Re: glibc bug - time to patch
On Wednesday 28 January 2015 13:25:20 i...@thargoid.co.uk wrote:
> On 2015-01-28 12:27, Peter Viskup wrote:
> > Before considering downtimes and patching activities on production servers read these:
> > https://www.debian.org/security/2015/dsa-3142
> > http://seclists.org/oss-sec/2015/q1/283
> > especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.
>
> Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
> http://seclists.org/oss-sec/2015/q1/274

So Wheezy users who use Exim are at risk? But it surely then follows that Wheezy users who do not use Exim, or even have it installed, are not at risk?

Lisi

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/201501281427.18269.lisi.re...@gmail.com
Re: glibc bug - time to patch
On 2015-01-28 12:27, Peter Viskup wrote:
> Before considering downtimes and patching activities on production servers read these:
> https://www.debian.org/security/2015/dsa-3142
> http://seclists.org/oss-sec/2015/q1/283
> especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.

Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
http://seclists.org/oss-sec/2015/q1/274

Cheers
Iain
Re: glibc bug - time to patch
On Wednesday 28 January 2015 14:27:18 Lisi Reisz wrote:
> On Wednesday 28 January 2015 13:25:20 i...@thargoid.co.uk wrote:
> > On 2015-01-28 12:27, Peter Viskup wrote:
> > > Before considering downtimes and patching activities on production servers read these:
> > > http://seclists.org/oss-sec/2015/q1/283
> > > especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.
> >
> > Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
> > http://seclists.org/oss-sec/2015/q1/274
>
> So Wheezy users who use Exim are at risk? But it surely then follows that Wheezy users who do not use Exim, or even have it installed, are not at risk?

https://www.debian.org/security/2015/dsa-3142

But I see anyway that it has been patched for Wheezy. So all is OK.

Lisi
Re: glibc bug - time to patch
Lisi Reisz:
> On Wednesday 28 January 2015 13:25:20 i...@thargoid.co.uk wrote:
> > > https://www.debian.org/security/2015/dsa-3142
> > > http://seclists.org/oss-sec/2015/q1/283
> > > especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.
> >
> > Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
> > http://seclists.org/oss-sec/2015/q1/274
>
> So Wheezy users who use Exim are at risk?

Yes.

> But it surely then follows that Wheezy users who do not use Exim, or even have it installed, are not at risk?

No. The bug is in the most basic C library. I would assume that all systems with a vulnerable libc are at risk and update as soon as possible.

J.

--
If all my friends had Playstations I would buy a Nintendo to prove my individuality.
[Agree] [Disagree]
http://www.slowlydownward.com/NODATA/data_enter2.html
glibc bug - time to patch
Hey all,

For those that do not know about this yet, seems that glibc has a nasty bug in it that should probably be patched. Wheezy and Squeeze vulnerable, but all you bleeding edge folk should be ok as Jessie and Sid seem fine.

https://security-tracker.debian.org/tracker/CVE-2015-0235

Cheers
Iain
Re: glibc bug - time to patch
Before considering downtimes and patching activities on production servers read these:
https://www.debian.org/security/2015/dsa-3142
http://seclists.org/oss-sec/2015/q1/283
especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.

On Wed, Jan 28, 2015 at 1:20 PM, i...@thargoid.co.uk wrote:
> Hey all,
>
> For those that do not know about this yet, seems that glibc has a nasty bug in it that should probably be patched. Wheezy and Squeeze vulnerable, but all you bleeding edge folk should be ok as Jessie and Sid seem fine.
>
> https://security-tracker.debian.org/tracker/CVE-2015-0235
>
> Cheers
> Iain
Re: glibc bug - time to patch
On Wednesday 28 January 2015 14:31:23 Jochen Spieker wrote:
> Lisi Reisz:
> > On Wednesday 28 January 2015 13:25:20 i...@thargoid.co.uk wrote:
> > > > https://www.debian.org/security/2015/dsa-3142
> > > > http://seclists.org/oss-sec/2015/q1/283
> > > > especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.
> > >
> > > Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
> > > http://seclists.org/oss-sec/2015/q1/274
> >
> > So Wheezy users who use Exim are at risk?
>
> Yes.
>
> > But it surely then follows that Wheezy users who do not use Exim, or even have it installed, are not at risk?
>
> No. The bug is in the most basic C library. I would assume that all systems with a vulnerable libc are at risk and update as soon as possible.

Thanks, yes. At first reading I thought it said that there was no update available for Squeeze and Wheezy, only for Jessie and Sid. I posted again when I realised my mistake.

Lisi
Re: glibc bug - time to patch
On Wednesday 28 January 2015 09:29:42 Lisi Reisz did opine
And Gene did reply:
> On Wednesday 28 January 2015 14:27:18 Lisi Reisz wrote:
> > On Wednesday 28 January 2015 13:25:20 i...@thargoid.co.uk wrote:
> > > On 2015-01-28 12:27, Peter Viskup wrote:
> > > > Before considering downtimes and patching activities on production servers read these:
> > > > http://seclists.org/oss-sec/2015/q1/283
> > > > especially the second link mentions network-facing software which is not vulnerable due to proper sanitization out of glibc.
> > >
> > > Indeed, however you will notice that the list on the second link does not contain exim, the default SMTP server software for Debian. This was used for proof-of-concept code.
> > > http://seclists.org/oss-sec/2015/q1/274
> >
> > So Wheezy users who use Exim are at risk? But it surely then follows that Wheezy users who do not use Exim, or even have it installed, are not at risk?
>
> https://www.debian.org/security/2015/dsa-3142
>
> But I see anyway that it has been patched for Wheezy. So all is OK.
>
> Lisi

Also Lucid, I installed it all about 2 hours ago. But haven't rebooted, probably should.

And I pointed out the speed with which it was patched to a dyed-in-the-wool winderz-using friend of mine. Never miss a chance I say. ;-)

Cheers, Gene Heskett

--
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Genes Web page http://geneslinuxbox.net:6309/gene
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
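
The last message mentions installing the update without rebooting. The script below is an added example, not written by anyone in this thread: it lists processes that still have the pre-upgrade libc mapped by looking for libc entries marked "(deleted)" in /proc/<pid>/maps. The function names and the optional proc-root argument are this example's own.

```shell
#!/bin/sh
# Added example: find processes still running on the pre-upgrade libc.
# When the package upgrade replaces the library file, a process that loaded
# the old copy keeps it mapped, and /proc/<pid>/maps shows that path with a
# trailing " (deleted)". Those processes run the old code until restarted.

# Return 0 if the maps text on stdin contains a deleted libc mapping.
# Matches names such as libc-2.13.so and libc.so.6, but not libcap or libcrypt.
has_stale_libc() {
    grep -Eq '/libc[-.][^/ ]* \(deleted\)$'
}

# Print "pid name" for every process under the given proc root
# (default /proc) whose maps still reference a deleted libc.
# The proc-root argument is an assumption of this example, for offline testing.
list_stale_libc_procs() {
    _root="${1:-/proc}"
    for _dir in "$_root"/[0-9]*; do
        # Skip processes we cannot read (or an unmatched glob).
        [ -r "$_dir/maps" ] || continue
        if has_stale_libc < "$_dir/maps" 2>/dev/null; then
            _name="$(cat "$_dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "${_dir##*/}" "$_name"
        fi
    done
}

# Scan the live system (run as root to see every process).
list_stale_libc_procs "${1:-/proc}"
```

Restart each listed service, or reboot, and rerun until nothing is printed.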