Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 28 Jan 2015 12:04:05 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: yunlian@...gle.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc
 (CVE-2015-0235)

Hi,

the german IT news webpage heise mentions this: back in April 2014
Chrome OS applied the patch:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/7738d06627941a2119ba15f3472320c5cecc7be6%5E!/#F0

The comit message clearly states they were aware of the vulnerability
nature of this fix:
"glibc: backport an nss overflow patch.

This beckports a patch to fix a nss vulnerability inside glibc."

I'm CC-ing the committer. Maybe we can shed some light on this.

Two people having fixed this in different places without crying alarm -
it's worrying.

Here's the german article mentioning this:
http://www.heise.de/newsticker/meldung/Ghost-Uralte-Luecke-in-Glibc-bedroht-Linux-Server-2530159.html

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.