On 02/17/2016 07:08 AM, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what
>> is available for updates, but there is a CVE (CVE-2015-7547) that
>> needs a bit more attention which will be on today's announce list
>> of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it
>> is VERY important that all users update to these versions: This
>> update is rated as Critical by Red Hat, meaning that it is remotely
>> exploitable under some circumstances. Make sure this update works
>> in your environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple
>> stories:
>>
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>>
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL
>> updates from CentOS-6 or CentOS-7 applied along with the glibc
>> updates. So a yum update with base and updates repo enabled is the
>> ONLY tested scenario. Did I say *ONLY* enough?
>>
>> Thanks, Johnny Hughes
>
> Hi Johnny,
>
> Thank you as always, Should I be rebooting servers to ensure that all
> services are using the new glibc?
>
> sorry for the rookie question, just need some clarification.
>

The easy answer is yes .. glibc requires so many things to be restarted,
that is the best bet. Or certainly the easiest.

Note: in CentOS 7, there is also a kernel update which is rated as
Important .. so you should boot to that anyway:

https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html

Here is a good link to figure out what to restart if you don't want to
reboot:

https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/

and there is this thread:

http://markmail.org/message/dodinyrhwgey35mh

But generally, after a glibc update or a kernel update .. rebooting is
easiest and it ensures everything is protected.
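
One way to find what still needs a restart after the glibc update, as an added example that is not part of the original post or the linked article: a process started before the update keeps the replaced library file mapped, and `/proc/<pid>/maps` marks that mapping with a `(deleted)` suffix. The sample maps text is constructed, and the function names `stale_libraries` and `scan_proc` are hypothetical.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps for a daemon started before the update.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 fd:00 1312 /usr/sbin/exampled
7f3a1c000000-7f3a1c1b7000 r-xp 00000000 fd:00 2211 /usr/lib64/libc-2.17.so (deleted)
7f3a1c1b7000-7f3a1c3b6000 ---p 001b7000 fd:00 2211 /usr/lib64/libc-2.17.so (deleted)
7f3a1c5c0000-7f3a1c5d6000 r-xp 00000000 fd:00 2230 /usr/lib64/libresolv-2.17.so (deleted)
7f3a1c7e0000-7f3a1c801000 r-xp 00000000 fd:00 2305 /usr/lib64/ld-2.17.so
7f3a1ca00000-7f3a1ca01000 rw-s 00000000 00:04 9901 /SYSV00000000 (deleted)
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
"""

# Executable mappings of shared objects whose on-disk file has been replaced.
# Requiring the "x" permission and a .so name skips deleted shared-memory
# segments and temp files, which are not a sign of a stale library.
_STALE = re.compile(r"^\S+ ..x. \S+ \S+ \d+\s+(/\S*\.so(?:\.[\w.]+)?) \(deleted\)$")


def stale_libraries(maps_text):
    """Return the sorted replaced shared objects still mapped executable."""
    found = set()
    for line in maps_text.splitlines():
        m = _STALE.match(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale libraries for every readable process (run as root)."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read())
        except OSError:
            continue  # process exited, or we may not read its maps
        if stale:
            results[int(entry)] = stale
    return results


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Any pid it prints is still running code from the old library and needs its service restarted; an empty result after a reboot is the expected state.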