[arch-general] CVE-2015-0235: glibc / heap overflow in gethostbyname()
Ido Rosen
ido at kernel.org
Tue Jan 27 16:42:41 UTC 2015
Hi Allan & others,
This is a pretty big remote vulnerability, with a big attack
surface. I'm not sure if this is the right list to be sending it to,
but I'd suggest patching glibc right away. I think RedHat's already
released an RHEL5 backported patch, and upstream has already patched
it (as of yesterday). See the links below.
Ido
glibc bug report:
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
Upstream patch:
https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391
RedHat bug:
https://rhn.redhat.com/errata/RHSA-2015-0090.html
Blog post describing the vulnerability:
http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/
HN Discussion:
https://news.ycombinator.com/item?id=8953545
Original report (afaict) in French:
http://www.frsag.org/pipermail/frsag/2015-January/005722.html
More information about the arch-general
mailing list