )
.......

Warning: glsa-check is still experimental, so if security really is your top priority, it would be wise to double-check the list against other sources.

Lines marked [A] or [U] can be almost safely ignored, as the system is not affected by those GLSAs.

Important: Please note that the usual emerge -vpuD world will not pick up all package updates. You need to use glsa-check if you want to make sure all GLSAs are fixed on your system.

Code Listing 1.2: Check all GLSAs

(Check if your system is affected by GLSAs)
# glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.

This system is affected by the following GLSA:
200504-06
200510-08
200506-14
200501-35
200508-12
200507-16

(See what packages would be emerged)
# glsa-check -p $(glsa-check -t all)
(partial output)
Checking GLSA 200504-06
The following updates will be performed for this GLSA:
     app-arch/sharutils-4.2.1-r11 (4.2.1-r10)

     **********************************************************************

Checking GLSA 200510-08
The following updates will be performed for this GLSA:
     media-libs/xine-lib-1.1.0-r5 (1.1.0-r4)

(Apply required fixes)
# glsa-check -f $(glsa-check -t all)

If you have upgraded a running service, you should not forget to restart it.
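
To run the [N] check from cron instead of by hand, the listing format shown in the glsa-check -l output above can be filtered with a small script. This is an added example, not part of the original handbook or of gentoolkit; the function names and the 000000-xx sample entries are constructed, and it assumes the affected packages sit between the final "( " and " )" of each line, as in that listing.

```sh
#!/bin/sh
# Added example (not from the handbook): report GLSAs that glsa-check marks [N].

# Constructed sample of `glsa-check -l` output; the 000000-xx entries are made up.
sample_listing() {
    cat <<'EOF'
WARNING: This tool is completely new and not very tested, so it should not be
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )
200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )
000000-00 [A] example: constructed entry, already applied ( app-misc/example )
000000-01 [N] example: constructed entry, still pending ( app-misc/example2 )
EOF
}

# Read a listing on stdin; print "id<TAB>packages<TAB>title" for each [N] line.
# Banner and legend lines are skipped because field 1 is not a GLSA id.
glsa_pending() {
    awk '$1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9]+$/ && $2 == "[N]" {
        pkgs = $0
        sub(/^.* \( /, "", pkgs)        # drop everything up to the final "( "
        sub(/ \)[ \t]*$/, "", pkgs)     # drop the closing " )"
        title = $0
        sub(/^[^ ]+ \[N\] /, "", title) # drop the id and the flag
        sub(/ \( [^()]*\)[ \t]*$/, "", title)
        printf "%s\t%s\t%s\n", $1, pkgs, title
    }'
}

# Print a report and return 1 when anything is pending, so cron mails the
# output and a monitoring check can alert on the exit status.
glsa_report() {
    pending=$(glsa_pending)
    [ -z "$pending" ] && return 0
    printf 'GLSAs that may affect this system:\n%s\n' "$pending"
    return 1
}

# Demo on the constructed sample. On a real system: glsa-check -l | glsa_report
sample_listing | glsa_report || :
```

Because cron only sends mail when a job produces output, a system with no [N] entries stays silent.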

Keeping your kernel up-to-date is also recommended.

If you want an email each time a GLSA is released, subscribe to the gentoo-announce mailing list. Instructions for joining it and many other great mailing lists can be found in the Gentoo Linux Mailing List Overview.

Another great security resource is the Bugtraq mailing list.

Page updated October 13, 2005

Copyright 2001-2014 Gentoo Foundation, Inc.