Hi:

I received this e-mail from the Debian Security Team today and need to know the correct way of handing this {Vulnerability : denial of service}

Package : trousers
Vulnerability : denial of service
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-0698
Debian Bug : 692649

Andy Lutomirski discovered that tcsd (the TPM userspace daemon) was missing a
of input validation. Using carefully crafted input, it can lead to a denial of
service by making the daemon crash with a segmentation fault.

For the stable (squeeze), testing, (wheezy) and unstable (sid) the message says that the problem has been fixed and for me to upgrade my trousers packages.

Is this as simple as opening the terminal and running:
And than run:
Is this what practice you'd perform in regard to this?

I looked up these pkg's as it was the first I had heard of them.
http://packages.debian.org/search?keywords=trousers

In what way do these trouser packages aid in performance to the OS?

Or are these packages an assistant to the architecture of my computer some how?

Thanks in advance

A good place to start when you wonder about a package is Synaptic. I had never heard of this package either so I looked there. This is the discription provided;
[quote]
TrouSerS is an implementation of the Trusted Computing Group's Software Stack
(TSS) specification. You can use TrouSerS to write applications that make use
of your TPM hardware. TPM hardware can create, store and use RSA keys securely
(without ever being exposed in memory), verify a platform's software state
using cryptographic hashes and more.

TrouSerS aims to be compliant with the 1.1b and 1.2 TSS specifications
available from the Trusted Computing Group website at
<http://www.trustedcomputinggroup.org/>.
[/code]
I think it is pretty obvious that it is not needed for your computer unless you are writing effected code for programs.

If you are not in need of this package removing it would be the best thing to do.

If you need it the best thing to do is to upgrade the package as recommended by Debian. This is the reason for most packages in Squeeze. Simple security upgrades.

You should keep your system up to date all the time. Running those commands is one very good way of doing that.

All my installs get checked everyday for any package upgrades.

I have apt-listbugs installed and not all the packages that have new versions, particularly in testing and Sid, get upgraded. Some buggy upgrades may break those systems.

Not being sure if you understand the commands and the meaning of them here it is in brief.

You have a package list of available packages in the Debian repos. When you run either "aptitude update" or "apt-get update" that package list is updated.

You then run the "upgrade" command in either aptitude or apt-get. This will match packages that have upgraded versions to packages installed on your system. You will get a list of proposed upgrades and you have the choice of doing it or not. Genereally, particularly in Debian stable (Squeeze) this is a very good idea.

With the upgrade command you may find that some packages are going to be held back. This is usually because some other package is going to be removed or installed with the upgrade of the "held" package. Once again, in Squeeze, this is usually a great thing to do.

In testing and Sid you may want to look carefully at what is going to be removed carefully. Usually there is a package being installed that replaces the one to be removed. Could also be that the package to be removed is no longer needed after the "held" package is upgraded. This would be a change in depends due to the "held" packages upgraded code.

Widget:

Thanks for the fast reply.

Until today I had never heard of Trusted Computing Groups thanks for the link to the website.

I don't write code for programs so I'll look for it in my Synaptic Package Manager and mark it for removal.
In the future I'll look in Synaptic if I get to wondering again about a unknown package.

In the past I found that some packages had been held back when I executed the cmd 'aptitude upgrade' or 'apt-get upgrade' The terminal has given me this message (about pkg's being held back) before. At that point I had wondered if there was another step I should of taken?

Once each month I run:
'aptitude autoclean' to empty out old updates installed on my system that are no longer needed.

There are three ways that I think are best to do upgrades on your system.

Apt-get and aptitude are the best. I, personally prefer apt-get.

To get the "held" packages upgraded use;
or
The third way to get package upgrades done is use Synaptic if you prefer a gui. It is simply a front end for apt-get. It will do the packages "held" by apt-get in the first pass along with the packages that apt-get and aptitude will not hold.

You will get better information on what is being done using either apt-get or aptitude.

In the past it has been a bad idea to mix using apt-get and aptitude. This was because it would mess with the status of a package. Packages that were installed as depends could appear to be manually installed and therefore recommended for removal (status should be "automatic" instead of "manual"). This is no longer the case, however, so you can use either or both.

I generally us apt-get but occasionnally use aptitude for things it will do better or things it will do that apt-get will not. Both are great tools.

I'll use the commands that you posted to get the 'held' packages from now on; Thanks Widget-

You said:
{ "In the past it has been a bad idea to mix using apt-get and aptitude."}
The truth on that is that I have been using and ran:
for the longest time and recently I started using:
Based on your counsel I now understand that I need to stick with one or the other. Not switch back and forth between the 2 commands.

You mentioned that occasionally you'll use <aptitude> for things it will do better.
How can I know or how will I be able to tell when that 'occasionally' applies?

It is safe to use both now. The "status" problem was cleared up 2-3 years ago.

This is great because they are both great tools and some things are just easier to do in one than in the other.

Glad the problem was cleared up-

Thanks for the good advice and clarification on the proper tools I should be using.
Have a good weekend Widget!