[Spce-user] Vulnerability Report CVE-2015-7547

Alex Lutay alutay at sipwise.com
Thu Feb 18 06:53:10 EST 2016

Hi all,

As recently reported by Google on their security blog,
a major security hole in glibc was discovered.

Affected systems: All NGCP versions

Please ensure you have the appropriate Debian security repository enabled:
 - jessie based mr4.2.1+
> deb https://debian.sipwise.com/debian-security/ jessie-security main contrib non-free
 - wheezy based 3.0, 3.1, mr3.2.* - mr4.1.* (including mr3.8.* LTS)
> deb http://debian.sipwise.com/debian-security/ wheezy-security main contrib non-free
 - squeeze based 2.8 LTS
> deb http://debian.sipwise.com/debian/ squeeze-lts main

(you can use other, non-Sipwise mirrors if you trust them,
but please verify that they carry the latest/fixed package versions).

Ensure all packages built from the glibc/eglibc sources are upgraded to
the fixed version. See the list of fixed versions here:

All Sipwise software is dynamically linked against glibc,
so all services must be restarted.

At the same time, Sipwise has no information about statically linked
software that may be installed on your servers, so it is highly
recommended to update all packages to the latest available version:

>   apt-get update && apt-get upgrade && \
>   ngcp-update-db-schema && ngcp-update-cfg-schema && \
>   ngcpcfg apply "applying changes for CVE-2015-7547"

NOTE: if you have customtt files, please do not forget to update them
before applying the new changes!

Additional Information:
> https://security-tracker.debian.org/tracker/CVE-2015-7547
> https://googleonlinesecurity.blogspot.co.at/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
> https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

Alex Lutay
Head of Quality Assurance
Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge

Office: +43(0)13012036
Email: alutay at sipwise.com
Website: https://www.sipwise.com

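The message says every service must be restarted after the upgrade because it is dynamically linked against glibc. The script below is an added example, not part of the original post or of Sipwise tooling: it lists processes that still map the replaced library files, which the kernel marks "(deleted)" in /proc/<pid>/maps. The proc-root argument and the sample tree (PIDs, names, addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). After the package upgrade the
# old library files are unlinked; any process still mapping them shows the
# path with a "(deleted)" suffix in /proc/<pid>/maps and needs a restart.

# True if the maps file references a replaced glibc library
# (libc, libresolv or libnss_dns, all built from the glibc source).
maps_has_stale_glibc() {
    grep -Eq '/lib(c|resolv|nss_dns)-[0-9.]+\.so \(deleted\)$' "$1" 2>/dev/null
}

# Print "<pid> <command>" for every process under the given proc root
# (default /proc; the argument is an assumption added for testing).
stale_glibc_pids() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        maps_has_stale_glibc "$dir/maps" || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        printf '%s %s\n' "${dir##*/}" "$name"
    done
)

# Constructed sample: a fake proc tree with one stale and one current process.
# Paths, PIDs and process names are made up for illustration.
make_sample_proc() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/101" "$tmp/202"
    echo kamailio > "$tmp/101/comm"
    echo sshd > "$tmp/202/comm"
    cat > "$tmp/101/maps" <<'EOF'
7f3a1c000000-7f3a1c1a1000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a1c5a0000-7f3a1c5b4000 r-xp 00000000 08:01 140 /lib/x86_64-linux-gnu/libresolv-2.19.so (deleted)
EOF
    cat > "$tmp/202/maps" <<'EOF'
7f9b44000000-7f9b441a1000 r-xp 00000000 08:01 977 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    echo "$tmp"
)
```

On a live host, call `stale_glibc_pids` as root with no argument after the upgrade; every PID it prints belongs to a service that still needs a restart. Statically linked binaries are not detected by this check.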