* HEADSUP - CVE 2015-023 remote code execution in glibc
@ 2015-01-28 11:17 Damian, Alexandru
  2015-01-28 11:20 ` Burton, Ross
  2015-01-28 16:03 ` akuster
  0 siblings, 2 replies; 5+ messages in thread
From: Damian, Alexandru @ 2015-01-28 11:17 UTC (permalink / raw)
  To: Yocto Project Discussion

More details

http://www.openwall.com/lists/oss-security/2015/01/27/9

redhat bug and patch

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

Do we need to open a bug to track this ?


-- 
Alex Damian
Yocto Project
SSG / OTC


* Re: HEADSUP - CVE 2015-023 remote code execution in glibc
  2015-01-28 11:17 HEADSUP - CVE 2015-023 remote code execution in glibc Damian, Alexandru
@ 2015-01-28 11:20 ` Burton, Ross
  2015-01-28 11:29   ` Paul Eggleton
  2015-01-28 16:03 ` akuster
  1 sibling, 1 reply; 5+ messages in thread
From: Burton, Ross @ 2015-01-28 11:20 UTC (permalink / raw)
  To: Damian, Alexandru; +Cc: Yocto Project Discussion

On 28 January 2015 at 11:17, Damian, Alexandru <alexandru.damian@intel.com>
wrote:

> Do we need to open a bug to track this ?
>

Probably for the best to ensure it goes into all the branches we support.

Ross


* Re: HEADSUP - CVE 2015-023 remote code execution in glibc
  2015-01-28 11:20 ` Burton, Ross
@ 2015-01-28 11:29   ` Paul Eggleton
  0 siblings, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2015-01-28 11:29 UTC (permalink / raw)
  To: Burton, Ross, Damian, Alexandru; +Cc: yocto

On Wednesday 28 January 2015 11:20:27 Burton, Ross wrote:
> On 28 January 2015 at 11:17, Damian, Alexandru <alexandru.damian@intel.com>
> wrote:
> > Do we need to open a bug to track this ?
> 
> Probably for the best to ensure it goes into all the branches we support.

FYI, none of the branches we still officially support use (e)glibc older than 
2.18, which is where the fix went in upstream; even dora that just went out of 
support has 2.18 as the default (2.17 is included though).

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: HEADSUP - CVE 2015-023 remote code execution in glibc
  2015-01-28 11:17 HEADSUP - CVE 2015-023 remote code execution in glibc Damian, Alexandru
  2015-01-28 11:20 ` Burton, Ross
@ 2015-01-28 16:03 ` akuster
  2015-01-29 10:06   ` Sona Sarmadi
  1 sibling, 1 reply; 5+ messages in thread
From: akuster @ 2015-01-28 16:03 UTC (permalink / raw)
  To: Damian, Alexandru, Yocto Project Discussion


Alexandr,


On 01/28/2015 03:17 AM, Damian, Alexandru wrote:
> More details
>
> http://www.openwall.com/lists/oss-security/2015/01/27/9
>
> redhat bug and patch
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
>
> Do we need to open a bug to track this ?

  I am working on patches already. If you opened a bug, please send me 
the #.

- Armin
>
>
> --
> Alex Damian
> Yocto Project
> SSG / OTC
>
>



* Re: HEADSUP - CVE 2015-023 remote code execution in glibc
  2015-01-28 16:03 ` akuster
@ 2015-01-29 10:06   ` Sona Sarmadi
  0 siblings, 0 replies; 5+ messages in thread
From: Sona Sarmadi @ 2015-01-29 10:06 UTC (permalink / raw)
  To: akuster, Damian, Alexandru; +Cc: Yocto Project Discussion


> Subject: Re: [yocto] HEADSUP - CVE 2015-023 remote code execution in glibc
> Alexandr,
> On 01/28/2015 03:17 AM, Damian, Alexandru wrote:
>> More details
>>
>>http://www.openwall.com/lists/oss-security/2015/01/27/9
>>
>> redhat bug and patch
>>
>>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
>>
>> Do we need to open a bug to track this ?
>    I am working on patches already. if you opened a bug, please send me the #.
> - Armin

Hi guys,

I opened a bug for this yesterday, (Bug 7258 - glibc: __nss_hostname_digits_dots() heap-based buffer overflow (CVE-2015-0235)) but closed it since this doesn't affect us.
 
There is another glibc issue (CVE-2013-7423?) being discussed; I think this is also fixed in 2.20.

<solardiz> glibc "getaddrinfo() writes DNS queries to random file descriptors under high load" https://sourceware.org/bugzilla/show_bug.cgi?id=15946 "Fixed in 2.20"

//Sona

