Hi,

This is just a reminder that GNU/kFreeBSD, since it is based on the GNU libc, is affected by the recently announced CVE-2015-7547 vulnerability.

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

It is particularly serious for us since, whereas Linux supports ASLR as a mitigation for software compiled with -fPIE, the FreeBSD kernel versions in Debian don't have that feature at all yet.

https://wiki.debian.org/Debian_GNU/kFreeBSD/Security#ASLR

It is most serious if /etc/resolv.conf nameserver entries point to external resolvers -- either untrusted, or reached over an untrusted network. For example, a laptop on public Wi-Fi, getting nameserver entries via DHCP, is at very high risk.

Servers that run their own DNS resolver on localhost, or connect to a resolver on your local network, may be somewhat safer. But you should still patch this.

Note that services may still use the old, unpatched libc until they have been restarted. It may be an idea to reboot the machine, though it is not essential.

This affects all releases:

* jessie-kfreebsd (the upcoming stable release)

  Although not officially released yet, this suite does receive security updates already. Make sure you have this entry in your /etc/apt/sources.list:

    deb http://security.debian.org/ jessie-kfreebsd/updates main

  and update libc0.1 to version 2.19-18+deb8u3 or later.

* wheezy (the old stable release)

  Make sure you have this entry in your /etc/apt/sources.list:

    deb http://security.debian.org/ wheezy/updates main

  and update libc0.1 to version 2.13-38+deb7u10 or later.

  wheezy will be end-of-life after 2016-04, so consider transitioning to jessie-kfreebsd already.

* squeeze

  kfreebsd was not part of the squeeze LTS, so this hasn't received updates in a long time. If you're still running this, you are recommended to upgrade to a newer release.

  But if you insist, you may try to build a patched eglibc from the squeeze-lts source package version 2.11.3-4+deb6u11:

    http://httpredir.debian.org/debian/pool/main/e/eglibc/eglibc_2.11.3-4+deb6u11.dsc

* stretch/sid

  There is no stretch/testing suite for kfreebsd currently, there is actually only sid/unstable. CVE-2015-7547 is fixed in sid with libc0.1 version 2.21-9 or later, which will be available soon.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
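As an added example (not part of the mail above, and not a Debian tool), here is a small Python checker that turns the two things the mail asks an administrator to verify into code: whether the installed libc0.1 is at or past the fixed version for the suite, and whether /etc/resolv.conf points at external resolvers, which the mail ranks as the highest-risk case. The per-suite fixed versions are taken from the mail; squeeze is marked as having no fixed binary package because the mail only offers a patched source package for it. The Debian version comparison is a re-implementation of the dpkg ordering rules (epoch, then upstream, then revision; `~` sorts before everything, letters before other characters, digit runs compared numerically); the `SAMPLE_RESOLV_CONF` text is constructed for the demonstration, and the optional `dpkg-query` call at the bottom is the only part that touches the real system.

```python
import ipaddress
import subprocess

# Fixed libc0.1 versions per suite, as stated in the mail. None = no fixed binary package.
FIXED_LIBC01 = {
    "jessie-kfreebsd": "2.19-18+deb8u3",
    "wheezy": "2.13-38+deb7u10",
    "sid": "2.21-9",
    "squeeze": None,
}

def _isdigit(c):
    return "0" <= c <= "9"

def _order(c):
    # dpkg's character weight: digits/end 0, letters their code, '~' below everything, others above letters
    if c == "":
        return 0
    if _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    # Compare alternating non-digit / digit runs the way dpkg does (assumption: faithful port).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision is everything after the last '-'
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def libc_is_fixed(suite, installed_version):
    """True if the installed libc0.1 is at or past the fixed version the mail gives for this suite."""
    fixed = FIXED_LIBC01[suite]
    if fixed is None:
        return False
    return dpkg_compare(installed_version, fixed) >= 0

# Constructed sample; on a real machine you would read /etc/resolv.conf instead.
SAMPLE_RESOLV_CONF = """# constructed example
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver 8.8.8.8   # external resolver over an untrusted path
"""

def classify_nameservers(resolv_conf_text):
    """Label each nameserver as localhost, local-network or external (mail's risk ranking)."""
    result = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = parts[1].split("%", 1)[0]  # drop an IPv6 scope id such as %eth0
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result.append((parts[1], "invalid"))
            continue
        if ip.is_loopback:
            kind = "localhost"
        elif ip.is_private or ip.is_link_local:
            kind = "local-network"
        else:
            kind = "external"
        result.append((str(ip), kind))
    return result

def resolver_risk(classified):
    """'high' if any external resolver, 'moderate' if only local-network ones, else 'lower'."""
    kinds = {kind for _, kind in classified}
    if "external" in kinds or "invalid" in kinds:
        return "high"
    if "local-network" in kinds:
        return "moderate"
    return "lower"

if __name__ == "__main__":
    for ns, kind in classify_nameservers(SAMPLE_RESOLV_CONF):
        print(f"nameserver {ns}: {kind}")
    print("resolver risk:", resolver_risk(classify_nameservers(SAMPLE_RESOLV_CONF)))
    try:  # optional live check; dpkg-query is only present on a Debian-based host
        installed = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "libc0.1"],
                                   capture_output=True, text=True, check=True).stdout.strip()
        print("installed libc0.1:", installed, "fixed for jessie-kfreebsd:",
              libc_is_fixed("jessie-kfreebsd", installed))
    except (OSError, subprocess.CalledProcessError):
        print("dpkg-query not available; skipping live libc0.1 check")
```

Run it as-is to see the sample classification; on a kFreeBSD host it also reports the installed libc0.1 version against the jessie-kfreebsd threshold. Remember the mail's caveat that a passing version check says nothing about long-running services that still have the old library mapped until they are restarted.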