Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150128062209.GA29193@openwall.com>
Date: Wed, 28 Jan 2015 09:22:09 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] Owl glibc updates for CVE-2015-0235 (GHOST)

Hi,

Owl 3.1-stable and Owl-current have been updated to include a fix for
CVE-2015-0235 (GHOST) in their glibc packages.  There are new binary
builds of glibc in both of these branches, for i686 and x86_64.  These
may be downloaded from our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

(The Czech and Russian mirrors already have the new files at the moment;
others will retrieve them soon.)

The change log entry is:

2015/01/28	Package: glibc
SECURITY FIX	Severity: none to high, remote, active
Backported upstream's fix for a buffer overflow in gethostbyname*()
functions, which could be triggered via a crafted IP address argument.
Depending on the application that uses these functions, this
vulnerability could allow a local or a remote attacker to execute
arbitrary code.  Due to the analysis by Qualys (referenced below), it is
known that the issue could be exploited remotely via Exim (which we do
not include in Owl) or locally via clockdiff or procmail if these are
installed SUID/SGID or with filesystem capabilities (not the case on
Owl).  While there's no known security impact on Owl itself, Owl with
third-party software added (as many real-world installs have) may be
affected, with worst-case impact ranging up to a remote root compromise.
References:
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
https://sourceware.org/bugzilla/show_bug.cgi?id=15014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

We'd like to thank Qualys for identifying and reporting the
vulnerability, and for their thorough analysis of its impact.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.