[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
Fabian Arrotin
arrfab at centos.org
Wed Feb 17 13:36:39 UTC 2016
On 17/02/16 14:08, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show
>> what is available for updates, but there is a CVE (CVE-2015-7547)
>> that needs a bit more attention which will be on today's announce
>> list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 ..
>> it is VERY important that all users update to these versions:
>> This update is rated as Critical by Red Hat, meaning that it is
>> remotely exploitable under some circumstances. Make sure this
>> update works in your environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple
>> stories:
>>
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>>
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL
>> updates from CentOS-6 or CentOS-7 applied along with the glibc
>> updates. So a yum update with base and updates repo enabled is
>> the ONLY tested scenario. Did I say *ONLY* enough?
>>
>> Thanks, Johnny Hughes
>
> Hi Johnny,
>
> Thank you as always. Should I be rebooting servers to ensure that
> all services are using the new glibc?
>
> sorry for the rookie question, just need some clarification.
>
> thanks
>
> Michael
>
It depends on your environment: it's advised to restart the node, but
if you can't, you can list the service[s] that depend on libc and
(selectively) restart those (like sshd/httpd/postfix/...) on public
facing nodes:

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

Source: https://access.redhat.com/articles/2161461
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
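Added example, not part of the original message or of the Red Hat article it cites: the same "which processes still hold the old libc" check done by reading /proc/<pid>/maps directly, for hosts where lsof is not installed. The function name and the optional proc-root argument are assumptions made for this example; like the /libc-/ filter in the message, it matches mapped files whose basename starts with "libc-".

```sh
#!/bin/sh
# Added example (not from the original message): report processes that still
# map a libc-* file that has been replaced on disk. After the glibc update the
# old library stays mapped and /proc/<pid>/maps marks its path "(deleted)".
# The function name and the PROC_ROOT argument are assumptions for this example.

# stale_libc_procs [PROC_ROOT]  ->  one "PID COMMAND PATH" line per process
stale_libc_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # no match, or process already gone
        dir=${maps%/maps}
        pid=${dir##*/}
        # Last field is "(deleted)", the field before it is the mapped path.
        # Like the /libc-/ filter in the message, match a basename starting "libc-".
        lib=$(awk '$NF == "(deleted)" && $(NF-1) ~ "/libc-[^/]*$" { print $(NF-1); exit }' \
              "$maps" 2>/dev/null) || lib=
        [ -n "$lib" ] || continue
        # /proc/<pid>/status carries the command name on its "Name:" line.
        name=$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null) || name=
        printf '%s %s %s\n' "$pid" "${name:-?}" "$lib"
    done
}

# Run as root to see every process; an empty result means nothing is stale.
stale_libc_procs "$@"
```

Each line printed names a process to restart (or a reason to reboot); rerun it after the restarts and expect no output.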