guldener.net

From time to time you have to run glsa checks to keep your machine safe.

In my case, I run it by nagios, my server-monitoring tool.

So one day, it reported me this GLSA's:
200805-04
200804-20
200907-03

But when I now tried to fix them by using
glsa-check -f 200805-04
it returned

That was something I never experienced before. But I think it wasn't a good idea to parallely update the system (emerge -auDN world) while trying to fix the GLSA's. :)

Anyway, to resolve my GLSA's to keep nagios from spamming me to death, I looked a little closer.

After looking for my GLSA's in the GLSA Chronological Index I found out, that my installed versions of the packages of my affected software are up to date. So they weren't affected.
In some way, the system kept the older, affected version on my system. So glsa-check hit alarm. Unmerging the older versions solved my problem.

Example:

According to this , all versions of apr-util above or equal 1.3.7 are not affected.
But my installed version is 1.3.7. So i shouldn't be affected. But glsa-check says I am.

The secret is: there are more than one versions installed.

To find out which versions are installed, use
qpkg apr-util
qpkg is part of gentoolkit, if you dont have it or don't want it, you can also use
emerge -Cp arp-util
Then you'll get a list of the selected versions that would be unmerged.

In my case, the installed versions were:
0.9.12 (affected)
1.3.8 (not affected)

All you have to do now, is unmerging the affected version:
emerge -C apr-util-0.9.12

After this, your not affected by this glsa anymore.