CVE-2015-0235 - glibc gethostbyname




Saw this on the Exim List:-

From: 	Tony Finch <dot--at--@xxxxxxxx>
Subject: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
Date: 	Tue, 27 Jan 2015 17:33:45 +0000


"The Exim mail server is exploitable remotely if configured to perform
extra security checks on the HELO and EHLO commands ("helo_verify_hosts"
or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed
a reliable and fully-functional exploit that bypasses all existing
protections (ASLR, PIE, NX) on 32-bit and 64-bit machines."

http://www.openwall.com/lists/oss-security/2015/01/27/9

---------------------------------

"- We identified a number of factors that mitigate the impact of this
  bug. In particular, we discovered that it was fixed on May 21, 2013
  (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
  was not recognized as a security threat; as a result, most stable and
  long-term-support distributions were left exposed (and still are):
  Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
  Ubuntu 12.04, for example."

-------------------------------------

I use Exim on C5 and C6 - should I be worried about Exim on C6?



-- 
Regards,

Paul.
England, EU.      Je suis Charlie.
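The quoted advisory ties remote exposure to one configuration condition: Exim only calls the vulnerable gethostbyname() on behalf of a remote client when HELO/EHLO verification is switched on. This added shell example (not from the post, and not Exim's own tooling) audits an Exim configuration file for exactly those settings: helo_verify_hosts, helo_try_verify_hosts, or an ACL `verify = helo`. The two sample configs and the hostname in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Exim's own tooling and not from the original post):
# audit an Exim configuration file for the settings the advisory names as
# the remote trigger: helo_verify_hosts, helo_try_verify_hosts, or an ACL
# condition "verify = helo". Prints matching active lines; exit 0 if any.
exim_helo_checks_enabled() {
    # Drop comment lines ('#' at line start), then match either a non-empty
    # host list for helo_verify_hosts / helo_try_verify_hosts, or an ACL
    # "verify = helo" (optional ACL verb before, optional /modifiers after).
    sed -e 's/^[[:space:]]*#.*$//' "$1" | grep -Ei \
        -e '^[[:space:]]*helo_(try_)?verify_hosts[[:space:]]*=[[:space:]]*[^[:space:]]' \
        -e '^[[:space:]]*((require|deny|warn|accept|defer|discard)[[:space:]]+)?verify[[:space:]]*=[[:space:]]*helo([[:space:]/]|$)'
}
# Constructed sample configs (hostname is a placeholder, not a real host).
write_sample_with_helo_checks() {
    cat > "$1" <<'EOF'
primary_hostname = mail.example.invalid
# Verify the HELO/EHLO name of every remote host.
helo_verify_hosts = *
begin acl
acl_check_rcpt:
  require verify = helo
EOF
}
write_sample_without_helo_checks() {
    cat > "$1" <<'EOF'
primary_hostname = mail.example.invalid
# helo_verify_hosts = *   (commented out, so not active)
helo_try_verify_hosts =
begin acl
acl_check_rcpt:
  accept
EOF
}
# Stand-alone run: audit both samples, then any config path given as $1.
main() {
    dir=$(mktemp -d)
    write_sample_with_helo_checks "$dir/with.conf"
    write_sample_without_helo_checks "$dir/without.conf"
    for f in "$dir/with.conf" "$dir/without.conf" ${1:+"$1"}; do
        if exim_helo_checks_enabled "$f" >/dev/null; then
            echo "$f: HELO verification enabled; remote gethostbyname() path is active"
        else
            echo "$f: HELO verification not enabled"
        fi
    done
    rm -rf "$dir"
}
main "$@"
```

Pass the live configuration path (as printed by `exim -bP configure_file`) as the first argument to audit it after the two samples. A clean result here only narrows the remote Exim path; the glibc package itself still needs the distribution's fix.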


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



