Hi Allan & others,

This is a pretty big remote vulnerability, with a big attack surface. I'm not sure if this is the right list to be sending it to, but I'd suggest patching glibc right away. I think RedHat's already released an RHEL5 backported patch, and upstream has already patched it (as of yesterday). See the links below.

Ido

glibc bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=15014
Upstream patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391
RedHat bug: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Blog post describing the vulnerability: http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/
HN Discussion: https://news.ycombinator.com/item?id=8953545
Original report (afaict) in French: http://www.frsag.org/pipermail/frsag/2015-January/005722.html