Trousers security update
Hi:
I received this e-mail from the Debian Security Team today and need to know the correct way of handling this {Vulnerability : denial of service}

Package : trousers
Vulnerability : denial of service
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-0698
Debian Bug : 692649

Andy Lutomirski discovered that tcsd (the TPM userspace daemon) was missing a of input validation. Using carefully crafted input, it can lead to a denial of service by making the daemon crash with a segmentation fault.

For the stable (squeeze), testing, (wheezy) and unstable (sid) the message says that the problem has been fixed and for me to upgrade my trousers packages. Is this as simple as opening the terminal and running:
Code:
aptitude update
Code:
aptitude upgrade |
I looked up these pkg's as it was the first I had heard of them.
http://packages.debian.org/search?keywords=trousers
In what way do these trouser packages aid in performance to the OS? Or are these packages an assistant to the architecture of my computer somehow? Thanks in advance |
A good place to start when you wonder about a package is Synaptic. I had never heard of this package either so I looked there. This is the description provided;
[quote] TrouSerS is an implementation of the Trusted Computing Group's Software Stack (TSS) specification. You can use TrouSerS to write applications that make use of your TPM hardware. TPM hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. TrouSerS aims to be compliant with the 1.1b and 1.2 TSS specifications available from the Trusted Computing Group website at <http://www.trustedcomputinggroup.org/>. [/quote]
I think it is pretty obvious that it is not needed for your computer unless you are writing effected code for programs. If you are not in need of this package removing it would be the best thing to do. If you need it the best thing to do is to upgrade the package as recommended by Debian. This is the reason for most packages in Squeeze. Simple security upgrades.

You should keep your system up to date all the time. Running those commands is one very good way of doing that. All my installs get checked every day for any package upgrades. I have apt-listbugs installed and not all the packages that have new versions, particularly in testing and Sid, get upgraded. Some buggy upgrades may break those systems.

Not being sure if you understand the commands and the meaning of them here it is in brief. You have a package list of available packages in the Debian repos. When you run either "aptitude update" or "apt-get update" that package list is updated. You then run the "upgrade" command in either aptitude or apt-get. This will match packages that have upgraded versions to packages installed on your system. You will get a list of proposed upgrades and you have the choice of doing it or not. Generally, particularly in Debian stable (Squeeze) this is a very good idea.

With the upgrade command you may find that some packages are going to be held back. This is usually because some other package is going to be removed or installed with the upgrade of the "held" package. Once again, in Squeeze, this is usually a great thing to do. In testing and Sid you may want to look carefully at what is going to be removed. Usually there is a package being installed that replaces the one to be removed. Could also be that the package to be removed is no longer needed after the "held" package is upgraded. This would be a change in depends due to the "held" packages upgraded code. |
Widget:
Thanks for the fast reply. Until today I had never heard of Trusted Computing Groups, thanks for the link to the website. I don't write code for programs so I'll look for it in my Synaptic Package Manager and mark it for removal. In the future I'll look in Synaptic if I get to wondering again about an unknown package.

In the past I found that some packages had been held back when I executed the cmd 'aptitude upgrade' or 'apt-get upgrade'. The terminal has given me this message (about pkg's being held back) before. At that point I had wondered if there was another step I should have taken? Once each month I run: 'aptitude autoclean' to empty out old updates installed on my system that are no longer needed. |
There are three ways that I think are best to do upgrades on your system.
Apt-get and aptitude are the best. I personally prefer apt-get. To get the "held" packages upgraded use;
Code:
apt-get dist-upgrade
Code:
aptitude full-upgrade
You will get better information on what is being done using either apt-get or aptitude.

In the past it has been a bad idea to mix using apt-get and aptitude. This was because it would mess with the status of a package. Packages that were installed as depends could appear to be manually installed and therefore recommended for removal (status should be "automatic" instead of "manual"). This is no longer the case, however, so you can use either or both. I generally use apt-get but occasionally use aptitude for things it will do better or things it will do that apt-get will not. Both are great tools. |
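Added example, not part of the thread: a way to see what the "upgrade" step described above would do before running it, by parsing the simulated output of `apt-get -s upgrade` for held-back packages and for a pending fix such as the trousers one. The sample output, the held package names and the version strings are constructed placeholders.

```sh
#!/bin/sh
# Added example. Constructed sample of `apt-get -s upgrade` output; the held
# package names and the OLD-VERSION/NEW-VERSION strings are placeholders.
sample_output() {
cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  example-held-a example-held-b
The following packages will be upgraded:
  trousers
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst trousers [OLD-VERSION] (NEW-VERSION Debian-Security:6.0/stable [amd64])
Conf trousers (NEW-VERSION Debian-Security:6.0/stable [amd64])
EOF
}

# Packages a plain "upgrade" holds back, one per line (read from stdin).
kept_back() {
  awk '
    /^The following packages have been kept back:/ { in_list = 1; next }
    in_list && /^  / { for (i = 1; i <= NF; i++) print $i; next }
    { in_list = 0 }
  '
}

# "package old -> new" for each installed package the run would upgrade.
pending_upgrades() {
  awk '$1 == "Inst" && $3 ~ /^\[/ {
    old = $3; new = $4
    sub(/^\[/, "", old); sub(/\]$/, "", old); sub(/^\(/, "", new)
    print $2, old, "->", new
  }'
}

# Exit 0 if the named package is among the pending upgrades, 1 otherwise.
is_pending() {
  pending_upgrades | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Demo on the sample; on a real system use: apt-get -s upgrade | kept_back
echo "Held back:"; sample_output | kept_back
echo "Would upgrade:"; sample_output | pending_upgrades
if sample_output | is_pending trousers; then
  echo "trousers fix is pending: run the upgrade"
fi
```

The `-s` option only simulates, so nothing is installed or removed while checking.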
I'll use the commands that you posted to get the 'held' packages from now on; Thanks Widget-
You said: { "In the past it has been a bad idea to mix using apt-get and aptitude."}
The truth on that is that I have been using and ran:
Code:
apt-get upgrade
Code:
aptitude
You mentioned that occasionally you'll use <aptitude> for things it will do better. How can I know or how will I be able to tell when that 'occasionally' applies? |
Quote:
This is great because they are both great tools and some things are just easier to do in one than in the other. |
Glad the problem was cleared up-
Thanks for the good advice and clarification on the proper tools I should be using. Have a good weekend Widget!;) |