whatever happened with glibc bug?

J.A. Neitzel jan.listbox at belvento.org
Tue Nov 28 19:11:58 PST 2000


Thanks, Jeremy, for the info; 'tis much appreciated! :o)
linux-security at securityportal.com looks like a great resource.

On Monday 27 November 2000 14:36, "J. Jones"@darkside.dynup.net, 
jdj at darkside.dynup.net wrote:
> There were two patches that I was aware of, never officially released
> though.  Most distros made patches off the cvs version that the
> updates were applied to.  Best place to get them =
> ftp://ftp.freesoftware.com/pub/slackware/slackware-7.1/source/d/glibc/
>
> These patches fixed one locale hole, but a _local_ user can still
> exploit it, and su is still exploitable after these patches.
>
> AFAIK, glibc 2.2 corrects at _least_ these holes.  I found it quite
> disturbing that simply changing the language, and setting a few tricky
> environment variables, my box could be rooted.  These particular bugs
> in glibc 2.1.3 were responsible for a _large_ amount of exploits in
> other packages (syslogd for one).
>
> If you are looking for a good linux security mailing list, you _must_
> try securityportal.com's linux-security mailing list.  I have not found
> one faster or more thorough.
>
> mail to linux-security at listserv.securityportal.com subject subscribe
>
> Jeremy
>
====== jan.listbox at belvento.org wrote:
> Hi,
>
> Remember the glibc bug(s) announced beginning of September? I was just
> curious whether or not there were any patches to be applied... Maybe it
> was on the list? If so, I missed it.

[SNIPPED]

> Any thoughts out there..?
-- 
Ta,
Jeff




