Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Jan 2015 14:15:26 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On 01/27/2015 11:35 PM, Florian Weimer wrote:
> * Marek Kroemeke:
> 
>> We just noticed CVE-2015-0235 , and we thought we will drop this one
>> in - apologies for low quality , we didn't really have time yet to
>> analyse it, but it seems to be related, so it makes sense to patch
>> things once right ?
> 
> It's not related, and we cannot patch it at the same time because
> packages for the gethostbyname issue are already ready, they just have
> to be released.  (When we change critical system components, we also
> need to be extra-careful with testing, which takes time.)
> 
> Andreas Schwab fixed this in 2011:
> 
>   <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7>
> 
> If I'm not mistaken, this commit when into glibc 2.15.
> 
> I have not yet found the corresponding glibc bug (if it exists).
> 
> The bug only materializes if the getaddrinfo functions is called with
> the AI_IDN flag, and if glibc has been compiled with libidn support
> (but I haven't checked if you can switch that off these days).
> 

MITRE,

This is a new flaw, can you please assign a CVE id to this?

https://bugzilla.redhat.com/show_bug.cgi?id=797096

Thanks!


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ