Date: Thu, 29 Jan 2015 21:43:46 -0500
From: Daniel Kahn Gillmor <>
To: Hanno Böck <>,
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Thu 2015-01-29 19:00:35 -0500, Hanno Böck wrote:
> As promised, I wrote down my lengthy thoughts in a blog post:

thanks for this writeup, Hanno.  you wrote:

>> It would be an interesting (and time consuming) project to take a
>> package like PHP and check for all the security vulnerabilities whether
>> they are fixed in the latest packages in Debian Squeeze/Wheezy, all Red
>> Hat Enterprise versions and other long term support systems.

I don't know about RHEL, but Debian's security tracker does actually try
to do this, and to coordinate it with the CVEs.  For example:

It ain't pretty, but it's there.  If you (or anyone) is interested in
working on this sort of tracker, or integrating between this and other
trackers, please talk to the Debian security team:


