On Sun, Apr 17, 2011 at 7:52 AM, Leonard den Ottolander
<leon...@den.ottolander.nl> wrote:
> Hi Akemi,
> On Sat, 2011-04-16 at 18:18 -0700, Akemi Yagi wrote:
>> See also:
>> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=37
> Please don't take this the wrong way, but not everybody reads the
> forums. Perhaps it is possible to give a heads up about such breakage
> via the CentOS general or announce mailing list before such a broken
> package is released into the wild? That would actually make it an
> advantage to swim down stream :-) .

Perhaps, I could have sent a similar warning to this mailing list (but
not the announcement list which is restricted to core admins). My main
focus was Forum users for which I work as a moderator.

> I would like to advise everyone to avoid this update by adding
> exclude=glibc*2.5-58.el5_6.2 nscd*2.5-58.el5_6.2
> to their updates channel config - added it to base just to be sure -
> until upstream releases a fix.

It should be noted that those who are not affected by the bug are
advised to update glibc because it has 4 security fixes (some local,
some remote priv escalation issues). For those who cannot update,
there is a "better than nothing" solution. As detailed in the bugzilla
entry, the patch causing the crash has been identified. So, a
compromise solution is to build glibc without the bad patch. This way
you get at least the other 3 security fixes (better than none). Such a
version provided by Scientific Linux (for testing) seems to be
working well from what I have seen.

I and others discussed this issue with Karanbir on the centos-devel
IRC. We'll see if CentOS decide to offer the customized version of
glibc (presumably in the testing repo).
