[arch-general] CVE-2015-0235: glibc / heap overflow in gethostbyname()

Levente Polyak anthraxx at archlinux.org
Tue Jan 27 17:25:11 UTC 2015


On 01/27/2015 05:42 PM, Ido Rosen wrote:
> Hi Allan & others,
>   This is a pretty big remote vulnerability, with a big attack
> surface.  I'm not sure if this is the right list to be sending it to,
> but I'd suggest patching glibc right away.  I think RedHat's already
> released an RHEL5 backported patch, and upstream has already patched
> it (as of yesterday).  See the links below.
> 
> Ido

Hey,

This vulnerability does not affect Arch (anymore), as we are already
shipping glibc version 2.20-6 [0] where the upstream patch [1] is
already included.
You may want to write security-related topics and discussions to the
arch-security [2] ML rather than arch-general.
There is already a topic [3] posted by Remi which contains clarification
about CVE-2015-0235.

cheers and thank you for your awareness,
Levente

[0] https://www.archlinux.org/packages/?name=glibc
[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
[2] https://lists.archlinux.org/listinfo/arch-security
[3] https://lists.archlinux.org/pipermail/arch-security/2015-January/000221.html
