[CentOS] CVE-2015-0235 - glibc gethostbyname

Tue Jan 27 20:22:37 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Tue, January 27, 2015 1:58 pm, Peter Lawler wrote:
> On 28/01/15 04:47, Always Learning wrote:
>>
>> Saw this on the Exim List:-
>>
> <SNIP>
>>
>> I use Exim on C5 and C6 - should I be worried about Exim on C6 ?
>>
>
> upstream references:
> https://rhn.redhat.com/errata/RHSA-2015-0092.html

When I read this I read that it is fixed in
glibc-2.12-1.149.el6_6.5.src.rpm (RHEL 6), on my CentOS 6 I have according
to " rpm -qi glibc": glibc-2.12-1.149.el6_6.4.src.rpm (which resembles
what is latest on public mirror I maintain, and I checked randomly a
couple of other mirrors - the same). If I read numbers correctly, we all
are one minor (very minor ;-) number behind RHEL.

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
>
> Note that in the openwall.com URL you provided
> (http://www.openwall.com/lists/oss-security/2015/01/27/9 ) there is a
> simple program (in section 4 - Case Studies) to test whether a given
> machine's vulnerable.

And when I check the machine with
glibc-2.12-1.149.el6_6.4.x86_64
(fully updated CentOS 6) indeed the program from section 4 of openwall
page above says "vulnerable".

Am I the only one (read: an idiot ;-) or others have the same?

Thanks Peter!

Valeri

>
> I dunno what the EOL for C5 patches are, as I don't run it. But reading
> http://wiki.centos.org/HowTos/EOL it'd seem that there may be a patch
> for it at some stage, despite upstream not referencing their 5th edition
> in their notes.
>
> Cheers,
>
> Pete.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++