[arch-general] CVE-2015-0235: glibc / heap overflow in gethostbyname()
Hi Allan & others, This is a pretty big remote vulnerability, with a big attack surface. I'm not sure if this is the right list to be sending it to, but I'd suggest patching glibc right away. I think RedHat's already released an RHEL5 backported patch, and upstream has already patched it (as of yesterday). See the links below. Ido glibc bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=15014 Upstream patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1... Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 RedHat bug: https://rhn.redhat.com/errata/RHSA-2015-0090.html Blog post describing the vulnerability: http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/ HN Discussion: https://news.ycombinator.com/item?id=8953545 Original report (afaict) in French: http://www.frsag.org/pipermail/frsag/2015-January/005722.html
On 01/27/2015 05:42 PM, Ido Rosen wrote:
Hi Allan & others, This is a pretty big remote vulnerability, with a big attack surface. I'm not sure if this is the right list to be sending it to, but I'd suggest patching glibc right away. I think RedHat's already released an RHEL5 backported patch, and upstream has already patched it (as of yesterday). See the links below.
Ido
Hey, This vulnerability does not affect arch (anymore), as we are already shipping glibc version 2.20-6 [0] where the upstream patch [1] is already included. You may want to write security related topics and discussions to the arch-security [2] ML rather then arch-general. There is already a topic [3] posted by Remi which contains clarification about CVE-2015-0235. cheers and thank you for your awareness, Levente [0] https://www.archlinux.org/packages/?name=glibc [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1... [2] https://lists.archlinux.org/listinfo/arch-security [3] https://lists.archlinux.org/pipermail/arch-security/2015-January/000221.html
On Tue, Jan 27, 2015 at 12:25 PM, Levente Polyak <anthraxx@archlinux.org> wrote:
On 01/27/2015 05:42 PM, Ido Rosen wrote:
Hi Allan & others, This is a pretty big remote vulnerability, with a big attack surface. I'm not sure if this is the right list to be sending it to, but I'd suggest patching glibc right away. I think RedHat's already released an RHEL5 backported patch, and upstream has already patched it (as of yesterday). See the links below.
Ido
Hey,
This vulnerability does not affect arch (anymore), as we are already shipping glibc version 2.20-6 [0] where the upstream patch [1] is already included. You may want to write security related topics and discussions to the arch-security [2] ML rather then arch-general. There is already a topic [3] posted by Remi which contains clarification about CVE-2015-0235.
I CC'ed it to security@, but didn't know arch-security@ existed. Thank you!
participants (2)
-
Ido Rosen
-
Levente Polyak