Old 10-25-2010, 03:27 AM
Sherin George
 
Default install older version of glibc package

Hello Guys,

Recently, I have installed some custom packaged of glibc in servers I
manage due to vulnerabilities. At that time, official centos packages
were not available. Now, I want to roll back to centos versions.


=====================================
-bash-3.2# yum info glibc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: yum.singlehop.com
* base: yum.singlehop.com
* extras: mirrors.netdna.com
* rpmforge: apt.sw.be
* updates: yum.singlehop.com
Installed Packages
Name : glibc
Arch : i386
Version : 2.5
Release : 49.1
Size : 22 M
Repo : installed
Summary : The GNU libc libraries.
License : LGPL
Description: The glibc package contains standard libraries which are used by
: multiple programs on the system. In order to save disk space and
: memory, as well as to make upgrading easier, common system code is
: kept in one place and shared between programs. This particular package
: contains the most important sets of shared libraries: the standard C
: library and the standard math library. Without these two libraries, a
: Linux system will not function.

Name : glibc
Arch : x86_64
Version : 2.5
Release : 49.1
Size : 26 M
Repo : installed
Summary : The GNU libc libraries.
License : LGPL
Description: The glibc package contains standard libraries which are used by
: multiple programs on the system. In order to save disk space and
: memory, as well as to make upgrading easier, common system code is
: kept in one place and shared between programs. This particular package
: contains the most important sets of shared libraries: the standard C
: library and the standard math library. Without these two libraries, a
: Linux system will not function.

Available Packages
Name : glibc
Arch : i686
Version : 2.5
Release : 49.el5_5.6
Size : 5.3 M
Repo : updates
Summary : The GNU libc libraries.
License : LGPL
Description: The glibc package contains standard libraries which are used by
: multiple programs on the system. In order to save disk space and
: memory, as well as to make upgrading easier, common system code is
: kept in one place and shared between programs. This particular package
: contains the most important sets of shared libraries: the standard C
: library and the standard math library. Without these two libraries, a
: Linux system will not function.
=====================================


I tried a lot of options. "yum downgrade" is attempting to remove a lot
of packages, which I can't afford. Yum install is hitting dependency
errors.

Is there a way out? Thanks in advance for any help/advice anyone could offer.

--
Regards,
Sherin
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-25-2010, 07:52 AM
Sherin George
 
Default install older version of glibc package

Well... I found a solution myself.

Here is the solution I found, if anyone else is also in my situation.

Download the centos rpms and install them as given below.

===========================================
rpm -Uvh glibc-2.5-49.el5_5.6.i386.rpm glibc-2.5-49.el5_5.6.x86_64.rpm \
    glibc-common-2.5-49.el5_5.6.x86_64.rpm --replacefiles --oldpackage
===========================================

--
Thanks,
Sherin
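
A post-rollback consistency check for the forced `rpm -Uvh ... --replacefiles --oldpackage` shown above, as an added example that is not part of the original post: both flags tell rpm to proceed where it would normally refuse, so the check confirms that every installed glibc package ended up at the same CentOS release. The `audit_glibc` function, its finding labels and the sample rows are constructed for illustration, and the `.el5` dist-tag test is a heuristic.

```shell
#!/bin/sh
# Added example, not from the thread. On a real host, feed it the output of:
#   rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n' 'glibc*'
TARGET="2.5-49.el5_5.6"   # version-release named in the rpm command above

# audit_glibc TARGET: reads "name arch version-release" lines on stdin,
# prints one finding per line, returns 0 if clean and 1 otherwise.
audit_glibc() {
    awk -v target="$1" '
        NF != 3 { next }                      # skip malformed lines
        {
            key = $1 "." $2
            if (key in first) {               # same name.arch listed twice
                printf "DUPLICATE %s (%s and %s)\n", key, first[key], $3
                bad = 1
            } else
                first[key] = $3
            have[$1] = 1
            if ($3 != target) {
                printf "MISMATCH %s is %s, expected %s\n", key, $3, target
                bad = 1
            }
            if ($3 !~ /\.el5/) {              # heuristic: no el5 dist tag
                printf "NO_DIST_TAG %s release %s\n", key, $3
                bad = 1
            }
        }
        END {
            if (!("glibc" in have))        { print "MISSING glibc"; bad = 1 }
            if (!("glibc-common" in have)) { print "MISSING glibc-common"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: glibc rolled back, glibc-common left on the custom build
# (2.5-49.1 is the custom release shown in the "yum info" output).
sample_partial() {
    printf "%s\n" "glibc i386 $TARGET" "glibc x86_64 $TARGET" \
        "glibc-common x86_64 2.5-49.1"
}

# Constructed sample: all three packages at the CentOS release.
sample_clean() {
    printf "%s\n" "glibc i386 $TARGET" "glibc x86_64 $TARGET" \
        "glibc-common x86_64 $TARGET"
}

sample_partial | audit_glibc "$TARGET" || echo "rollback incomplete"
```

Running `rpm -V glibc glibc-common` afterwards additionally compares the files on disk against the package database.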
 
Old 10-25-2010, 08:57 AM
Peter Kjellstrom
 
Default install older version of glibc package

On Monday 25 October 2010, Sherin George wrote:
> Hello Guys,
>
> Recently, I have installed some custom packaged of glibc in servers I
> manage due to vulnerabilities. At that time, official centos packages
> were not available. Now, I want to roll back to centos versions.

Do note that this new (and probably your custom built) glibc is vulnerable to
a new trivial local root (so you may want to build yet another custom version
instead of switching back):

https://bugzilla.redhat.com/show_bug.cgi?id=cve-2010-3856

/Peter
 
Old 10-25-2010, 09:48 AM
Sherin George
 
Default install older version of glibc package

Thank you so much Peter.

I thought it is fixed in latest centos rpm.

I got "custom packaged of glibc" from a third party (which I know as
reliable) site.

Do you have any information about availability of a patched replacement at
this time?

--
Regards,
Sherin
 
Old 10-25-2010, 09:56 AM
Peter Kjellstrom
 
Default install older version of glibc package

On Monday 25 October 2010, Sherin George wrote:
> Thank you so much Peter.
>
> I thought it is fixed in latest centos rpm.

CVE-2010-3847 is fixed in 2.5-49.el5_5.6
CVE-2010-3856 has no released fix (afaik):
http://seclists.org/fulldisclosure/2010/Oct/344

> I got "custom packaged of glibc" from a third party (which I know as
> reliable) site.
>
> Do you have any information about availability of a patched replacement at
> this time?

Nope

/Peter
 
Old 10-26-2010, 04:12 AM
Sherin George
 
Default install older version of glibc package

RHEL has released patched RPMS.

http://rhn.redhat.com/errata/RHSA-2010-0793.html

Patiently waiting for centos RPMs
 
Old 10-26-2010, 09:34 AM
Peter Kjellstrom
 
Default install older version of glibc package

On Monday 25 October 2010, Peter Kjellstrom wrote:
> On Monday 25 October 2010, Sherin George wrote:
> > Hello Guys,
> >
> > Recently, I have installed some custom packaged of glibc in servers I
> > manage due to vulnerabilities. At that time, official centos packages
> > were not available. Now, I want to roll back to centos versions.
>
> Do note that this new (and probably your custom built) glibc is vulnerable
> to a new trivial local root

For completeness,

Turns out that getting root with 3856 on CentOS-5 at least isn't
copy-n-paste-trivial. The suggested exploit using libpcprofile.so fails since
that file comes from glibc-utils which (afaict) typically isn't installed.

That said, it seems very likely that there are other ways to exploit 3856 on
CentOS-5 so do not in any way interpret this as "let's skip the update".

/Peter

> (so you may want to build yet another custom
> version instead of switching back):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=cve-2010-3856
 
