Saw this on the Exim List:-

From: Tony Finch <dot--at-- at dotat.at>
Subject: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
Date: Tue, 27 Jan 2015 17:33:45 +0000

"The Exim mail server is exploitable remotely if configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed a reliable and fully-functional exploit that bypasses all existing protections (ASLR, PIE, NX) on 32-bit and 64-bit machines."

http://www.openwall.com/lists/oss-security/2015/01/27/9

---------------------------------

"- We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."

-------------------------------------

I use Exim on C5 and C6 - should I be worried about Exim on C6 ?

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
On 28/01/15 04:47, Always Learning wrote:
> Saw this on the Exim List:-
> <SNIP>
> I use Exim on C5 and C6 - should I be worried about Exim on C6 ?

upstream references:
https://rhn.redhat.com/errata/RHSA-2015-0092.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

Note that in the openwall.com URL you provided (http://www.openwall.com/lists/oss-security/2015/01/27/9 ) there is a simple program (in section 4 - Case Studies) to test whether a given machine's vulnerable.

I dunno what the EOL for C5 patches are, as I don't run it. But reading http://wiki.centos.org/HowTos/EOL it'd seem that there may be a patch for it at some stage, despite upstream not referencing their 5th edition in their notes.

Cheers,

Pete.
On 28/01/15 06:58, Peter Lawler wrote:
> despite upstream not referencing their 5th edition
> in their notes.

Apologies for replying to myself on the list. Upstream referenced the bug in their 5th edition via a link in their BZ; that's how I missed it from their Security Advisory page: https://rhn.redhat.com/errata/RHSA-2015-0090.html

Cheers,

Pete.
On Tue, January 27, 2015 1:58 pm, Peter Lawler wrote:
> On 28/01/15 04:47, Always Learning wrote:
>> Saw this on the Exim List:-
> <SNIP>
>> I use Exim on C5 and C6 - should I be worried about Exim on C6 ?
>
> upstream references:
> https://rhn.redhat.com/errata/RHSA-2015-0092.html

When I read this I read that it is fixed in glibc-2.12-1.149.el6_6.5.src.rpm (RHEL 6). On my CentOS 6 I have, according to "rpm -qi glibc": glibc-2.12-1.149.el6_6.4.src.rpm (which resembles what is latest on the public mirror I maintain, and I checked randomly a couple of other mirrors - the same). If I read numbers correctly, we all are one minor (very minor ;-) number behind RHEL.

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
>
> Note that in the openwall.com URL you provided
> (http://www.openwall.com/lists/oss-security/2015/01/27/9 ) there is a
> simple program (in section 4 - Case Studies) to test whether a given
> machine's vulnerable.

And when I check the machine with glibc-2.12-1.149.el6_6.4.x86_64 (fully updated CentOS 6), indeed the program from section 4 of the openwall page above says "vulnerable". Am I the only one (read: an idiot ;-) or do others have the same?

Thanks Peter!

Valeri

> I dunno what the EOL for C5 patches are, as I don't run it. But reading
> http://wiki.centos.org/HowTos/EOL it'd seem that there may be a patch
> for it at some stage, despite upstream not referencing their 5th edition
> in their notes.
>
> Cheers,
>
> Pete.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
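Added worked example, not part of the thread: the "section 4" test the replies above are running is a probe for the buffer-size miscalculation in glibc's __nss_hostname_digits_dots(). The program below is a rewrite of that idea by the editor, not the openwall advisory's own program and not code posted by anyone on the list. It hands gethostbyname_r() an all-digits name whose length makes the pre-fix size computation come out to exactly the size of the scratch buffer, then checks a canary placed right behind that buffer: a fixed glibc (the May 2013 change that added sizeof(*h_alias_ptr) to the computation) rejects the call with ERANGE and writes nothing; a vulnerable one writes a few bytes past the end and clobbers the canary. The 16-byte host_addr_t and the two-pointer h_addr_ptrs sizes follow glibc's nss/digits_dots.c; the canary string, the GHOST_* result codes and the function names are the editor's own.

```c
/* CVE-2015-0235 (GHOST) probe: editor's rewrite of the openwall-style
 * test, returning a result code instead of only printing so it can be
 * checked from other code. Assumptions (glibc layout, not from the
 * thread): host_addr_t is 16 bytes, h_addr_ptrs is two char pointers. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Declared explicitly so the probe also compiles under -std=c11, where
 * <netdb.h> hides the GNU/BSD gethostbyname_r prototype. */
int gethostbyname_r(const char *, struct hostent *, char *, size_t,
                    struct hostent **, int *);

enum ghost_result {
    GHOST_FIXED = 0,      /* ERANGE returned, canary untouched (fix present) */
    GHOST_VULNERABLE = 1, /* canary behind the buffer was overwritten        */
    GHOST_UNEXPECTED = 2  /* neither: some other libc behaviour              */
};

#define GHOST_CANARY "in_the_coal_mine"   /* arbitrary marker string */

/* Scratch buffer handed to gethostbyname_r with a canary directly behind
 * it. Kept static (not on the stack) so a short overflow lands in a
 * predictable place rather than in a frame the compiler may rearrange. */
static struct {
    char buffer[1024];
    char canary[sizeof(GHOST_CANARY)];
} ghost_temp;

/* Size the digits-and-dots code believes it needs for a numeric name:
 * host_addr (16) + h_addr_ptrs (2 pointers) + name + NUL before the fix;
 * the 2013 fix adds sizeof(*h_alias_ptr), one more pointer. */
size_t ghost_size_needed(size_t namelen, int with_fix)
{
    size_t n = 16 + 2 * sizeof(char *) + namelen + 1;
    if (with_fix)
        n += sizeof(char *);
    return n;
}

/* Name length that makes the pre-fix computation equal the buffer size,
 * so the "buflen < size_needed" guard passes on a vulnerable libc. */
size_t ghost_probe_name_len(void)
{
    return sizeof(ghost_temp.buffer) - 16 - 2 * sizeof(char *) - 1;
}

enum ghost_result ghost_probe(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(ghost_temp.buffer)];
    size_t len = ghost_probe_name_len();

    /* Re-arm the canary each call so repeated probes stay independent. */
    memset(ghost_temp.buffer, 0, sizeof(ghost_temp.buffer));
    memcpy(ghost_temp.canary, GHOST_CANARY, sizeof(GHOST_CANARY));

    /* All digits: glibc treats it as a numeric address on the
     * digits-and-dots fast path, so no DNS traffic is generated. */
    memset(name, '0', len);
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, ghost_temp.buffer,
                             sizeof(ghost_temp.buffer), &result, &herrno);

    if (memcmp(ghost_temp.canary, GHOST_CANARY, sizeof(GHOST_CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (rc == ERANGE)
        return GHOST_FIXED;
    return GHOST_UNEXPECTED;
}

int main(void)
{
    switch (ghost_probe()) {
    case GHOST_FIXED:      puts("not vulnerable");    return 0;
    case GHOST_VULNERABLE: puts("vulnerable");        return 1;
    default:               puts("should not happen"); return 2;
    }
}
```

Build and run it on the machine under test with the stock compiler (gcc -o ghost ghost.c && ./ghost), dynamically linked, so it exercises the installed libc.so rather than a copy baked into the binary. Two caveats a practitioner will want: the result only describes the glibc that new processes map, so a daemon such as exim that was started before the updated package landed keeps the old library until it is restarted; and a "not vulnerable" here says nothing about the exim-side configuration (helo_verify_hosts and friends) that the advisory names as the remote trigger.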