Saw this on the Exim List:-
From: Tony Finch dot--at--@dotat.at
Subject: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
Date: Tue, 27 Jan 2015 17:33:45 +0000
"The Exim mail server is exploitable remotely if configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed a reliable and fully-functional exploit that bypasses all existing protections (ASLR, PIE, NX) on 32-bit and 64-bit machines.
http://www.openwall.com/lists/oss-security/2015/01/27/9
---------------------------------
"- We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."
-------------------------------------
I use Exim on C5 and C6 - should I be worried about Exim on C6 ?
On 28/01/15 04:47, Always Learning wrote:
Saw this on the Exim List:-
<SNIP>
I use Exim on C5 and C6 - should I be worried about Exim on C6 ?
upstream references: https://rhn.redhat.com/errata/RHSA-2015-0092.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
Note that in the openwall.com URL you provided (http://www.openwall.com/lists/oss-security/2015/01/27/9 ) there is a simple program (in section 4 - Case Studies) to test whether a given machine is vulnerable.
I dunno what the EOL for C5 patches is, as I don't run it. But reading http://wiki.centos.org/HowTos/EOL it'd seem that there may be a patch for it at some stage, despite upstream not referencing their 5th edition in their notes.
Cheers,
Pete.
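The "simple program" Peter points to is the canary test in section 4 of the Qualys advisory. The program below is an added example written for this page; it is not the advisory's code and was not posted by anyone in this thread. It uses the same technique (a caller-supplied buffer followed by a canary, a numeric-looking hostname sized so the buggy glibc arithmetic judges the buffer "just big enough") and additionally spells out that arithmetic so it is clear why the overflow is exactly one pointer: 4 bytes on a 32-bit host, 8 bytes on a 64-bit one. The 1024-byte buffer, the canary string and the function names are this example's own choices; the 16-byte address slot and the two-pointer h_addr_list come from glibc's nss/digits_dots.c, as described in the advisory.

```c
/*
 * ghost_check.c - added example: does this glibc's gethostbyname_r()
 * write past its caller-supplied buffer (CVE-2015-0235, "GHOST")?
 *
 * Not the Qualys advisory's own program, but the same canary approach.
 * Build and run:  gcc -O0 -o ghost_check ghost_check.c && ./ghost_check
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* any fixed marker will do (example's choice) */

/* Buffer handed to gethostbyname_r(), immediately followed by a canary,
 * so even a one-byte write past the end is detectable. A struct keeps
 * the two contiguous. 1024 is an arbitrary size chosen for this example. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

/* Size the vulnerable nss/digits_dots.c code computed for a numeric
 * hostname of name_len bytes: the 16-byte address slot (host_addr_t),
 * the two-entry h_addr_list (2 pointers) and the name plus its NUL.
 * It forgot the one-entry h_aliases array (1 pointer). */
size_t ghost_size_needed_buggy(size_t name_len)
{
    return 16 + 2 * sizeof(char *) + name_len + 1;
}

/* What the fixed code requires: one extra pointer for h_aliases. */
size_t ghost_size_needed_fixed(size_t name_len)
{
    return ghost_size_needed_buggy(name_len) + sizeof(char *);
}

/* How far past the caller's buffer the bug writes: sizeof(char *),
 * i.e. 4 bytes on 32-bit and 8 bytes on 64-bit. */
size_t ghost_overflow_bytes(void)
{
    return ghost_size_needed_fixed(0) - ghost_size_needed_buggy(0);
}

/* Returns 1 if the canary was clobbered (vulnerable glibc), 0 if it
 * survived (patched glibc, or a libc without this code path).
 * If retval_out is non-NULL it receives gethostbyname_r()'s return
 * value; ERANGE is what a correctly sized check should report. */
int ghost_check(int *retval_out)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;
    /* Pick the name length so the buggy size_needed equals
     * sizeof(probe.buffer) exactly: the buffer then passes the buggy
     * "buflen < size_needed" check and the forgotten h_aliases pointer
     * is written straight onto the canary. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];

    /* The numeric fast path is only taken for a name that starts with a
     * digit, contains only digits and dots, and parses with inet_aton();
     * a long run of '0' satisfies all three. */
    memset(name, '0', len);
    name[len] = '\0';

    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    retval = gethostbyname_r(name, &resbuf, probe.buffer,
                             sizeof(probe.buffer), &result, &herrno);
    if (retval_out)
        *retval_out = retval;

    return memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
    int retval;
    int vulnerable = ghost_check(&retval);

    if (vulnerable) {
        printf("vulnerable: gethostbyname_r wrote %zu byte(s) past the buffer\n",
               ghost_overflow_bytes());
        return EXIT_FAILURE;
    }
    if (retval == ERANGE)
        puts("not vulnerable (gethostbyname_r returned ERANGE as it should)");
    else
        printf("not vulnerable (canary intact, gethostbyname_r returned %d)\n", retval);
    return EXIT_SUCCESS;
}
```

Compile with optimisation off so the compiler cannot reorder or elide the probe buffer. A "vulnerable" result on a CentOS 6 box means the installed glibc predates glibc-2.12-1.149.el6_6.5; a patched build returns ERANGE with the canary intact. The check only tells you about the library, not about exposure: whether a remote attacker can reach gethostbyname() still depends on which services (Exim's HELO verification in this thread) pass attacker-controlled names into it.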
On 28/01/15 06:58, Peter Lawler wrote:
despite upstream not referencing their 5th edition in their notes.
Apologies for replying to myself on the list.
Upstream referenced the bug in their 5th edition via a link in their BZ; that's how I missed it from their Security Advisory page:
https://rhn.redhat.com/errata/RHSA-2015-0090.html
Cheers,
Pete.
On Tue, January 27, 2015 1:58 pm, Peter Lawler wrote:
<SNIP>
upstream references: https://rhn.redhat.com/errata/RHSA-2015-0092.html
When I read this, I read that it is fixed in glibc-2.12-1.149.el6_6.5.src.rpm (RHEL 6). On my CentOS 6 I have, according to "rpm -qi glibc", glibc-2.12-1.149.el6_6.4.src.rpm (which resembles what is latest on the public mirror I maintain, and I checked randomly a couple of other mirrors - the same). If I read the numbers correctly, we are all one minor (very minor ;-) number behind RHEL.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
Note that in the openwall.com URL you provided (http://www.openwall.com/lists/oss-security/2015/01/27/9 ) there is a simple program (in section 4 - Case Studies) to test whether a given machine is vulnerable.
And when I check the machine with glibc-2.12-1.149.el6_6.4.x86_64 (fully updated CentOS 6) indeed the program from section 4 of openwall page above says "vulnerable".
Am I the only one (read: an idiot ;-) or do others have the same?
Thanks Peter!
Valeri
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Packages are being built for CentOS 5, 6 & 7 at the moment: https://twitter.com/CentOS/status/560128242682966017 & https://twitter.com/CentOS/status/560138182441070592
On 27 January 2015 at 20:22, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
<SNIP>
On 28/01/15 07:30, Cian Mc Govern wrote:
Packages are being built for CentOS 5, 6 & 7 at the moment: https://twitter.com/CentOS/status/560128242682966017 & https://twitter.com/CentOS/status/560138182441070592
Thanks Cian :)
Pete.
On 01/27/2015 12:22 PM, Valeri Galtsev wrote:
<SNIP>
upstream references: https://rhn.redhat.com/errata/RHSA-2015-0092.html
When I read this, I read that it is fixed in glibc-2.12-1.149.el6_6.5.src.rpm (RHEL 6). On my CentOS 6 I have, according to "rpm -qi glibc", glibc-2.12-1.149.el6_6.4.src.rpm (which resembles what is latest on the public mirror I maintain, and I checked randomly a couple of other mirrors - the same). If I read the numbers correctly, we are all one minor (very minor ;-) number behind RHEL.
The RHN Errata that addresses this issue, RHSA-2015:0092-01, was sent just this morning and not even all the RHN repos makes the update available yet.
I don't think it's unreasonable to give the CentOS people a few hours to catch up ;-)
-Thomas
On Tue, January 27, 2015 2:35 pm, Thomas Eriksson wrote:
On 01/27/2015 12:22 PM, Valeri Galtsev wrote:
On Tue, January 27, 2015 1:58 pm, Peter Lawler wrote:
On 28/01/15 04:47, Always Learning wrote:
Saw this on the Exim List:-
<SNIP> > > I use Exim on C5 and C6 - should I be worried about Exim on C6 ? >
upstream references: https://rhn.redhat.com/errata/RHSA-2015-0092.html
When I read this I read that it is fixed in glibc-2.12-1.149.el6_6.5.src.rpm (RHEL 6), on my CentOS 6 I have according to " rpm -qi glibc": glibc-2.12-1.149.el6_6.4.src.rpm (which resembles what is latest on public mirror I maintain, and I checked randomly a couple of other mirrors - the same). If I read numbers correctly, we all are one minor (very minor ;-) number behind RHEL.
The RHN Errata that addresses this issue, RHSA-2015:0092-01, was sent just this morning and not even all the RHN repos makes the update available yet.
I don't think it's unreasonable to give the CentOS people a few hours to catch up ;-)
Certainly, yes! I did manage to read the numbers in the package names, but I apparently failed to read the dates: I had the impression that ...6.5... was from the beginning of January ;-) My apologies!
Valeri
Hi,
For reasons which are too tiresome to bore you all with, I have an obligation to look after a suite of legacy CentOS 4.x systems which cannot be migrated upwards.
I note on https://access.redhat.com/articles/1332213 the following comment from a RHN person:
We are currently working on and testing errata for RHEL 4, we will post an update for it as soon as it's ready. Thank you for your patience!
Is there *any* prospect of updated glibc packages for CentOS 4.x being made available?
Cheers S.
----- Original Message -----
From: "Simon Banton" centos@web.org.uk
To: "CentOS mailing list" centos@centos.org
Sent: Wednesday, January 28, 2015 6:10:34 AM
Subject: Re: [CentOS] CVE-2015-0235 - glibc gethostbyname
<SNIP>
Although I hate Oracle with a fury, one good thing is that they put all the updates they rebuild for their RHEL clone on a publicly viewable site. I'm guessing they pay Red Hat for extended support on the end-of-life RHEL 4 to get access to the source rpms. I learned about this from another list member back when the bash Shellshock exploit hit.
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/
David Miller.
On Wed, January 28, 2015 5:09 pm, David C. Miller wrote:
<SNIP>
Although I hate Oracle with a fury, one good thing is that they put all the updates they rebuild for their RHEL clone in a publicly viewable site.
They just follow what is written in the GPL license. And so does Red Hat (and I respect Red Hat for always meticulously obeying the requirements of the GPL - at least that is my observation for about one and a half decades).
Valeri
At 15:09 -0800 28/1/15, David C. Miller wrote:
<SNIP>
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/
Thanks David, I wasn't aware of that resource.
Regards S.