[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547

Wed Feb 17 13:41:47 UTC 2016
Johnny Hughes <johnny at centos.org>

On 02/17/2016 07:08 AM, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what
>> is available for updates, but there is a CVE (CVE-2015-7547) that
>> needs a bit more attention which will be on today's announce list
>> of updates.
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it
>> is VERY important that all users update to these versions:  This
>> update is rated as Critical by Red Hat, meaning that it is remotely
>> exploitable under some circumstances.  Make sure this update works
>> in your environments and update as soon as you can.
>> CentOS-7: 
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>>  https://rhn.redhat.com/errata/RHSA-2016-0176.html
>> CentOS-6: 
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>>  https://rhn.redhat.com/errata/RHSA-2016-0175.html
>> These mitigate CVE-2015-7547: 
>> https://access.redhat.com/security/cve/CVE-2015-7547
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>> Can't stress how important this update is .. here are a couple
>> stories:
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>  Please note that the ONLY way this is tested to work is with ALL
>> updates from CentOS-6 or CentOS-7 applied along with the glibc
>> updates.  So a yum update with base and updates repo enabled is the
>> ONLY tested scenario.  Did I say *ONLY* enough?
>> Thanks, Johnny Hughes
> Hi Johnny,
> Thank you as always. Should I be rebooting servers to ensure that all
> services are using the new glibc?
> Sorry for the rookie question, just need some clarification.

The easy answer is yes .. glibc requires so many things to be restarted,
that is the best bet.  Or certainly the easiest.

Note: in CentOS 7, there is also a kernel update which is rated as
Important .. so you should boot to that anyway:

Here is a good link to figure out what to restart if you don't want to


and there is this thread:

But generally, after a glibc update or a kernel update .. rebooting is
easiest and it ensures everything is protected.
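
Added example, not part of the original message: for a host that cannot be rebooted right away, this script lists processes that still map a glibc library whose file was replaced on disk by the update (the kernel marks such mappings "(deleted)" in /proc/PID/maps). The function names, the library-name pattern and the sample maps lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running on a pre-update glibc.
# Pattern for a glibc shared object whose on-disk file is gone; any suffix
# may follow the library name before " (deleted)". Assumed, not exhaustive.
GLIBC_DELETED_RE='/(ld|libc|libresolv|libnss_[a-z]+|libpthread)-[0-9.]+\.so[^ ]* \(deleted\)$'

# stale_libs FILE: print the distinct deleted glibc paths in one maps file.
stale_libs() {
    grep -E "$GLIBC_DELETED_RE" "$1" 2>/dev/null | awk '{print $6}' | sort -u
}

# uses_stale_glibc FILE: succeed if the maps file references a deleted glibc library.
uses_stale_glibc() { [ -n "$(stale_libs "$1")" ]; }

# scan_proc [ROOT]: print "PID COMM LIBRARY" for every affected process.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable without root, or process exited
        dir=${maps%/maps}
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        stale_libs "$maps" | while read -r lib; do
            printf '%s %s %s\n' "${dir##*/}" "$comm" "$lib"
        done
    done
}

# make_sample ROOT: build a constructed /proc-like tree with two fake processes.
make_sample() {
    mkdir -p "$1/101" "$1/202"
    echo sshd > "$1/101/comm"; echo crond > "$1/202/comm"
    # PID 101 started before the update: its libraries were replaced on disk.
    cat > "$1/101/maps" <<'EOF'
7f3a1c000000-7f3a1c1b7000 r-xp 00000000 fd:00 393266 /usr/lib64/libc-2.17.so (deleted)
7f3a1c600000-7f3a1c616000 r-xp 00000000 fd:00 393290 /usr/lib64/libresolv-2.17.so (deleted)
EOF
    # PID 202 was restarted after the update and maps the current file.
    cat > "$1/202/maps" <<'EOF'
7f9b2c000000-7f9b2c1b8000 r-xp 00000000 fd:00 401122 /usr/lib64/libc-2.17.so
EOF
}

# Demo on the constructed tree; on a real host run `scan_proc` as root instead.
demo=$(mktemp -d) && make_sample "$demo" && scan_proc "$demo"; rm -rf "$demo"
```

An empty result from `scan_proc` run as root means no running process still maps the old glibc files; any process it lists needs a restart to pick up the patched library.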
