Re: New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547




On 02/17/2016 07:40 AM, Corey Johnson wrote:
> 
> On 2/17/2016 8:01 AM, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what is
>> available for updates, but there is a CVE (CVE-2015-7547) that needs a
>> bit more attention which will be on today's announce list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is
>> VERY important that all users update to these versions:  This update is
>> rated as Critical by Red Hat, meaning that it is remotely exploitable
>> under some circumstances.  Make sure this update works in your
>> environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>>
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple stories:
>>
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>>
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL updates
>> from CentOS-6 or CentOS-7 applied along with the glibc updates.  So a
>> yum update with base and updates repo enabled is the ONLY tested
>> scenario.  Did I say *ONLY* enough?

> I am trying to find conclusive info on whether pre-2.9 glibc versions
> need to be of concern.  I have some older CentOS-5 machines running
> some older software, and they currently have glibc 2.5-123 installed.
> Some technical info I have read on this vulnerability states that the
> issue was introduced in version 2.9.  But other less technical articles
> mention that older versions "could" be vulnerable.  Would appreciate any
> comments from the community on this.

Red Hat says no:
https://access.redhat.com/security/cve/CVE-2015-7547

Is it possible they are wrong .. I guess, anything is possible.

You can test with this:

https://github.com/fjserna/CVE-2015-7547







Attachment: signature.asc
Description: OpenPGP digital signature
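Added example, not part of this thread and not CentOS or Red Hat tooling: a POSIX shell script that reports whether the glibc on a CentOS 5/6/7 host is at or past the build carrying the CVE-2015-7547 fix, and lists processes still running against the old library after an update. The fixed version-release strings below are the ones I take to be listed in RHSA-2016:0175 (EL6) and RHSA-2016:0176 (EL7) linked above; confirm them against the errata before relying on the script. It also assumes GNU `sort -V` (coreutils), the `centos-release` package for the major version, and the optional `needs-restarting` tool from yum-utils.

```shell
#!/bin/sh
# Check the installed glibc against the CVE-2015-7547 fix and flag processes
# that still map the old library. Example script, not CentOS/Red Hat code.

# Assumed fixed version-release strings (from the errata linked in the thread;
# verify against RHSA-2016:0175 and RHSA-2016:0176 before use).
FIXED_EL6="2.12-1.166.el6_7.7"
FIXED_EL7="2.17-106.el7_2.4"

# version_ge A B: true (0) if version-release A sorts at or after B.
# Uses GNU sort -V, which is adequate within one package's release stream;
# for arbitrary RPM EVR comparisons use rpmdev-vercmp or rpm's labelCompare.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# glibc_status MAJOR VERSION-RELEASE
# Prints one of: not-affected | fixed | vulnerable | unknown
# EL5 ships glibc 2.5, which predates the bug (introduced in glibc 2.9),
# so it is reported as not affected, matching the Red Hat CVE page.
glibc_status() {
    case "$1" in
        5) echo not-affected ;;
        6) if version_ge "$2" "$FIXED_EL6"; then echo fixed; else echo vulnerable; fi ;;
        7) if version_ge "$2" "$FIXED_EL7"; then echo fixed; else echo vulnerable; fi ;;
        *) echo unknown ;;
    esac
}

# On a real host, query rpm; elsewhere the script just defines the functions.
if command -v rpm >/dev/null 2>&1 && rpm -q glibc >/dev/null 2>&1; then
    major=$(rpm -q --qf '%{VERSION}\n' centos-release 2>/dev/null | head -n 1 | cut -d. -f1)
    # Multi-arch hosts may list glibc twice (i686 and x86_64); one line is enough.
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1)
    echo "glibc ${installed} on EL${major:-?}: $(glibc_status "${major:-0}" "$installed")"

    # A new glibc on disk does nothing for processes already running; they keep
    # the old mapping until restarted. needs-restarting (yum-utils) lists them.
    if command -v needs-restarting >/dev/null 2>&1; then
        echo "Processes still using pre-update libraries (restart or reboot):"
        needs-restarting
    fi
fi
```

Run it before and after `yum update` (the full update with base and updates enabled, as Johnny notes, not `yum update glibc` alone). A "fixed" result only means the package on disk is current: sshd, httpd, and anything else long-running keeps the vulnerable getaddrinfo in memory until it is restarted, so treat the `needs-restarting` output, or a reboot, as part of the remediation.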

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
