On Monday 25 October 2010, Peter Kjellstrom wrote:
> On Monday 25 October 2010, Sherin George wrote:
> > Hello Guys,
> >
> > Recently, I have installed some custom packages of glibc in servers I
> > manage due to vulnerabilities. At that time, official CentOS packages
> > were not available. Now, I want to roll back to CentOS versions.
>
> Do note that this new (and probably your custom built) glibc is vulnerable
> to a new trivial local root

For completeness,

Turns out that getting root with 3856 on CentOS-5 at least isn't
copy-n-paste-trivial. The suggested exploit using libpcprofile.so fails since
that file comes from glibc-utils which (afaict) typically isn't installed.

That said, it seems very likely that there are other ways to exploit 3856 on
CentOS-5, so do not in any way interpret this as "let's skip the update".

/Peter

> (so you may want to build yet another custom 
> version instead of switching back):
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=cve-2010-3856

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos