Re: [Tails-dev] is it safe to update these files in synaptic…

Delete this message

Reply to this message
Author: Austin English
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] is it safe to update these files in synaptic?
On Wed, Feb 24, 2016 at 8:28 AM, Anonymous
<nobody@???> wrote:
> hi is it safe to update these files in synaptic?
>
> [23 Feb 2016] DSA-3487 libssh2 - security update


This should only matter if you're ssh'ing into other hosts, tails does
not run an sshd.

> [19 Feb 2016] DSA-3483 cpio - security update


cpio is a file archive tool, it should be safe to update live.

> there's a few others, too. the updates refuse to display
> a changelog, IDK why.
>
> there's one glibc or libc or something similar in Synaptic
> which wants updating of 2 separate packages. but don't those
> type of updates want a reboot?


glibc, for CVE-2015-7547. It's a bug in getadddrinfo, which is what
most programs use for DNS resolution. For tails, however, it is
currently believed to be mitigated because DNS lookups go out over
SOCKS/Tor (please, someone correct me if I'm wrong there).

While glibc does need a reboot to be fully effective (any running
programs are vulnerable until they load the new libc on start), it
would help for any programs you launch going forward. In other words,
your desktop manager may still be vulnerable, but if you launch
Libreoffice after updating glibc you should be protected.

> i usually backup updates and reinstall them in new Tails
> session, but i want to know what is safe to d/l without
> waiting for a new Tails .ISO and without upgrading a usb.


You should always update Tails whenever updates are released rather
than updating packages by hand as you find out about them.

--
-Austin