Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Jan 2015 09:22:09 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] Owl glibc updates for CVE-2015-0235 (GHOST)

Hi,

Owl 3.1-stable and Owl-current have been updated to include a fix for
CVE-2015-0235 (GHOST) in their glibc packages.  There are new binary
builds of glibc in both of these branches, for i686 and x86_64.  These
may be downloaded from our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

(The Czech and Russian mirrors already have the new files at the moment;
others will retrieve them soon.)

The change log entry is:

2015/01/28	Package: glibc
SECURITY FIX	Severity: none to high, remote, active
Backported upstream's fix for a buffer overflow in gethostbyname*()
functions, which could be triggered via a crafted IP address argument.
Depending on the application that uses these functions, this
vulnerability could allow a local or a remote attacker to execute
arbitrary code.  Due to the analysis by Qualys (referenced below), it is
known that the issue could be exploited remotely via Exim (which we do
not include in Owl) or locally via clockdiff or procmail if these are
installed SUID/SGID or with filesystem capabilities (not the case on
Owl).  While there's no known security impact on Owl itself, Owl with
third-party software added (as many real-world installs have) may be
affected, with worst-case impact ranging up to a remote root compromise.
References:
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

We'd like to thank Qualys for identifying and reporting the
vulnerability, and for their thorough analysis of its impact.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ