Hi,

This is just a reminder that GNU/kFreeBSD, since it is based on the GNU
libc, is affected by the recently announced CVE-2015-7547 vulnerability.

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

It is particularly serious for us since, whereas Linux supports ASLR as
a mitigation for software compiled with -fPIE, the FreeBSD kernel
versions in Debian don't have that feature at all yet.

https://wiki.debian.org/Debian_GNU/kFreeBSD/Security#ASLR

It is most serious if /etc/resolv.conf nameserver entries point to
external resolvers -- either untrusted, or reached over an untrusted
network. For example, a laptop on public Wi-Fi, getting nameserver
entries via DHCP, is at very high risk.

Servers that run their own DNS resolver on localhost, or connect to a
resolver on your local network, may be somewhat safer. But you should
still patch this.

Note that services may still use the old, unpatched libc until they have
been restarted. It may be an idea to reboot the machine, though it is
not essential.
This affects all releases:

* jessie-kfreebsd (the upcoming stable release)

  Although not officially released yet, this suite does receive security
  updates already.

  Make sure you have this entry in your /etc/apt/sources.list:

    deb http://security.debian.org/ jessie-kfreebsd/updates main

  and update libc0.1 to version 2.19-18+deb8u3 or later.

* wheezy (the old stable release)

  Make sure you have this entry in your /etc/apt/sources.list:

    deb http://security.debian.org/ wheezy/updates main

  and update libc0.1 to version 2.13-38+deb7u10 or later.

  wheezy will be end-of-life after 2016-04, so consider transitioning to
  jessie-kfreebsd already.

* squeeze

  kfreebsd was not part of the squeeze LTS, so this hasn't received
  updates in a long time. If you're still running this, you are
  recommended to upgrade to a newer release. But if you insist, you may
  try to build a patched eglibc from the squeeze-lts source package
  version 2.11.3-4+deb6u11:

    http://httpredir.debian.org/debian/pool/main/e/eglibc/eglibc_2.11.3-4+deb6u11.dsc

* stretch/sid

  There is no stretch/testing suite for kfreebsd currently; there is
  actually only sid/unstable.

  CVE-2015-7547 is fixed in sid with libc0.1 version 2.21-9 or later,
  which will be available soon.
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
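An added illustration of the two checks the mail asks for, not code from the mail or from Debian: a small Python script that compares an installed libc0.1 version against the fixed version for each suite using dpkg's version-ordering rules (so 2.13-38+deb7u10 is correctly seen as newer than 2.13-38+deb7u9, which a plain string compare gets wrong), and that lists the resolv.conf nameserver entries that are neither loopback nor on a local-network range. The fixed versions are the ones quoted in the mail; FIXED_LIBC01, LOCAL_NETS and the sample resolv.conf are my own constructions.

```python
import ipaddress
import re

# libc0.1 versions carrying the CVE-2015-7547 fix, per suite, as given in the mail
FIXED_LIBC01 = {"jessie-kfreebsd": "2.19-18+deb8u3", "wheezy": "2.13-38+deb7u10", "sid": "2.21-9"}
# loopback, RFC 1918, ULA and link-local: resolvers here are "local" in the mail's sense
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                                                "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def _cmp_fragment(a, b):
    """Compare an upstream version or Debian revision string the way dpkg does."""
    # dpkg character ordering: '~' < end of string < letters < everything else
    order = lambda c: -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):  # non-digit runs first
            ca = a[0] if a and not a[0].isdigit() else ""
            cb = b[0] if b and not b[0].isdigit() else ""
            if order(ca) != order(cb):
                return order(ca) - order(cb)
            a, b = a[len(ca):], b[len(cb):]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)  # then digit runs, as integers,
        na, nb = int(ma.group() or 0), int(mb.group() or 0)  # so that deb7u10 > deb7u9
        if na != nb:
            return na - nb
        a, b = a[ma.end():], b[mb.end():]
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like dpkg --compare-versions."""
    def split(v):  # 'epoch:upstream-revision'; dpkg defaults are epoch 0 and revision '0'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def _is_local(nameserver):
    try:
        return any(ipaddress.ip_address(nameserver) in net for net in LOCAL_NETS)
    except ValueError:
        return False  # unparseable entry: treat it as untrusted

def external_nameservers(resolv_conf_text):
    """Nameserver entries that are neither loopback nor on a local-network range."""
    return [f[1] for f in (line.split() for line in resolv_conf_text.splitlines())
            if len(f) >= 2 and f[0] == "nameserver" and not _is_local(f[1])]

# constructed sample resolv.conf, as DHCP on a public network might hand out
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.168.1.1\nnameserver 203.0.113.53\n"
```

A host is patched when compare_versions(installed, FIXED_LIBC01[suite]) >= 0, with installed taken from `dpkg-query -W -f '${Version}' libc0.1` and the resolver check fed the contents of /etc/resolv.conf.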