Update Log

Feb 17, 2016 9:00am CDT: First version


We are aware of the announced vulnerability CVE-2015-7547. We are investigating the issue and will update this security bulletin with more detail as necessary.

Risk Assessment

Our assessment is that the severity of this vulnerability is critical and mitigation actions should be taken immediately.

Most Linux software that performs DNS lookups via glibc, including Globus software components (GridFTP, MyProxy, GSI-OpenSSH), are likely to be vulnerable. We recommend that any affected Linux host apply the glibc update immediately to prevent this vulnerability. There are no necessary updates to Globus software components.

Actions we are taking to close the attack vector

While we believe systems hosting the Globus.org services are safe because Globus uses DNS servers that reject the invalid or malicious responses necessary for exploit, glibc updates will be applied as they become available.