CVE-2015-7547 - Major GNU libc security issue

CVE-2015-7547 - Major GNU libc security issue

Postby regisb » Feb 18th, '16, 17:31

French version of the message below.

A critical security issue was discovered in GNU libc: CVE-2015-7547. This security issue is critical because it potentially permits taking control of a vulnerable computer when it is simply doing a DNS request.

Most Linux distributions promptly published a package update to correct the issue. This is not the case for Mageia today. What is the reason? When can we expect an update?



A critical vulnerability in the GNU libc has been published: CVE-2015-7547. This vulnerability is extremely critical because it potentially allows taking control of a vulnerable machine when that machine performs a simple DNS request.

Most distributions made a fix available very quickly. This is not the case for Mageia at present, despite the importance of the problem. What is the reason? Can we hope to get this fix quickly?
Last edited by doktor5000 on Feb 18th, '16, 22:55, edited 1 time in total.
Reason: adjusted thread title
regisb
 
Posts: 1
Joined: Feb 18th, '16, 17:27

Re: Major GNU libc security issue

Postby doktor5000 » Feb 18th, '16, 22:30

Please only post in English as this is an English forum, thanks.
Also crossposting is pretty much disregarded. You already discussed the same question earlier today via mail to a huge number of Mageia mailing lists.
What do you expect from asking this here in parallel?

regisb wrote:This security issue is critical because it potentially permits taking control of a vulnerable computer when it is simply doing a DNS request.

That's quite a bit oversimplified, to say the least. Basically, one would have to be able to force a client to process malicious DNS replies (presumably from malicious DNS servers).
You might want to read on some of the details and requirements, e.g. at http://arstechnica.com/security/2016/02 ... ulnerable/

regisb wrote:Most Linux distributions promptly published a package update to correct the issue. This is not the case for Mageia today. What is the reason? When can we expect an update?

Because Mageia is made of contributors who work on it in their free time, and for some packages the necessary maintainers might not be available 24x7;
you may imagine many also have some kind of day job, family and other appointments besides Mageia. Also, glibc is a pretty critical package and cannot feasibly be updated by just any packager.

And furthermore, all our security and bugfix updates have to undergo extensive testing by our QA team, and in the past, when other distributions quickly rushed some fixes for some overhyped vulnerabilities,
our QA team found weaknesses or regressions in the fixed packages which other distributions had blindly shipped in a hurry. It depends on what you want: if you only want really fast, blindly rushed updates for such critical issues with no thorough testing, maybe you should consider another distribution.

Back on topic, for cauldron a fix has already been pushed, progress for Mageia 5 via https://bugs.mageia.org/show_bug.cgi?id=17394
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17630
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
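To make the precondition stated above concrete (the client has to be fed a malicious reply), here is an added example that is not part of this thread and not Mageia's code. It relies on one detail from the public advisories for CVE-2015-7547 rather than from this page: the overflow in glibc's getaddrinfo() is triggered by a DNS reply larger than the 2048-byte stack buffer it uses. The example builds two constructed replies, one ordinary and one oversized, and shows the check a local forwarding resolver or filter could apply before handing a reply to a still-unpatched client. All names (build_reply, check_reply, the hostname and addresses) are the example's own.

```python
import struct

# Size above which glibc's getaddrinfo() overflowed (public advisory detail,
# not stated in the forum thread). A filter in front of an unpatched resolver
# can refuse anything larger than this.
DNS_REPLY_LIMIT = 2048


def encode_name(name):
    """Wire-format a hostname: length-prefixed labels, terminated by 0."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return out + b"\x00"


def build_reply(txid, name, addrs, ttl=60):
    """Construct a DNS response for `name` with one A record per address.

    Answers use a compression pointer (0xC00C) back to the question name,
    so every answer is exactly 16 bytes on the wire.
    """
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN
    answers = b""
    for ip in addrs:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers


def parse_header(buf):
    """Decode the 12-byte DNS header; raises ValueError if it is too short."""
    if len(buf) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x0F,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def check_reply(buf, expected_txid, limit=DNS_REPLY_LIMIT):
    """Decide whether a reply may be passed on to the client.

    Returns (ok, reason). The size check comes first on purpose: it must run
    before any deeper parsing, because the oversized reply is the hazard.
    """
    if len(buf) > limit:
        return False, "oversized reply (%d bytes > %d)" % (len(buf), limit)
    try:
        hdr = parse_header(buf)
    except ValueError as exc:
        return False, str(exc)
    if not hdr["is_response"]:
        return False, "not a response (QR bit clear)"
    if hdr["txid"] != expected_txid:
        return False, "transaction id mismatch"
    return True, "ok (%d answers, %d bytes)" % (hdr["ancount"], len(buf))


# Constructed sample traffic: a normal reply and an attacker-sized one.
NORMAL_REPLY = build_reply(0x1234, "example.com", ["192.0.2.1", "192.0.2.2"])
OVERSIZED_REPLY = build_reply(
    0x1234, "example.com", ["192.0.2.%d" % i for i in range(1, 201)]
)

if __name__ == "__main__":
    for label, reply in (("normal", NORMAL_REPLY), ("oversized", OVERSIZED_REPLY)):
        ok, reason = check_reply(reply, 0x1234)
        print("%-9s %5d bytes -> %s: %s" % (label, len(reply), "pass" if ok else "DROP", reason))
```

The check is a stop-gap for the window between disclosure and the distribution's tested package landing on the mirrors; it does nothing for clients that talk to an attacker's resolver directly, which is the situation the post describes, and it is no substitute for the glibc update.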

Re: CVE-2015-7547 - Major GNU libc security issue

Postby marja » Feb 19th, '16, 11:32

For Mageia 5 the updated glibc has been packaged, tested by several members of the QA team and pushed to the mirrors. It should land on your mirror soon, if it's not already there.
marja
 
Posts: 541
Joined: Aug 22nd, '11, 20:50
