On 02/17/2016 07:08 AM, Michael H wrote: > On 17/02/16 13:01, Johnny Hughes wrote: >> I normally just let the daily announce post to this list show what >> is available for updates, but there is a CVE (CVE-2015-7547) that >> needs a bit more attention which will be on today's announce list >> of updates. >> >> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it >> is VERY important that all users update to these versions: This >> update is rated as Critical by Red Hat, meaning that it is remotely >> exploitable under some circumstances. Make sure this update works >> in your environments and update as soon as you can. >> >> CentOS-7: >> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html >> >> https://rhn.redhat.com/errata/RHSA-2016-0176.html >> >> CentOS-6: >> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html >> >> https://rhn.redhat.com/errata/RHSA-2016-0175.html >> >> These mitigate CVE-2015-7547: >> https://access.redhat.com/security/cve/CVE-2015-7547 >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1293532 >> >> Can't stress how important this update is .. here are a couple >> stories: >> >> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/ >> >> >> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/ >> >> Please note that the ONLY way this is tested to work is with ALL >> updates from CentOS-6 or CentOS-7 applied along with the glibc >> updates. So a yum update with base and updates repo enabled is the >> ONLY tested scenario. Did I say *ONLY* enough? >> >> Thanks, Johnny Hughes > > Hi Johnny, > > Thank you as always, Should I be rebooting servers to ensure that all > services are using the new glibc? > > sorry for the rookie question, just need some clarification. > The easy answer is yes .. glibc requires so many things to be restarted, that is the best bet. Or certainly the easiest. Note: in CentOS 7, there is also a kernel update which is rated as Important .. so you should boot to that anyway: https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html Here is a good link to figure out what to restart if you don't want to reboot: https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/ and there is this thread: http://markmail.org/message/dodinyrhwgey35mh But generalyl, after a glibc update or a kernel update .. rebooting is easiest and it ensures everything is protected. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160217/0d8fa402/attachment-0004.sig>