Hi all,

short question - is the glibc version (2.21?) coming with ELDK 5.8 affected by the recently published glibc getaddrinfo() bug CVE-2015-7547 [1]? If so, will you provide a patched version of 5.8 (like 5.8.1), or do we have to re-compile glibc with a fix [2] ourselves?

IMO, this bug is a really critical one, much worse than CVE-2015-0235 aka 'GHOST' which strikes the obsolescent (though still used by some older applications) gethostbyname() function only.

I still use ELDK 5.4 on two PowerPC platforms (MPC5200; P2020) which *is* vulnerable on both according to the proof-of-concept [3]. This in turn means that *any* system built with ELDK 5.4 (and earlier and later versions?) is also vulnerable if any application running on it uses getaddrinfo() - which is /very/ likely.

As ELDK 5.8 now comes with gcc 4.9.1 which should have the issue described in [4] fixed, this would be the perfect time to move to the new ELDK, if CVE-2015-7547 is fixed.

Any insight would be highly appreciated!

Thanks in advance,
Albrecht.

[1] <https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>
[2] <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>
[3] <https://github.com/fjserna/CVE-2015-7547>
[4] <http://lists.denx.de/pipermail/eldk/2014-October/002548.html>
_______________________________________________ eldk mailing list [email protected] http://lists.denx.de/mailman/listinfo/eldk
