• @Laser@feddit.de
    link
    fedilink
    181 year ago

    An interesting fact about the affected versions: It was introduced in 2.34, so there was a comment on hackernews that Red Hat 8 isn’t affected because it ships with an earlier version. However, from Red Hat’s customer Portal:

    Statement

    This vulnerability was introduced in glibc 2.34 in commit 2ed18c. The commit that introduced the vulnerability was backported to RHEL-8.6 and is affected.

    So just checking version numbers for vulnerabilities isn’t really enough. I had a similar discussion at work lately where a CVE fix was listed in a stable kernel’s changelog even though going by the vulnerable versions listed in the CVE itself, that kernel wasn’t affected.