[arch-general] CVE-2015-0235: glibc / heap overflow in gethostbyname()

Ido Rosen ido at kernel.org
Tue Jan 27 19:37:40 UTC 2015

On Tue, Jan 27, 2015 at 12:25 PM, Levente Polyak <anthraxx at archlinux.org> wrote:
> On 01/27/2015 05:42 PM, Ido Rosen wrote:
>> Hi Allan & others,
>>   This is a pretty big remote vulnerability, with a big attack
>> surface.  I'm not sure if this is the right list to be sending it to,
>> but I'd suggest patching glibc right away.  I think RedHat's already
>> released an RHEL5 backported patch, and upstream has already patched
>> it (as of yesterday).  See the links below.
>> Ido
> Hey,
> This vulnerability does not affect arch (anymore), as we are already
> shipping glibc version 2.20-6 [0] where the upstream patch [1] is
> already included.
> You may want to write security related topics and discussions to the
> arch-security [2] ML rather then arch-general.
> There is already a topic [3] posted by Remi which contains clarification
> about CVE-2015-0235.

I CC'ed it to security@, but didn't know arch-security@ existed.  Thank you!

More information about the arch-general mailing list