[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547

Wed Feb 17 13:50:00 UTC 2016
Johnny Hughes <johnny at centos.org>

On 02/17/2016 07:40 AM, Corey Johnson wrote:
> 
> On 2/17/2016 8:01 AM, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what is
>> available for updates, but there is a CVE (CVE-2015-7547) that needs a
>> bit more attention which will be on today's announce list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is
>> VERY important that all users update to these versions:  This update is
>> rated as Critical by Red Hat, meaning that it is remotely exploitable
>> under some circumstances.  Make sure this update works in your
>> environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple stories:
>>
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>>
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL updates
>> from CentOS-6 or CentOS-7 applied along with the glibc updates.  So a
>> yum update with base and updates repo enabled is the ONLY tested
>> scenario.  Did I say *ONLY* enough?

> I am trying to find conclusive info on whether pre glibc version 2.9
> needs to be of concern.  I have some older CentOS-5 machines running
> some older software, and they currently have glibc 2.5-123 installed. 
> Some technical info i have read on this vulnerability states that the
> issue was introduced in version 2.9.  But other less technical articles
> mention that older version "could" be vulnerable.  Would appreciate any
> comments from the community on this.

Red Hat says no:
https://access.redhat.com/security/cve/CVE-2015-7547

Is it possible they are wrong .. I guess, anything is possible.

You can test with this:

https://github.com/fjserna/CVE-2015-7547







-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20160217/80eeabd9/attachment-0005.sig>