LinuxQuestions.org
Old 11-23-2012, 09:55 AM   #1
Ztcoracat
Trousers security update


Hi:

I received this e-mail from the Debian Security Team today and need to know the correct way of handling this {Vulnerability : denial of service}

Package : trousers
Vulnerability : denial of service
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-0698
Debian Bug : 692649

Andy Lutomirski discovered that tcsd (the TPM userspace daemon) was missing a
of input validation. Using carefully crafted input, it can lead to a denial of
service by making the daemon crash with a segmentation fault.

For the stable (squeeze), testing (wheezy) and unstable (sid) distributions the message says that the problem has been fixed and for me to upgrade my trousers packages.

Is this as simple as opening the terminal and running:
Code:
aptitude update
And then run:
Code:
aptitude upgrade
Is this what practice you'd perform in regard to this?
 
Old 11-23-2012, 10:08 AM   #2
Ztcoracat
I looked up these pkg's as it was the first I had heard of them.
http://packages.debian.org/search?keywords=trousers

In what way do these trouser packages aid in performance to the OS?

Or are these packages an assistant to the architecture of my computer somehow?

Thanks in advance
 
Old 11-23-2012, 12:07 PM   #3
widget
A good place to start when you wonder about a package is Synaptic. I had never heard of this package either so I looked there. This is the description provided:
[quote]
TrouSerS is an implementation of the Trusted Computing Group's Software Stack
(TSS) specification. You can use TrouSerS to write applications that make use
of your TPM hardware. TPM hardware can create, store and use RSA keys securely
(without ever being exposed in memory), verify a platform's software state
using cryptographic hashes and more.

TrouSerS aims to be compliant with the 1.1b and 1.2 TSS specifications
available from the Trusted Computing Group website at
<http://www.trustedcomputinggroup.org/>.
[/quote]
I think it is pretty obvious that it is not needed for your computer unless you are writing affected code for programs.

If you are not in need of this package removing it would be the best thing to do.

If you need it the best thing to do is to upgrade the package as recommended by Debian. This is the reason for most packages in Squeeze. Simple security upgrades.

You should keep your system up to date all the time. Running those commands is one very good way of doing that.

All my installs get checked every day for any package upgrades.

I have apt-listbugs installed and not all the packages that have new versions, particularly in testing and Sid, get upgraded. Some buggy upgrades may break those systems.

Not being sure if you understand the commands and the meaning of them here it is in brief.

You have a package list of available packages in the Debian repos. When you run either "aptitude update" or "apt-get update" that package list is updated.

You then run the "upgrade" command in either aptitude or apt-get. This will match packages that have upgraded versions to packages installed on your system. You will get a list of proposed upgrades and you have the choice of doing it or not. Generally, particularly in Debian stable (Squeeze), this is a very good idea.

With the upgrade command you may find that some packages are going to be held back. This is usually because some other package is going to be removed or installed with the upgrade of the "held" package. Once again, in Squeeze, this is usually a great thing to do.

In testing and Sid you may want to look carefully at what is going to be removed. Usually there is a package being installed that replaces the one to be removed. Could also be that the package to be removed is no longer needed after the "held" package is upgraded. This would be a change in depends due to the "held" package's upgraded code.
 
Old 11-24-2012, 08:27 AM   #4
Ztcoracat
Widget:

Thanks for the fast reply.

Until today I had never heard of Trusted Computing Groups; thanks for the link to the website.

I don't write code for programs so I'll look for it in my Synaptic Package Manager and mark it for removal.
In the future I'll look in Synaptic if I get to wondering again about an unknown package.

In the past I found that some packages had been held back when I executed the cmd 'aptitude upgrade' or 'apt-get upgrade'. The terminal has given me this message (about pkg's being held back) before. At that point I had wondered if there was another step I should have taken?

Once each month I run:
'aptitude autoclean' to empty out old updates installed on my system that are no longer needed.
 
Old 11-24-2012, 11:57 AM   #5
widget
There are three ways that I think are best to do upgrades on your system.

Apt-get and aptitude are the best. I personally prefer apt-get.

To get the "held" packages upgraded use;
Code:
apt-get dist-upgrade
or
Code:
aptitude full-upgrade
The third way to get package upgrades done is use Synaptic if you prefer a gui. It is simply a front end for apt-get. It will do the packages "held" by apt-get in the first pass along with the packages that apt-get and aptitude will not hold.

You will get better information on what is being done using either apt-get or aptitude.

In the past it has been a bad idea to mix using apt-get and aptitude. This was because it would mess with the status of a package. Packages that were installed as depends could appear to be manually installed and therefore recommended for removal (status should be "automatic" instead of "manual"). This is no longer the case, however, so you can use either or both.

I generally use apt-get but occasionally use aptitude for things it will do better or things it will do that apt-get will not. Both are great tools.
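
Added example, not part of the posts above: a dry-run check that lists what a plain `upgrade` would hold back and which upgrades come from a security archive, before anything is installed. The sample output, the package names `libfoo1` and `foo-utils`, and all version strings are constructed; matching on an origin label containing "Security" is an assumption about how the archive is labelled.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` output (versions are made up).
sample_sim() {
cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
  libfoo1 foo-utils
The following packages will be upgraded:
  libtspi1 trousers
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst libtspi1 [1.0-1] (1.0-1+fix1 Debian-Security:6.0/stable [amd64])
Inst trousers [1.0-1] (1.0-1+fix1 Debian-Security:6.0/stable [amd64])
Conf libtspi1 (1.0-1+fix1 Debian-Security:6.0/stable [amd64])
Conf trousers (1.0-1+fix1 Debian-Security:6.0/stable [amd64])
EOF
}

# Print the packages apt would hold back, one per line (reads stdin).
kept_back() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^  / { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }
    '
}

# Print "name old new" for each already-installed package that the
# simulation would upgrade from an origin labelled "...Security...".
security_upgrades() {
    awk '$1 == "Inst" && $3 ~ /^\[/ && $5 ~ /Security/ {
        old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
        new = $4; sub(/^\(/, "", new)
        print $2, old, new
    }'
}

# On a live system, feed real simulations instead of the sample:
#   apt-get -s upgrade      | kept_back
#   apt-get -s dist-upgrade | security_upgrades
sample_sim | kept_back
sample_sim | security_upgrades
```

The `-s` flag only simulates, so the pipeline can be run as an unprivileged user to review the plan before running the real upgrade.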
 
Old 11-24-2012, 12:46 PM   #6
Ztcoracat
I'll use the commands that you posted to get the 'held' packages from now on; Thanks Widget-

You said:
{ "In the past it has been a bad idea to mix using apt-get and aptitude."}
The truth on that is that I have been using and ran:
Code:
apt-get upgrade
for the longest time and recently I started using:
Code:
aptitude
Based on your counsel I now understand that I need to stick with one or the other. Not switch back and forth between the 2 commands.

You mentioned that occasionally you'll use <aptitude> for things it will do better.
How can I know or how will I be able to tell when that 'occasionally' applies?
 
Old 11-24-2012, 03:42 PM   #7
widget
Quote:
Originally Posted by Ztcoracat
I'll use the commands that you posted to get the 'held' packages from now on; Thanks Widget-

You said:
{ "In the past it has been a bad idea to mix using apt-get and aptitude."}
The truth on that is that I have been using and ran:
Code:
apt-get upgrade
for the longest time and recently I started using:
Code:
aptitude
Based on your counsel I now understand that I need to stick with one or the other. Not switch back and forth between the 2 commands.

You mentioned that occasionally you'll use <aptitude> for things it will do better.
How can I know or how will I be able to tell when that 'occasionally' applies?

It is safe to use both now. The "status" problem was cleared up 2-3 years ago.

This is great because they are both great tools and some things are just easier to do in one than in the other.
 
Old 11-24-2012, 03:52 PM   #8
Ztcoracat
Glad the problem was cleared up-

Thanks for the good advice and clarification on the proper tools I should be using.
Have a good weekend Widget!
 
  


All times are GMT -5.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration