oss-security - Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo()

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 3 Oct 2023 15:39:44 -0400
From: Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-4806, CVE-2023-5156: glibc: potential
 use-after-free in getaddrinfo()

On Tue, Oct 3, 2023 at 3:31 PM Rodrigo Freire <rfreire@...hat.com> wrote:
>
> On Tue, Oct 3, 2023 at 4:18 PM Solar Designer <solar@...nwall.com> wrote:
> > Hi,
>
> Hello,
>
> <snip>
>
> > https://access.redhat.com/security/cve/CVE-2023-5156
> > Puzzlingly, the latter URL lists RHEL 9 as affected, even though I think
> > the original buggy fix hasn't yet made it into a RHEL 9 glibc update.
> > Maybe that's part of Red Hat's tracking of what's in their pipeline.
>
> The affected code was backported into RHEL9's glibc and it is affected.
> The fix is traversing our productization pipeline and we will ship
> when it's done.

To elaborate, none of the *released* versions of rhel-9 are affected
by it, but the RHEL process is using it to coordinate things in the
release pipeline.

Thanks,
Sid

-- 
https://gotplt.org

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.