psp Tux's lil' helper
Joined: 06 Aug 2002 Posts: 120 Location: Cape Town, South Africa
|
Posted: Tue Aug 06, 2002 11:06 am Post subject: Security updates and glibc (related to latest CERT advisory) |
|
|
I, like any good sysadmin, am subscribed to CERT's advisory mailing list. I read through the latest one regarding the exploitable RPC XDR buffer overflow. (http://www.cert.org/advisories/CA-2002-25.html)
I decided to check my system. So I ran: emerge rsync ; emerge --pretend --update system. The system was up-to-date. I thought this a bit strange, so I had a look in the portage tree. My version of glibc was 2.2.5-r5, but the latest was 2.2.5-r7 (which has the patch applied). I thought: "Fair enough - I don't have any RPC services installed on the box, so this might be the reason." After an: emerge --pretend nfs-utils the command returned no indication that glibc would be updated.
Perhaps the error lies with the nfs-utils ebuild package? Should its dependency be bumped to the latest version of glibc? Or perhaps the default-1.0 profile should be updated (but this feels like overkill)?
Obviously, the easy option would be to emerge the latest version of glibc, nfs-utils and be done with it (not including static compiles). But my concern is for people that are not as vigilant.
Perhaps the larger question is: How does Gentoo, as a distribution, handle essential security concerns and advisories and what is the best way to stay current with all of Gentoo/GNU/Linux's security updates?
I must state that I have only been using Gentoo Linux for 2 weeks so far and I have been tinkering and prodding at the inner workings - to see how things are done. My current desktop machine is a Linux from Scratch box - so I like to know the how and why (naze nani) of my Linux boxes. If I have missed something obvious or newbie-ish I apologise. |
|
n0n Guru
Joined: 13 Jun 2002 Posts: 355
|
Posted: Tue Aug 06, 2002 9:39 pm Post subject: |
|
|
Yeah, there's a very similar discussion going on about related issues here, and also some discussion on a bug in bugs.gentoo.org. It'd be nice to have a "security" set ("emerge --update security") which would query all installed packages instead of just what's in the /var/cache/edb/world file. |
|
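A sketch of the "security" query suggested in the reply above, as an added example that is not part of the original posts and is not Portage code: it compares every installed package against an advisory's first fixed version, and shows what the same check reports when limited to the world list. Only the glibc versions (2.2.5-r5, 2.2.5-r7) and the advisory id come from the thread; the other packages, their versions, the world contents and the advisory-feed layout are constructed assumptions.

```python
import re

# Constructed sample data. Only glibc 2.2.5-r5 / 2.2.5-r7 and CA-2002-25 come
# from the thread; the other packages and versions are made up for illustration.
INSTALLED = {
    "sys-libs/glibc": "2.2.5-r5",
    "net-fs/nfs-utils": "0.3.3-r1",
    "app-editors/vim": "6.1-r2",
}
WORLD = {"net-fs/nfs-utils", "app-editors/vim"}  # explicitly merged packages
# Hypothetical advisory feed: package -> (advisory id, first fixed version)
ADVISORIES = {"sys-libs/glibc": ("CA-2002-25", "2.2.5-r7")}


def version_key(version):
    """Sortable key for simple Gentoo versions such as '2.2.5-r7'.

    Handles dotted numbers, one optional trailing letter and an optional
    -rN revision; suffixes like _pre/_rc are out of scope and rejected.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return (numbers, m.group(2), int(m.group(3) or 0))


def affected(installed, advisories, scope=None):
    """Return [(pkg, installed_ver, fixed_ver, advisory)] still below the fix.

    scope=None checks every installed package; pass a set (for example the
    world list) to see what a narrower query would report.
    """
    hits = []
    for pkg, (advisory, fixed) in sorted(advisories.items()):
        have = installed.get(pkg)
        if have is None or (scope is not None and pkg not in scope):
            continue
        if version_key(have) < version_key(fixed):
            hits.append((pkg, have, fixed, advisory))
    return hits


if __name__ == "__main__":
    print("world only   :", affected(INSTALLED, ADVISORIES, scope=WORLD))
    print("all installed:", affected(INSTALLED, ADVISORIES))
```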