On Sun, Apr 17, 2011 at 7:52 AM, Leonard den Ottolander leonard@den.ottolander.nl wrote:
> Hi Akemi,
> On Sat, 2011-04-16 at 18:18 -0700, Akemi Yagi wrote:
>> See also:
>> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=3...
> Please don't take this the wrong way, but not everybody reads the forums. Perhaps it is possible to give a heads up about such breakage via the CentOS general or announce mailing list before such a broken package is released into the wild? That would actually make it an advantage to swim downstream :-) .
Perhaps, I could have sent a similar warning to this mailing list (but not the announcement list which is restricted to core admins). My main focus was Forum users for which I work as a moderator.
> I would like to advise everyone to avoid this update by adding exclude=glibc*2.5-58.el5_6.2 nscd*2.5-58.el5_6.2 to their updates channel config - added it to base just to be sure - until upstream releases a fix.
It should be noted that those who are not affected by the bug are advised to update glibc because it has 4 security fixes (some local, some remote priv escalation issues). For those who cannot update, there is a "better than nothing" solution. As detailed in the bugzilla entry, the patch causing the crash has been identified. So, a compromise solution is to build glibc without the bad patch. This way you get at least the other 3 security fixes (better than none). Such a version provided by Scientific Linux (for testing) seems to be working well from what I have seen.
I and others discussed this issue with Karanbir on the centos-devel IRC. We'll see if CentOS decides to offer the customized version of glibc (presumably in the testing repo).
Akemi