CVE-2015-0235

General support questions
Post Reply
johnstetter
Posts: 1
Joined: 2015/01/27 19:55:16

CVE-2015-0235

Post by johnstetter » 2015/01/27 19:59:12

Any word on when a glibc patch for CVE-2015-0235 will get pushed out to the repos?

User avatar
TrevorH
Forum Moderator
Posts: 26515
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2015-0235

Post by TrevorH » 2015/01/27 20:26:26

Not yet. It takes a while:
step 1) wait for Redhat to release the SRPM packages
step 2) rebuild them which takes about an hour for a big package like glibc
step 3) repeat for 32 and 64 bit packages
step 4) find someone who's not en-route to FOSDEM and get them to sign the packages
step 5) push to mirrors and wait for them to propagate
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: CVE-2015-0235

Post by avij » 2015/01/28 01:17:04

All the glibc updates for CentOS 5, 6 and 7 have now been released and are currently being distributed to mirrors.

leotan
Posts: 1
Joined: 2015/01/28 10:56:42

Re: CVE-2015-0235

Post by leotan » 2015/01/28 11:01:44

Can anyone tell us how to step by step do the update without messing everything about ?
Will there be a test to confirm centos is not vulnerable anymore ?

gaia
Posts: 18
Joined: 2012/09/07 21:08:36

Re: CVE-2015-0235

Post by gaia » 2015/01/28 12:06:44

still not available for my centos 6.6, even after clean all.

How long does distributing to mirrors usually take?

Also, shouldn't

Code: Select all

yum --disableplugin=fastestmirror update
bypass mirrors?
Last edited by gaia on 2015/01/28 13:50:23, edited 2 times in total.

gaia
Posts: 18
Joined: 2012/09/07 21:08:36

Re: CVE-2015-0235

Post by gaia » 2015/01/28 13:41:24

leotan wrote:Can anyone tell us how to step by step do the update without messing everything about ?
Will there be a test to confirm centos is not vulnerable anymore ?
instructions for testing the vulnerability are here:
http://www.cyberciti.biz/faq/cve-2015-0 ... hel-linux/

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: CVE-2015-0235

Post by avij » 2015/01/28 14:55:31

leotan wrote:Can anyone tell us how to step by step do the update without messing everything about ?
yum update and then reboot your system with shutdown -r now or equivalent.
gaia wrote:How long does distributing to mirrors usually take?
Anything from 15 minutes to a day or more, depending on how frequently your local mirror syncs. Generally speaking, around 75% of mirrors tend to be synced within four hours from update release time (with exceptions for major point updates, such as 6.5 -> 6.6). As of this writing, approximately 90% of the external mirrors have the new glibc update. Please note that the CentOS Project does not have any influence on how the external mirrors operate.
gaia wrote:Also, shouldn't

Code: Select all

yum --disableplugin=fastestmirror update
bypass mirrors?
No, it does not. At this stage, if yum update does not suggest an updated glibc, try yum clean all once more. Another option for why yum update might not suggest an updated glibc is that you might have the update already. Some people use the yum-cron package to download and install updates automatically.

gaia
Posts: 18
Joined: 2012/09/07 21:08:36

Re: CVE-2015-0235

Post by gaia » 2015/01/28 15:05:56

avij wrote:No, it does not. At this stage, if yum update does not suggest an updated glibc, try yum clean all once more. Another option for why yum update might not suggest an updated glibc is that you might have the update already. Some people use the yum-cron package to download and install updates automatically.
There is no update and the installed version is glibc-2.12-1.149.el6_6.4.x86_64.

PS: Since this is about CentOS 6 maybe we should keep it going here.

Thank you

Post Reply

Return to “CentOS 7 - General Support”