# Glibc-2.2.5-r5 vulnerable version won't update to 2.2.5-r7?

## DeKoder

Hi everyone! I've got a little question about something that seemed a little weird to me in Gentoo Linux [1.2 stage1 on an i586 box]. My glibc package is currently glibc-2.2.5-r5, which I now know is vulnerable to RPC holes and some stuff alike, but when I do an `emerge --pretend --update glibc`, the portage system states that it'll only reinstall that package (glibc-2.2.5-r5) instead of updating it to glibc-2.2.5-r7 (I have that ebuild already in my sys-libs/glibc dir). I've checked the `/usr/portage/profiles/package.mask` file, and it doesn't mask glibc at all (it doesn't refer to it anywhere), so I'm not quite getting it, and I'd really like to update this package because I don't like the idea of having a vulnerable system without the possibility to update it...

So, could somebody give me a tip? Would you recommend updating it anyway with a "$ emerge sys-libs/glibc-2.2.5-r7" (it actually "frightens" me :oP)?

Cheers

DeKoder

----------

## pjp

Does `emerge -p glibc` do the same thing? What about `emerge -p glibc-2.2.5-r7.ebuild` from within `/usr/portage/sys-libs/glibc`?

----------

## DeKoder

Yep... `emerge -p glibc` says the same thing... But if I `emerge -p glibc-2.2.5-r7` the emerge system says that everything's ok, and is ready to emerge glibc-2.2.5-r7, but I do want to be sure if it's safe first, to prevent leaving the system broken. I didn't do it already because if the portage system assumes the most recent is -r5, I assumed that -r7 is being tested or something and should not be emerged already...

Does your portage system say the same thing (glibc-2.2.5-r5 being the most up2date)? Or is it something wrong with mine?... Thanx

Greets

DeKoder

----------

## rac

I can't tell you whether it's "safe", but I can probably tell you why it's happening. Your `/etc/make.profile/packages` file has likely pinned glibc to -r5 with a line like this:

```
*=sys-libs/glibc-2.2.5-r5
```

...if you change this to, for example,

```
*>=sys-libs/glibc-2.2.5-r5
```

...things should change. Whether you want to do this or not is up to you.

----------
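The pin described in the post above can be found mechanically. As an added example (not from the thread or from Portage itself), this shell function lists atoms in a profile `packages` file that hold a package at or below a version; it goes beyond the `=` case in the post to also cover the `~`, `<` and `<=` operators. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report atoms in a Portage profile "packages" file that cap a
# package at a fixed or maximum version, which keeps `emerge --update` from
# moving to a newer (for example security-fixed) revision.

# pinned_atoms FILE [CATEGORY/NAME]
# Prints "<kind> <atom>" per constraining line; the optional second argument
# restricts output to one package.
pinned_atoms() {
    file=$1
    want=${2:-}
    # Drop comments, surrounding whitespace and blank lines, then the leading
    # "*" that marks a system-profile package.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/^\*//' "$file" |
    while IFS= read -r atom; do
        case $atom in
            '>'*) continue ;;        # ">" or ">=": lower bound, upgrades allowed
            '<'*) kind=capped ;;     # "<" or "<=": upper bound
            '='*) kind=exact ;;      # exact version-revision pin
            '~'*) kind=version ;;    # any revision of one version
            *)    continue ;;        # unversioned atom
        esac
        if [ -n "$want" ]; then
            case $atom in
                *"$want"-[0-9]*) ;;  # atom names the requested package
                *) continue ;;
            esac
        fi
        printf '%s %s\n' "$kind" "$atom"
    done
}

# Constructed sample input, not a real Gentoo profile.
sample_profile() {
    cat <<'EOF'
# constructed sample
*=sys-libs/glibc-2.2.5-r5
*>=sys-apps/example-tool-1.0    # lower bound only
*sys-apps/example-base
<sys-apps/example-fw-1.2.7
EOF
}

# Demo run; on a real system: pinned_atoms /etc/make.profile/packages sys-libs/glibc
demo=$(mktemp)
sample_profile > "$demo"
pinned_atoms "$demo"
rm -f "$demo"
```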

## DeKoder

I think I'll take the risk... I really think this -r7 glibc package should be available, as it can't be that different from -r5, and corrects these nasty vulnerabilities.

Thanx for your hints so far... if you want to know the behaviour of my system after the update, just let me know, and I'll post a "report" here :-)

Greets

DeKoder

----------

## rac

FWIW, I just followed my own advice and upgraded one desktop machine. I haven't restarted any major applications yet, so they may still be running linked against an old libc image, but nothing drastic has happened yet.

----------

## puddpunk

That glibc-r7 only became available to me after I installed GCC 3.2.

----------

## rac

*puddpunk wrote:*

> That glibc-r7 only became available to me after I installed GCC 3.2.

That's because your profile switched.

----------

## EPrime

I just installed a fresh system with gcc 3.2 and glibc-r7, but now when I run `emerge -pu world` it would downgrade me to -r6. Same with iptables, which has 1.2.7 installed and latest available 1.2.6a-r1.

I know I can fix this by editing the package masks, but why is it suddenly happening? Since the package.mask is updated on every sync, and some of the blocks are in there, can I override these somehow? (I'd like to stick with the newer versions until I find something broken).

----------

## rac

*EPrime wrote:*

> but why is it suddenly happening?

Judging from what I've read on the forums (search for atexit), there have been some compatibility problems with some software (mostly binary stuff).

----------

## DeKoder

btw... I just upgraded glibc to -r7 on my gcc-2.95.3-r7 based system, and everything is running smoothly... even major apps such as Apache, MySQL, etc. so I guess it was indeed a good decision :o)

Greets

DeKoder

----------

## EPrime

Ok, thanks. I'll keep it in mind if something isn't working right. That LFS page did mention something about silent compiler mistakes in gcc 3.2. Stuff like that can make you sleep badly at night :Laughing:

----------

