Mageia forum

French version of the message below.

A critical security issue was discovered in GNU libc: CVE-2015-7547. This security issue is critical because it potentially permit taking control of a vulnerable computer when it is simply doing a DNS request.

Most Linux distribution promptly published a package update to correct the issue. This is not the case for Mageia today. What is the reason ? When can we expect an update ?



Une faille critique dans la GNU libc a été publiée: CVE-2015-7547. Cette
faille est extremement critique car elle permet potentiellement de prendre
le controle d'une machine vulnérable lorsque celle ci effectue une simple
requette DNS.

La plupars des distributions ont mis à disposition un correctif très
rapidement. Ca n'est pas le cas de Mageia à l'heure actuelle, malgrés
l'importance du problème. Quelle en est la raison ? Peut on esperer
obtenir ce correctif rapidement ?

Please only post in english as this is an english forum, thanks.
Also crossposting is pretty much disregarded. You already discussed the same question previously today via mail to a huge number of Mageia mail distribution lists.
What do you expect asking this here in parallel?

regisb wrote:This security issue is critical because it potentially permit taking control of a vulnerable computer when it is simply doing a DNS request.

That's quite a bit oversimplified, to say the least. Basically, one would have to be able to force a client to process malicious DNS replies (presumably from malicious DNS servers)
You might want to read on some of the details and requirements, e.g. at http://arstechnica.com/security/2016/02 ... ulnerable/

regisb wrote:Most Linux distribution promptly published a package update to correct the issue. This is not the case for Mageia today. What is the reason ? When can we expect an update ?

Because Mageia is made of contributors who work on it in their free time, and for some packages the necessary maintainers might not be available 24x7,
you may imagine many also have some kind of dayjob, family and other appointments beside Mageia. Also glibc is a pretty critical package and cannot be feasibly updated by just any packager.

And furthermore, all our security and bugfix updates have to undergo extensive testing by our QA team, and in the past when other distributions quickly rushed some fixes for some overhyped vulnerabilities,
our QA team found weaknesses or regressions with the fixed packages, which other distributions blindly shipped quickly. Depends what you want, if you only want really fast and blindly rushed updates for such critical issues with no thorough testing, maybe you should consider another distribution.

Back on topic, for cauldron a fix has already been pushed, progress for Mageia 5 via https://bugs.mageia.org/show_bug.cgi?id=17394

For mageia 5 updated glibc has been packaged, tested by several members of qa team and pushed to the mirrors. It should land or your mirror, soon, if it's not already there.