[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547

Wed Feb 17 13:36:39 UTC 2016
Fabian Arrotin <arrfab at centos.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 17/02/16 14:08, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show
>> what is available for updates, but there is a CVE (CVE-2015-7547)
>> that needs a bit more attention which will be on today's announce
>> list of updates.
>> 
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 ..
>> it is VERY important that all users update to these versions:
>> This update is rated as Critical by Red Hat, meaning that it is
>> remotely exploitable under some circumstances.  Make sure this
>> update works in your environments and update as soon as you can.
>> 
>> CentOS-7: 
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>> 
>> CentOS-6: 
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>> 
>> These mitigate CVE-2015-7547: 
>> https://access.redhat.com/security/cve/CVE-2015-7547
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>> 
>> Can't stress how important this update is .. here are a couple 
>> stories:
>> 
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>> 
>> Please note that the ONLY way this is tested to work is with ALL
>> updates from CentOS-6 or CentOS-7 applied along with the glibc 
>> updates.  So a yum update with base and updates repo enabled is
>> the ONLY tested scenario.  Did I say *ONLY* enough?
>> 
>> Thanks, Johnny Hughes
> 
> Hi Johnny,
> 
> Thank you as always, Should I be rebooting servers to ensure that
> all services are using the new glibc?
> 
> sorry for the rookie question, just need some clarification.
> 
> thanks
> 
> Michael
> 

It depends on your environment: it's advised to restart the node, but
if you can't, you can list the service[s] that depend on libc and
(selectively) restart those (like sshd/httpd/postfix/...) on
public-facing nodes:

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

Source : https://access.redhat.com/articles/2161461

- -- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlbEd2QACgkQnVkHo1a+xU53NwCbBLRA3/iNxzz5gcRukPrgqwUp
yMIAoJVvqPRoODZofoHqR7sbThC175BZ
=GSnH
-----END PGP SIGNATURE-----
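Added example (not part of the message above, and not the Red Hat knowledge-base script it cites): the same check done from /proc/<pid>/maps instead of lsof, so it also works on a minimal box where lsof is not installed, and on CentOS 7 it names the systemd unit to restart. It assumes glibc's libraries carry the versioned names used on CentOS 6/7 (libc-2.17.so, ld-2.17.so, libresolv-2.17.so, ...); the maps excerpt and cgroup lines inside the script are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: list processes that still map the *old* glibc after
# `yum update`, i.e. the ones that must be restarted if a reboot has to wait.
# When rpm replaces the library files, running processes keep the unlinked
# inode mapped and the kernel tags that mapping "(deleted)" in /proc/<pid>/maps.
#
# Assumption: glibc ships versioned object names (libc-2.17.so, ld-2.17.so,
# libresolv-2.17.so, ...) on CentOS 6/7; the filter below relies on that.

# Read /proc/<pid>/maps lines on stdin; print each glibc object that is mapped
# but already replaced on disk. Field 6 is the pathname, and the last field is
# the "(deleted)" marker the kernel appends.
stale_glibc_maps() {
    awk '$NF == "(deleted)" &&
         $6 ~ /\/(libc|ld|libresolv|libpthread|libdl|libm|librt)-[0-9.]+\.so$/ { print $6 }' \
    | sort -u
}

# Map a process's /proc/<pid>/cgroup listing (CentOS 7 / systemd) to the
# service unit owning it, so the report says which `systemctl restart` to run.
# Prints nothing for non-service processes and on CentOS 6 (no systemd).
systemd_unit_from_cgroup() {
    sed -n 's#^[0-9][0-9]*:name=systemd:.*/\([^/]*\.service\)$#\1#p' | head -n 1
}

# Constructed /proc/<pid>/maps excerpt (not from a real host): two replaced
# glibc objects, one replaced non-glibc library, an anonymous mapping, and the
# new libc already in use. Only the first two should be reported.
SAMPLE_MAPS='7f0e8e6b8000-7f0e8e87a000 r-xp 00000000 fd:00 67239460    /usr/lib64/libc-2.17.so (deleted)
7f0e8e87a000-7f0e8ea79000 ---p 001c2000 fd:00 67239460    /usr/lib64/libc-2.17.so (deleted)
7f0e8ea87000-7f0e8eaa8000 r-xp 00000000 fd:00 67239452    /usr/lib64/ld-2.17.so (deleted)
7f0e8e4a2000-7f0e8e4b8000 r-xp 00000000 fd:00 67239520    /usr/lib64/libz.so.1.2.7 (deleted)
7f0e8ec9f000-7f0e8eca0000 rw-p 00000000 00:00 0
7f0e8ec00000-7f0e8edc2000 r-xp 00000000 fd:00 67239461    /usr/lib64/libc-2.17.so'

demo_from_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_glibc_maps
}

# Live report: "PID COMMAND UNIT STALE_LIBRARY" for every process that still
# maps an old glibc. Run as root; other users' maps are unreadable otherwise.
report_stale_glibc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue              # no /proc here, or not ours
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$( { stale_glibc_maps < "$maps"; } 2>/dev/null )
        [ -n "$libs" ] || continue
        comm=$( { cat "/proc/$pid/comm"; } 2>/dev/null || echo '?' )
        unit=$( { systemd_unit_from_cgroup < "/proc/$pid/cgroup"; } 2>/dev/null )
        for lib in $libs; do
            printf '%-6s %-16s %-24s %s\n' "$pid" "$comm" "${unit:--}" "$lib"
        done
    done
}

# Stand-alone use: `sudo sh stale_glibc.sh` right after the update.
echo "Filter applied to the constructed sample:"
demo_from_sample
echo
echo "Processes on this host still running the old glibc:"
report_stale_glibc
```

A line for PID 1 means init/systemd itself is still on the old glibc; on CentOS 7 `systemctl daemon-reexec` re-executes it, but that case, plus every long-lived process you did not think of, is why the full reboot stays the clean answer.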