# Glsa: Are they still reliable?

## schorsch_76

I just upgraded my server's openssl 1.0.1m to 1.0.1o. glsa-check -l didn't report any GLSA. (Yes, there was no CVE, so no GLSA, but on openssl I am sceptical). [3]

Now I worry whether the GLSA system is still working .... In fact, I rely on it. I let the server do a daily sync and glsa-check -l to inform me when there are any urgent issues.

In fact, a few days/weeks ago, I noticed that my firefox on my desktop is vulnerable to the logjam attack [2], but glsa-check didn't report it and still doesn't report it as affected, despite the fact that there is a CVE [1]. Now, I ask again: Is the GLSA system still reliable?

[1] https://bugs.gentoo.org/show_bug.cgi?id=550288#c5

[2] https://www.ssllabs.com/ssltest/viewMyClient.html

[3] https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/CHANGES

----------

## MarioCorleone

I'm sure you know how to search https://forums.gentoo.org/viewtopic-t-1019570-highlight-.html

----------

## Apheus

That just affects the announce-subforum here in the forums.

I suspect there has been no GLSA for firefox/logjam because GLSAs are issued when a fixed version is stabilized, which is not the case yet. The version of dev-libs/nss with the backported patch (3.19-r1?) is not stable yet. I don't know why. Mozilla themselves seem to not care too much about logjam - Ubuntu's firefox 38.0.5 is still vulnerable according to https://weakdh.org/.

Try to update nss to 3.19-r1.

----------

## yngwin

The GLSA system works just as well as it has always done. But you need to understand that a new advisory is only published after a fixed version is marked stable. This can take months. So especially if you are running a server, it is in my opinion not enough to rely on glsa-check. If there are any CVEs for software that you run, make sure you update to a fixed version as soon as it becomes available, even if it is not marked stable yet.

----------
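Added example, not part of any post in this thread: one way to cover the gap between a fix landing in the tree and its GLSA being published is to keep a hand-maintained watchlist of first fixed versions and compare it with what is installed. The function names, the simplified version parser and all sample data are assumptions made for this sketch; only the nss target version comes from the thread.

```python
import re

# Simplified Gentoo-style version syntax: dotted numbers, an optional single
# trailing letter (1.0.1o) and an optional -rN revision. Suffixes such as
# _rc or _p are rejected rather than guessed at.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def version_key(version):
    """Turn a version string into a tuple that sorts in upgrade order."""
    match = _VERSION.match(version)
    if match is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return (numbers, match.group(2), int(match.group(3) or 0))

def lagging(installed, watchlist):
    """List watched packages installed below their first fixed version."""
    findings = []
    for atom, (fixed, reason) in sorted(watchlist.items()):
        have = installed.get(atom)
        if have is not None and version_key(have) < version_key(fixed):
            findings.append((atom, have, fixed, reason))
    return findings

# Constructed sample data. The nss target is the version named in the thread;
# the installed nss version and the openssl entry are made up for the example.
INSTALLED = {"dev-libs/openssl": "1.0.1o", "dev-libs/nss": "3.19"}
WATCHLIST = {
    "dev-libs/nss": ("3.19-r1", "logjam backport, not yet stable"),
    "dev-libs/openssl": ("1.0.1o", "upstream release tracked by hand"),
}

if __name__ == "__main__":
    for atom, have, fixed, reason in lagging(INSTALLED, WATCHLIST):
        print(f"{atom}: installed {have}, first fixed {fixed} ({reason})")
```

A check like this runs alongside the daily sync and glsa-check -l rather than replacing them, since the watchlist only knows about packages someone has added to it.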

## schorsch_76

@yngwin: Thanks for the explanation!

@others: Thanks for your input too!

----------

