Hi,

We are using CentOS 5.5 as a base OS for one of our products. The version of Glibc we are using was glibc-2.5-123.el5_11.1. We wanted to see whether this glibc is vulnerable to CVE-2015-1781. I have gone through re-documentation & came across the following link

https://access.redhat.com/security/cve/cve-2015-1781

In the link it is mentioned that, the CVE will not be fixed in Red-Hat 5 version. What does that mean? I mean, whether the RedHat 5 is vulnerable & fix is not available or RedHat 5 is not vulnerable, hence the fix is not given?

Thanks for the info.

--
Thanks & Regards,
Venkat

On Wed, 25 Nov 2015 09:51:58 +0530 Venkateswara Rao Dokku wrote:

> In the link it is mentioned that, the CVE will not be fixed in Red-Hat 5
> version. What does that mean? I mean, whether the RedHat 5 is vulnerable &
> fix is not available or RedHat 5 is not vulnerable, hence the fix is not
> given?

Read what it says a little higher on that webpage, under the Statement heading:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

--
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com

On Tue, Nov 24, 2015 at 10:41:42PM -0600, Frank Cox wrote:

> On Wed, 25 Nov 2015 09:51:58 +0530
> Venkateswara Rao Dokku wrote:
>
> > In the link it is mentioned that, the CVE will not be fixed in Red-Hat 5
> > version. What does that mean? I mean, whether the RedHat 5 is vulnerable &
> > fix is not available or RedHat 5 is not vulnerable, hence the fix is not
> > given?
>
> Read what it says a little higher on that webpage, under the Statement heading:
>
> Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
>

Also, it's worth mentioning that there's no such thing as CentOS 5.5 -- if you're running that, there are a large number of critical security fixes which are not present. If you pay for RHEL 5.5, then you'll have something much safer. With CentOS, you must stay with the tip to be reasonably secure.

This is explained, somewhat confusingly, in https://wiki.centos.org/FAQ/General#head-dcca41e9a3d5ac4c6d900a991990fd11930867d6

--
greg