On Sun, Apr 17, 2011 at 7:52 AM, Leonard den Ottolander <leonard at den.ottolander.nl> wrote:
> Hi Akemi,
>
> On Sat, 2011-04-16 at 18:18 -0700, Akemi Yagi wrote:
>> See also:
>>
>> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=37
>
> Please don't take this the wrong way, but not everybody reads the
> forums. Perhaps it is possible to give a heads up about such breakage
> via the CentOS general or announce mailing list before such a broken
> package is released into the wild? That would actually make it an
> advantage to swim down stream :-) .

Perhaps, I could have sent a similar warning to this mailing list (but not the announcement list which is restricted to core admins). My main focus was Forum users for which I work as a moderator.

> I would like to advise everyone to avoid this update by adding
> exclude=glibc*2.5-58.el5_6.2 nscd*2.5-58.el5_6.2
> to their updates channel config - added it to base just to be sure -
> until upstream releases a fix.

It should be noted that those who are not affected by the bug are advised to update glibc because it has 4 security fixes (some local, some remote priv escalation issues).

For those who cannot update, there is a "better than nothing" solution. As detailed in the bugzilla entry, the patch causing the crash has been identified. So, a compromise solution is to build glibc without the bad patch. This way you get at least the other 3 security fixes (better than none). Such a version provided by Scientific Linux (for testing) seems to be working well from what I have seen.

I and others discussed this issue with Karanbir on the centos-devel IRC. We'll see if CentOS decide to offer the customized version of glibc (presumably in the testing repo).

Akemi