glibc: CVE-2015-7547

[tianon]

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

---

• alpine: no glibc package available
• busybox: Rebuild busybox to account for CVE-2015-7547 #1451
• centos (RHEL derivative): update as of 20160217 - fixes glibc cve #1455
  • https://access.redhat.com/security/cve/CVE-2015-7547
• crux:
  • https://crux.nu/gitweb/?p=ports/core.git;a=history;f=glibc;hb=HEAD
• debian: Update debian (especially for CVE-2015-7547) #1450
  • https://security-tracker.debian.org/tracker/CVE-2015-7547
• fedora: update fedora 23 and rawhide for glibc: CVE-2015-7547 #1456, update fedora 22 and 23 for glibc: CVE-2015-7547 #1461
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547
• mageia: Update Mageia 5 (especially for CVE-2015-7547) #1468
  • https://advisories.mageia.org/MGASA-2016-0079.html (https://lwn.net/Articles/676456/)
  • https://bugs.mageia.org/show_bug.cgi?id=17394
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2015-7547
• opensuse: Update openSUSE 42.1 and tumbleweed #1460, update openSUSE 13.2 image #1465
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-7547
• oraclelinux: Updated Oracle Linux 7.2 and 6.7 images to resolve CVE-2015-7547. #1453
  • http://linux.oracle.com/cve/CVE-2015-7547.html
• photon:
  • vmware/photon@fdf30fa
  • https://github.com/vmware/photon/tree/master/SPECS/glibc
• sourcemage:
  • http://scmweb.sourcemage.org/?p=smgl/grimoire.git;a=history;f=libs/glibc
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2015-7547
• ubuntu: Update ubuntu (especially for CVE-2015-7547) #1454
  • http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html
    • http://people.canonical.com/~ubuntu-security/cve/priority.html (for reference)
  • http://www.ubuntu.com/usn/usn-2900-1/

[tianon]

RHEL 6 and RHEL 7 have fixes (cc @jperrin)

Fedora has an update submitted (cc @maxamillion)

openSUSE update is in-progress (cc @flavio)

[tianon]

Debian tarballs are in-progress (almost complete -- just waiting on the sid/unstable packages to propagate)

Ubuntu doesn't have updated packages yet

[jperrin]

our packages are syncing to the mirrors now. I'll have an updated build shortly.

[Djelibeybi]

OL6 and OL7 have fixes and a new build has been requested from our build team.

[ThiefMaster]

will all the official docker-library images be rebuilt automatically?

[tianon]

@ThiefMaster yes, they're in-progress right now

@jperrin @Djelibeybi thanks for the updates! 👍

[diogomonica]

@tianon this has the patched packages http://www.ubuntu.com/usn/usn-2900-1/

[tianon]

@diogomonica nice -- wonder why they didn't update http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html yet

I'll give our Canonical contacts a poke and see what the ETA for updated tarballs is.

(At their request, we consume their tarballs from https://partner-images.canonical.com/core/, built by Canonical on their official infra, so as soon as those are updated I can update the image.)

[diogomonica]

@tianon yeah, I didn't understand that either. I was checking the CVE page too.

[tianon]

Heard back and Ubuntu rebuilds are in progress downstream! 👍

[diogomonica]

Great!