Ghost Vulnerability CVE-2015-0235
Incident Report for Engine Yard
Resolved
Our final patch for the Ghost Vulnerability CVE-2015-0235 has been released and announced for our stable-v2 (2009a) stack. Please see our Security Known Issue article for updated information and instructions on how to apply the patch: https://support.cloud.engineyard.com/entries/105852596-GHOST-CVE-2015-0235-vulnerability
Posted Feb 10, 2015 - 21:50 UTC
Identified
Customers using our stable-v4 platform can update their environments. An update for stable-v2 is expected out shortly. Please view our Security Known Issues article for instructions and important details pertaining to the upgrade: https://support.cloud.engineyard.com/entries/105852596-GHOST-CVE-2015-0235-vulnerability.
Posted Feb 04, 2015 - 16:51 UTC
Update
We are still working on a tested patch to mitigate this vulnerability. We will continue to update our knowledge base article as work progresses.
Posted Jan 28, 2015 - 02:37 UTC
Investigating
We are aware of a new vulnerability regarding glibc’s gethostbyname function (CVE-2015-0235). Many involved functions and local services are affected. We are researching and testing these reports to determine the severity and scope of impact within Engine Yard’s infrastructure and hosted services.

Our updated security post can be found at https://support.cloud.engineyard.com/entries/105852596-GHOST-CVE-2015-0235-vulnerability
Posted Jan 27, 2015 - 22:35 UTC