Venkateswara Rao Dokku
2015-Jun-05 08:48 UTC
[CentOS] Regarding CVE-2015-1781 vulnerability in Glibc
Thanks for the reply.

Where can we get the info regarding whether it's fixed in CentOS 5 or not?

I did rpm -q --changelog <glibc> | grep <CVE>

but I don't find any info on this.

This might mean 3 things.
1. The version is not affected so no fix
2. The version is affected, still no fix
3. Fix applied, but not shown in o/p

Thanks

On Fri, Jun 5, 2015 at 2:06 PM, John Tall <mjtallx at gmail.com> wrote:
> On Fri, Jun 5, 2015 at 10:26 AM, Venkateswara Rao Dokku
> <dvrao.584 at gmail.com> wrote:
> > Hi All,
> >
> > I am using CentOS 5.5 with gcc version 2.5.123.el5.
>
> Are you really on 5.5? You should consider updating to 5.11.
>
> > I just wanted to check whether the CVE-2015-1781 is fixed in the current
> > version?
> >
> > How can I do that?
> >
> > Right now I don't have access to that machine, so I wanted to check whether
> > it's fixed online (not via shell)?
>
> https://access.redhat.com/security/cve/CVE-2015-1781
>
> I don't know if CentOS has CVE information online. It's fixed in RHEL
> 6 so CentOS 6 should have it too. No word on whether RHEL 5/CentOS 5
> is affected or not.
>
> John

--
Thanks & Regards,
Venkateswara Rao Dokku.
Eero Volotinen
2015-Jun-05 08:54 UTC
[CentOS] Regarding CVE-2015-1781 vulnerability in Glibc
Latest version of CentOS is 5.11, so you need to update to the latest minor version to get patches.

--
Eero

2015-06-05 11:48 GMT+03:00 Venkateswara Rao Dokku <dvrao.584 at gmail.com>:
> Thanks for the reply.
>
> Where can we get the info regarding whether it's fixed in CentOS 5 or not?
>
> I did rpm -q --changelog <glibc> | grep <CVE>
>
> but I don't find any info on this.
>
> This might mean 3 things.
> 1. The version is not affected so no fix
> 2. The version is affected, still no fix
> 3. Fix applied, but not shown in o/p
>
> Thanks
>
> On Fri, Jun 5, 2015 at 2:06 PM, John Tall <mjtallx at gmail.com> wrote:
> > On Fri, Jun 5, 2015 at 10:26 AM, Venkateswara Rao Dokku
> > <dvrao.584 at gmail.com> wrote:
> > > Hi All,
> > >
> > > I am using CentOS 5.5 with gcc version 2.5.123.el5.
> >
> > Are you really on 5.5? You should consider updating to 5.11.
> >
> > > I just wanted to check whether the CVE-2015-1781 is fixed in the current
> > > version?
> > >
> > > How can I do that?
> > >
> > > Right now I don't have access to that machine, so I wanted to check whether
> > > it's fixed online (not via shell)?
> >
> > https://access.redhat.com/security/cve/CVE-2015-1781
> >
> > I don't know if CentOS has CVE information online. It's fixed in RHEL
> > 6 so CentOS 6 should have it too. No word on whether RHEL 5/CentOS 5
> > is affected or not.
> >
> > John
>
> --
> Thanks & Regards,
> Venkateswara Rao Dokku.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Fri, Jun 5, 2015 at 10:48 AM, Venkateswara Rao Dokku <dvrao.584 at gmail.com> wrote:
> Thanks for the reply.
>
> Where can we get the info regarding whether it's fixed in CentOS 5 or not?
>
> I did rpm -q --changelog <glibc> | grep <CVE>
>
> but I don't find any info on this.
>
> This might mean 3 things.
> 1. The version is not affected so no fix
> 2. The version is affected, still no fix
> 3. Fix applied, but not shown in o/p
>
> Thanks

We don't know. Red Hat has only mentioned RHEL 6. When vulnerabilities are found in CentOS 5 which they consider not to be important enough to fix they usually mention that in the errata.

According to upstream the bug was introduced in glibc 2.6 so if CentOS 5 has 2.5 then it might be just enough too old.
https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Not affected so no fix sounds most plausible.

John
Unless there's more information the best way to find out would be to download the SRPM and check the source code.
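
The triage discussed in the messages above (changelog lists the fix, package predates the upstream bug, or neither), as an added example that is not part of any message in this thread. The function names `ver_lt` and `triage_cve` are hypothetical, the sample changelog entries are constructed, and the 2.6 threshold is the upstream figure quoted above.

```sh
#!/bin/sh
# Added example, not from the thread. Sample changelog text is constructed.

# ver_lt A B: succeed if dotted numeric version A is strictly lower than B.
# Fields are compared as numbers, so 2.12 is correctly newer than 2.6.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# triage_cve CVE INTRODUCED_IN PKG_VERSION   (changelog text on stdin)
# Prints one verdict:
#   fix-listed    changelog names the CVE, so a fix was packaged
#   predates-bug  package version is older than the release that introduced it
#   undetermined  neither holds; inspect the SRPM source
triage_cve() {
    if grep -qiFw -- "$1"; then
        echo "fix-listed"
    elif ver_lt "$3" "$2"; then
        echo "predates-bug"
    else
        echo "undetermined"
    fi
}

# Constructed changelog excerpts in rpm's "* date packager - version" layout.
SAMPLE_LISTED='* Thu Jan 01 2015 Example Packager <pkg@example.invalid> - 2.12-0.example
- Constructed entry: fix for CVE-2015-1781'
SAMPLE_SILENT='* Thu Jan 01 2015 Example Packager <pkg@example.invalid> - 2.5-0.example
- Constructed entry: unrelated bug fix'

printf '%s\n' "$SAMPLE_LISTED" | triage_cve CVE-2015-1781 2.6 2.12
printf '%s\n' "$SAMPLE_SILENT" | triage_cve CVE-2015-1781 2.6 2.5
printf '%s\n' "$SAMPLE_SILENT" | triage_cve CVE-2015-1781 2.6 2.12

# On a real host:
#   rpm -q --changelog glibc |
#       triage_cve CVE-2015-1781 2.6 "$(rpm -q --qf '%{VERSION}' glibc)"
```

A `predates-bug` verdict is only a hint, because distribution packages carry backported patches on top of the upstream version, which is why checking the SRPM source remains the definitive step.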
Eero Volotinen
2015-Jun-05 09:16 UTC
[CentOS] Regarding CVE-2015-1781 vulnerability in Glibc
Many other security issues affect the *unpatched* CentOS 5.5 version. Some of them are very critical too.

--
Eero

2015-06-05 11:58 GMT+03:00 John Tall <mjtallx at gmail.com>:
> On Fri, Jun 5, 2015 at 10:48 AM, Venkateswara Rao Dokku
> <dvrao.584 at gmail.com> wrote:
> > Thanks for the reply.
> >
> > Where can we get the info regarding whether it's fixed in CentOS 5 or not?
> >
> > I did rpm -q --changelog <glibc> | grep <CVE>
> >
> > but I don't find any info on this.
> >
> > This might mean 3 things.
> > 1. The version is not affected so no fix
> > 2. The version is affected, still no fix
> > 3. Fix applied, but not shown in o/p
> >
> > Thanks
>
> We don't know. Red Hat has only mentioned RHEL 6. When vulnerabilities
> are found in CentOS 5 which they consider not to be important enough to
> fix they usually mention that in the errata.
>
> According to upstream the bug was introduced in glibc 2.6 so if CentOS
> 5 has 2.5 then it might be just enough too old.
> https://sourceware.org/bugzilla/show_bug.cgi?id=18287
>
> Not affected so no fix sounds most plausible.
>
> John