Date: Wed, 28 Jan 2015 14:15:26 +0530
From: Huzaifa Sidhpurwala <>
        Mitre CVE assign department <>
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On 01/27/2015 11:35 PM, Florian Weimer wrote:
> * Marek Kroemeke:
>> We just noticed CVE-2015-0235, and we thought we will drop this one
>> in - apologies for low quality, we didn't really have time yet to
>> analyse it, but it seems to be related, so it makes sense to patch
>> things once right?
> It's not related, and we cannot patch it at the same time because
> packages for the gethostbyname issue are already ready, they just have
> to be released.  (When we change critical system components, we also
> need to be extra-careful with testing, which takes time.)
> Andreas Schwab fixed this in 2011:
>   <;a=commitdiff;h=2e96f1c7>
> If I'm not mistaken, this commit went into glibc 2.15.
> I have not yet found the corresponding glibc bug (if it exists).
> The bug only materializes if the getaddrinfo function is called with
> the AI_IDN flag, and if glibc has been compiled with libidn support
> (but I haven't checked if you can switch that off these days).


This is a new flaw, can you please assign a CVE id to this?


Huzaifa Sidhpurwala / Red Hat Product Security Team
