Date: Wed, 28 Jan 2015 14:15:26 +0530 From: Huzaifa Sidhpurwala <huzaifas@...hat.com> To: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org> Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235) On 01/27/2015 11:35 PM, Florian Weimer wrote: > * Marek Kroemeke: > >> We just noticed CVE-2015-0235 , and we thought we will drop this one >> in - apologies for low quality , we didn't really have time yet to >> analyse it, but it seems to be related, so it makes sense to patch >> things once right ? > > It's not related, and we cannot patch it at the same time because > packages for the gethostbyname issue are already ready, they just have > to be released. (When we change critical system components, we also > need to be extra-careful with testing, which takes time.) > > Andreas Schwab fixed this in 2011: > > <https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7> > > If I'm not mistaken, this commit when into glibc 2.15. > > I have not yet found the corresponding glibc bug (if it exists). > > The bug only materializes if the getaddrinfo functions is called with > the AI_IDN flag, and if glibc has been compiled with libidn support > (but I haven't checked if you can switch that off these days). > MITRE, This is a new flaw, can you please assign a CVE id to this? https://bugzilla.redhat.com/show_bug.cgi?id=797096 Thanks! -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ