# 201110-22: cannot fix GLSA, no unaffected packages available

## randalla

Haven't run into this before and would appreciate some help. I have a GLSA, 201110-22, that is reporting that I'm vulnerable, yet when I go to fix it, it says no packages are affected. Interestingly, this is only happening on my amd64 servers, and not my x86 servers.

Of my 11 servers, 4 are x86 and 7 are amd64. All of them run postgresql-base-8.4.11, with one having postgresql-base-9.1.3 which is amd64. Of those x86 servers, two run postgresql-server-8.4.11. Of the amd64 servers, 4 run postgresql-server-8.4.11, and 1 of them also has postgresql-server-9.1.3, but with 8.4 as the selected slot. All of the amd64 servers are reporting that they are affected by 201110-22, for either the postgresql-server or the postgresql-base packages.

Specifically, here's what I'm seeing:

```
# glsa-check -t all

This system is affected by the following GLSAs:

201110-22

# glsa-check -f 201110-22

Fixing GLSA 201110-22

>>> cannot fix GLSA, no unaffected packages available
```

(all production servers):

```
# qpkg postgresql-base postgresql-server

 - dev-db/postgresql-server-8.4.11: 5296 kB

 - dev-db/postgresql-base-8.4.11: 2383 kB

 * Packages can be found in /var/tmp/binpkgs
```

(dev server):

```
# qpkg postgresql-server postgresql-base

 - dev-db/postgresql-server-8.4.11: 5216 kB

 - dev-db/postgresql-server-9.1.3: 5635 kB

 - dev-db/postgresql-base-8.4.11: 2381 kB

 - dev-db/postgresql-base-9.1.3: 2630 kB

 * -2 packages could not be matched :/ <-- not sure what this is all about

 * Packages can be found in /var/tmp/binpkgs
```

I don't think it matters in this case here directly, but my 8.4 servers have postgresql-server and postgresql-base >= 9.0.0 masked in /etc/portage/package.mask. I don't think it matters because my dev server doesn't have this masking, and it has both 9.1.3 and 8.4.11 installed and it's still affected. I was masking because even though I had my world entries like so:

```
dev-db/postgresql-base:8.4
dev-db/postgresql-server:8.4
```

My emerge updates were trying to bring in 9.x, where I wasn't ready to go through testing on that (PHP was bringing it in as a dependency).

Anyway, long story short, anyone have any ideas?

----------

## Telemin

Hi, I'm not sure but odds are that the behaviour of glsa-check is to look for potential updates, and not to consider downgrades.  Looking at the actual GLSA (link) it seems that 8.4.10(-r1) is safe provided there are no other regressions that will break your current server setups.

Also the reason your dev server is affected is that GLSA still can't match an update for the vulnerable :8.4 slot even though the :9 slot is clean.  I imagine that the glsa warning on your dev server will go away if you emerge -C postgresql-server:8.4

-Telemin-
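As an added illustration of the upgrade-only, per-slot matching Telemin describes (my own example, not glsa-check's code, and not the real 201110-22 data: the unaffected ranges, slots and package list below are constructed):

```python
# Constructed model of GLSA resolution: a fix must be in the same slot as the
# installed version, match an unaffected range, and be strictly newer.
# Range keywords follow GLSA conventions: "ge" = version >= ref,
# "rge" = same base version as ref with revision >= ref's revision.

def parse_ver(v: str):
    """'8.4.10-r1' -> ((8, 4, 10), 1). Simplified: no _rc/_p suffixes."""
    base, _, rev = v.partition("-r")
    return tuple(int(x) for x in base.split(".")), int(rev or 0)

def slot_of(v: str) -> str:
    """Assumption for this model: slot = first two version components."""
    return ".".join(v.split(".")[:2])

def matches(v: str, rng: str, ref: str) -> bool:
    (vb, vr), (rb, rr) = parse_ver(v), parse_ver(ref)
    if rng == "ge":
        return (vb, vr) >= (rb, rr)
    if rng == "rge":
        return vb == rb and vr >= rr
    raise ValueError(f"unsupported range keyword: {rng}")

# Constructed unaffected list: (slot, range keyword, reference version).
UNAFFECTED = [("8.4", "rge", "8.4.10-r1"), ("9.1", "ge", "9.1.3")]

# Constructed set of versions the tree could offer.
AVAILABLE = ["8.4.9", "8.4.10-r1", "8.4.11", "9.1.3"]

def is_clean(v: str, unaffected=UNAFFECTED) -> bool:
    return any(slot_of(v) == s and matches(v, r, ref) for s, r, ref in unaffected)

def find_fix(installed: str, available=AVAILABLE, unaffected=UNAFFECTED):
    """Return the smallest clean upgrade in the installed slot, or None.
    Downgrades are never considered, which is what yields
    'cannot fix GLSA, no unaffected packages available'."""
    cands = [a for a in available
             if slot_of(a) == slot_of(installed)
             and is_clean(a, unaffected)
             and parse_ver(a) > parse_ver(installed)]
    return min(cands, key=parse_ver) if cands else None

def report(installed_versions, available=AVAILABLE, unaffected=UNAFFECTED):
    """Map each affected installed version to its fix (None = unfixable).
    A clean :9.1 install does not clear a still-affected :8.4 slot."""
    return {v: find_fix(v, available, unaffected)
            for v in installed_versions if not is_clean(v, unaffected)}
```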

----------

