No v6 in saffron til further notice


Jeremy Morse

Feb 16, 2016, 12:01:01 PM
to srobo...@googlegroups.com
Hi,

CVE-2015-7547 was just announced, a glibc stack overflow in getaddrinfo.
It looks like everyone who might ever look closely at a v6 socket is
vulnerable, and there are no immediate patches for fedora 22. I've
disabled v6 on saffron for now, and it'll stay off until patched
packages become available.

More info:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/

--
Thanks,
Jeremy


Rob Spanton

Feb 16, 2016, 12:15:06 PM
to srobo...@googlegroups.com
On Tue, 2016-02-16 at 17:00 +0000, Jeremy Morse wrote:
> CVE-2015-7547 was just announced, a glibc stack overflow in getaddrinfo.
> It looks like everyone who might ever look closely at a v6 socket is
> vulnerable, and there are no immediate patches for fedora 22. I've
> disabled v6 on saffron for now, and it'll stay off until patched
> packages become available.

Those packages should be available soon:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-0480defc94

Cheers,

Rob

Jeremy Morse

Feb 16, 2016, 12:23:47 PM
to srobo...@googlegroups.com
Hi,

It turns out that disabling v6 is ineffective, according to the email I
linked to. saffron is now dropping outbound TCP on port 53 and dropping
UDP port 53 packets over 512 bytes, as recommended in that email.

--
Thanks,
Jeremy

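The stopgap Jeremy describes (drop outbound TCP to port 53, drop UDP port-53 packets over 512 bytes) expressed as firewall rules, as an added example that is not from the thread. It assumes the host uses iptables/ip6tables, talks only to remote resolvers (nothing local bound to port 53), and that the size limit is applied to replies arriving from port 53.

```shell
#!/bin/sh
# Added example, not part of the thread: iptables/ip6tables rules for the
# stopgap described above, for a host whose glibc has not yet been updated
# for CVE-2015-7547. Assumptions: remote resolvers only (no local resolver
# bound to :53); the length limit is applied to replies from port 53.

# Largest UDP DNS packet still let through. "-m length" counts the whole
# IP packet (headers included), so this is slightly stricter than a
# 512-byte DNS payload.
MAX_UDP_DNS_LEN=512

# Print the rules for one tool (iptables or ip6tables) without running them.
# They are inserted at position 1 so that they win over any existing ACCEPT.
dns_mitigation_rules() {
    tool=$1
    # TCP fallback to a resolver is blocked outright.
    echo "$tool -I OUTPUT 1 -p tcp --dport 53 -j DROP"
    # Oversized UDP replies from a resolver are dropped.
    echo "$tool -I INPUT 1 -p udp --sport 53 -m length --length $((MAX_UDP_DNS_LEN + 1)):65535 -j DROP"
}

# Install the rules for every address family whose tool is present.
# Must run as root; remove the rules again once glibc is updated.
apply_dns_mitigation() {
    for tool in iptables ip6tables; do
        command -v "$tool" >/dev/null 2>&1 || continue
        dns_mitigation_rules "$tool" | sh -e
    done
}

# List installed rules that touch port 53, to confirm the stopgap is in
# place (or that it has been removed after the update).
show_dns_rules() {
    for tool in iptables ip6tables; do
        command -v "$tool" >/dev/null 2>&1 || continue
        "$tool" -S | grep -e '--dport 53' -e '--sport 53'
    done
}

case "${1:-print}" in
    apply) apply_dns_mitigation ;;
    show)  show_dns_rules ;;
    *)     dns_mitigation_rules iptables; dns_mitigation_rules ip6tables ;;
esac
```

Run with `apply` as root to install and `show` to verify; the rules also drop legitimate large answers (DNSSEC, large TXT records), so they are a temporary measure until the patched glibc is in place.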

Rob Spanton

Feb 17, 2016, 6:45:02 PM
to srobo...@googlegroups.com
On Tue, 2016-02-16 at 17:14 +0000, Rob Spanton wrote:
> Those packages should be available soon:
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-0480defc94

This is now available. srobo.org will go down for a few minutes now whilst I
perform the update.

Cheers,

Rob