Date: Wed, 28 Jan 2015 12:04:05 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: yunlian@...gle.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

Hi,

the German IT news webpage heise mentions this: back in April 2014 Chrome OS applied the patch:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/7738d06627941a2119ba15f3472320c5cecc7be6%5E!/#F0

The commit message clearly states they were aware of the vulnerability nature of this fix:
"glibc: backport an nss overflow patch. This backports a patch to fix a nss vulnerability inside glibc."

I'm CC-ing the committer. Maybe we can shed some light on this. Two people having fixed this in different places without crying alarm - it's worrying.

Here's the German article mentioning this:
http://www.heise.de/newsticker/meldung/Ghost-Uralte-Luecke-in-Glibc-bedroht-Linux-Server-2530159.html

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42