Johnny Hughes
2016-Feb-17 13:01 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.

We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.

CentOS-7:
https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
https://rhn.redhat.com/errata/RHSA-2016-0176.html

CentOS-6:
https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
https://rhn.redhat.com/errata/RHSA-2016-0175.html

These mitigate CVE-2015-7547:
https://access.redhat.com/security/cve/CVE-2015-7547
https://bugzilla.redhat.com/show_bug.cgi?id=1293532

Can't stress how important this update is .. here are a couple of stories:
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/

Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?

Thanks,
Johnny Hughes
Michael H
2016-Feb-17 13:08 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 17/02/16 13:01, Johnny Hughes wrote:
> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>
> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>
> CentOS-7:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>
> CentOS-6:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>
> These mitigate CVE-2015-7547:
> https://access.redhat.com/security/cve/CVE-2015-7547
> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>
> Can't stress how important this update is .. here are a couple stories:
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>
> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>
> Thanks,
> Johnny Hughes

Hi Johnny,

Thank you as always. Should I be rebooting servers to ensure that all services are using the new glibc?

Sorry for the rookie question, just need some clarification.

Thanks,
Michael
Fabian Arrotin
2016-Feb-17 13:36 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 17/02/16 14:08, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple stories:
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>>
>> Thanks,
>> Johnny Hughes
>
> Hi Johnny,
>
> Thank you as always, Should I be rebooting servers to ensure that all services are using the new glibc?
>
> sorry for the rookie question, just need some clarification.
>
> thanks
>
> Michael

It depends on your environment: it's advised to restart the node, but if you can't, you can list the service[s] that depend on libc and (selectively) restart those (like sshd/httpd/postfix/...) on public-facing nodes:

    lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

Source: https://access.redhat.com/articles/2161461

--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
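As an added example (not from Fabian's message or the Red Hat article it cites), here is the same "which processes still map the old libc" check done by reading /proc/<pid>/maps directly, so it also works on hosts where lsof is not installed. The function names and the sample maps text are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find processes that still map a glibc
# file that was replaced on disk. The kernel marks such mappings "(deleted)"
# in /proc/<pid>/maps; those processes keep running the OLD, vulnerable code
# until restarted. Reading other users' maps files requires root.

# maps_has_stale_libc: read one process's maps text on stdin; succeed (exit 0)
# if it maps a libc-<ver>.so or libc.so.6 whose backing file is gone.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+\.so|\.so\.6) \(deleted\)$'
}

# stale_libc_pids: print "PID COMMAND" for every live process with a stale libc.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Unreadable (permissions) or vanished maps files are skipped quietly.
        if maps_has_stale_libc 2>/dev/null < "$maps"; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Constructed sample of one process's maps after the glibc update: the old
# libc-2.17.so is unlinked but still mapped, so the kernel tags it (deleted).
SAMPLE_STALE='7f2d3a000000-7f2d3a1c2000 r-xp 00000000 fd:00 1048659 /usr/lib64/libc-2.17.so (deleted)
7f2d3a1c2000-7f2d3a3c2000 ---p 001c2000 fd:00 1048659 /usr/lib64/libc-2.17.so (deleted)
7f2d3a400000-7f2d3a420000 r-xp 00000000 fd:00 1048700 /usr/lib64/ld-2.17.so'

# Constructed sample of a process started after the update: same path, no tag.
SAMPLE_FRESH='7f2d3a000000-7f2d3a1c2000 r-xp 00000000 fd:00 1048801 /usr/lib64/libc-2.17.so
7f2d3a400000-7f2d3a420000 r-xp 00000000 fd:00 1048700 /usr/lib64/ld-2.17.so'

# sample_verdict: print "restart" or "ok" for the maps text passed as $1.
sample_verdict() {
    if printf '%s\n' "$1" | maps_has_stale_libc; then echo restart; else echo ok; fi
}

echo "stale sample: $(sample_verdict "$SAMPLE_STALE")"   # restart
echo "fresh sample: $(sample_verdict "$SAMPLE_FRESH")"   # ok
```

On a real host, source the file and run `stale_libc_pids` as root; an empty result after the update means nothing is left running against the old library.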
Corey Johnson
2016-Feb-17 13:40 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 2/17/2016 8:01 AM, Johnny Hughes wrote:
> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>
> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>
> CentOS-7:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>
> CentOS-6:
> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>
> These mitigate CVE-2015-7547:
> https://access.redhat.com/security/cve/CVE-2015-7547
> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>
> Can't stress how important this update is .. here are a couple stories:
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>
> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>
> Thanks,
> Johnny Hughes

I am trying to find conclusive info on whether pre-glibc-version-2.9 needs to be of concern. I have some older CentOS-5 machines running some older software, and they currently have glibc 2.5-123 installed.

Some technical info I have read on this vulnerability states that the issue was introduced in version 2.9. But other less technical articles mention that older versions "could" be vulnerable. Would appreciate any comments from the community on this.

--
Corey A. Johnson
Johnny Hughes
2016-Feb-17 13:41 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 02/17/2016 07:08 AM, Michael H wrote:
> On 17/02/16 13:01, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple stories:
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>>
>> Thanks,
>> Johnny Hughes
>
> Hi Johnny,
>
> Thank you as always, Should I be rebooting servers to ensure that all services are using the new glibc?
>
> sorry for the rookie question, just need some clarification.

The easy answer is yes .. glibc requires so many things to be restarted that this is the best bet. Or certainly the easiest.

Note: in CentOS 7, there is also a kernel update which is rated as Important .. so you should boot to that anyway:
https://lists.centos.org/pipermail/centos-announce/2016-February/021705.html

Here is a good link to figure out what to restart if you don't want to reboot:
https://rwmj.wordpress.com/2014/07/10/which-services-need-restarting-after-an-upgrade/

and there is this thread:
http://markmail.org/message/dodinyrhwgey35mh

But generally, after a glibc update or a kernel update .. rebooting is easiest and it ensures everything is protected.
Johnny Hughes
2016-Feb-17 13:50 UTC
[CentOS] New glibc for CentOS-6 and CentOS-7 and CVE-2015-7547
On 02/17/2016 07:40 AM, Corey Johnson wrote:
>
> On 2/17/2016 8:01 AM, Johnny Hughes wrote:
>> I normally just let the daily announce post to this list show what is available for updates, but there is a CVE (CVE-2015-7547) that needs a bit more attention which will be on today's announce list of updates.
>>
>> We released a new glibc yesterday for CentOS-6 and CentOS-7 .. it is VERY important that all users update to these versions: This update is rated as Critical by Red Hat, meaning that it is remotely exploitable under some circumstances. Make sure this update works in your environments and update as soon as you can.
>>
>> CentOS-7:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html
>> https://rhn.redhat.com/errata/RHSA-2016-0176.html
>>
>> CentOS-6:
>> https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
>> https://rhn.redhat.com/errata/RHSA-2016-0175.html
>>
>> These mitigate CVE-2015-7547:
>> https://access.redhat.com/security/cve/CVE-2015-7547
>> https://bugzilla.redhat.com/show_bug.cgi?id=1293532
>>
>> Can't stress how important this update is .. here are a couple stories:
>> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>> http://www.theregister.co.uk/2016/02/16/glibc_linux_dns_vulernability/
>>
>> Please note that the ONLY way this is tested to work is with ALL updates from CentOS-6 or CentOS-7 applied along with the glibc updates. So a yum update with base and updates repo enabled is the ONLY tested scenario. Did I say *ONLY* enough?
>
> I am trying to find conclusive info on whether pre glibc version 2.9 needs to be of concern. I have some older CentOS-5 machines running some older software, and they currently have glibc 2.5-123 installed.
>
> Some technical info i have read on this vulnerability states that the issue was introduced in version 2.9. But other less technical articles mention that older version "could" be vulnerable. Would appreciate any comments from the community on this.

Red Hat says no:
https://access.redhat.com/security/cve/CVE-2015-7547

Is it possible they are wrong .. I guess, anything is possible.

You can test with this:
https://github.com/fjserna/CVE-2015-7547