Date: Wed, 28 Jan 2015 09:22:09 +0300 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com, owl-users@...ts.openwall.com Subject: Owl glibc updates for CVE-2015-0235 (GHOST) Hi, Owl 3.1-stable and Owl-current have been updated to include a fix for CVE-2015-0235 (GHOST) in their glibc packages. There are new binary builds of glibc in both of these branches, for i686 and x86_64. These may be downloaded from our FTP mirrors: http://www.openwall.com/Owl/DOWNLOAD.shtml (The Czech and Russian mirrors already have the new files at the moment; others will retrieve them soon.) The change log entry is: 2015/01/28 Package: glibc SECURITY FIX Severity: none to high, remote, active Backported upstream's fix for a buffer overflow in gethostbyname*() functions, which could be triggered via a crafted IP address argument. Depending on the application that uses these functions, this vulnerability could allow a local or a remote attacker to execute arbitrary code. Due to the analysis by Qualys (referenced below), it is known that the issue could be exploited remotely via Exim (which we do not include in Owl) or locally via clockdiff or procmail if these are installed SUID/SGID or with filesystem capabilities (not the case on Owl). While there's no known security impact on Owl itself, Owl with third-party software added (as many real-world installs have) may be affected, with worst-case impact ranging up to a remote root compromise. References: http://www.openwall.com/lists/oss-security/2015/01/27/9 https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability https://sourceware.org/bugzilla/show_bug.cgi?id=15014 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 We'd like to thank Qualys for identifying and reporting the vulnerability, and for their thorough analysis of its impact. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.