[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547

Wed Feb 17 13:40:38 UTC 2016
Corey Johnson <cjohnson at cniweb.net>

On 2/17/2016 8:01 AM, Johnny Hughes wrote:
> I normally just let the daily announce post to this list show what is
> available for updates, but there is a CVE (CVE-2015-7547) that needs a
> bit more attention which will be on today's announce list of updates.
>
> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is
> VERY important that all users update to these versions:  This update is
> rated as Critical by Red Hat, meaning that it is remotely exploitable
> under some circumstances.  Make sure this update works in your
> environments and update as soon as you can.
>
> CentOS-7:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>
> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>
> CentOS-6:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>
> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>
> These mitigate CVE-2015-7547:
> https://access.redhat.com/security/cve/CVE-2015-7547
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>
> Can't stress how important this update is .. here are a couple stories:
>
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>
> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>
> Please note that the ONLY way this is tested to work is with ALL updates
> from CentOS-6 or CentOS-7 applied along with the glibc updates.  So a
> yum update with base and updates repo enabled is the ONLY tested
> scenario.  Did I say *ONLY* enough?
>
> Thanks,
> Johnny Hughes
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

I am trying to find conclusive info on whether glibc versions before 2.9
need to be of concern.  I have some older CentOS-5 machines running
some older software, and they currently have glibc 2.5-123 installed.
Some technical info I have read on this vulnerability states that the
issue was introduced in version 2.9.  But other less technical articles
mention that older versions "could" be vulnerable.  Would appreciate any
comments from the community on this.

-- 
Corey A. Johnson
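As an added example (not from this thread or from the CentOS project), a small POSIX sh check for whether the installed glibc package carries the CVE-2015-7547 fix. Red Hat and CentOS backport security fixes without changing the upstream glibc version number, so `rpm -q glibc` alone does not tell you whether the fix is present; the package changelog does. The changelog excerpts below are constructed stand-ins, and the version strings in them are placeholders, not the real package releases.

```shell
#!/bin/sh
# glibc_has_fix CHANGELOG_TEXT
#   Prints "fixed" and returns 0 if the changelog text mentions CVE-2015-7547,
#   otherwise prints "unfixed" and returns 1.
# On a real CentOS-6/7 host, feed it the output of:
#   rpm -q --changelog glibc
glibc_has_fix() {
    if printf '%s\n' "$1" | grep -q 'CVE-2015-7547'; then
        echo fixed
        return 0
    fi
    echo unfixed
    return 1
}

# Constructed changelog excerpt standing in for a package built with the fix.
# (Version/release strings are placeholders, not the real errata packages.)
SAMPLE_FIXED='* Tue Feb 16 2016 Example Packager <packager at example.invalid> - 0.0-PLACEHOLDER.2
- Fix CVE-2015-7547: stack-based buffer overflow in getaddrinfo'

# Constructed changelog excerpt standing in for a package built before the fix.
SAMPLE_UNFIXED='* Mon Nov 23 2015 Example Packager <packager at example.invalid> - 0.0-PLACEHOLDER.1
- Rebuild for an unrelated fix'

# Real usage on a CentOS host (uncomment to run there):
# glibc_has_fix "$(rpm -q --changelog glibc)"
```

Because glibc is already mapped into every running process, a host is only protected once the updated library is actually in use, so after `yum update` plan a reboot (or at least a restart of long-running network services) as part of the rollout.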