Cheat Sheet For Patching Glibc Critical Vulnerability For Linux Systems

Last week, a Google engineer discovered a bug and critical vulnerability in the GNU C library (glibc) used by most Linux desktop and server distributions to support a variety of system calls. A number of distributions have already released patches for the vulnerability. If you have yet to patch and reboot your Linux systems, Pen Test Partners has made the following cheat sheet to make the process easier.

glibc is the core C library on Linux systems, and a function called getaddrinfo, used to resolve domain names to IP addresses, has been found to have a security flaw. The vulnerability allows attackers to overflow a stack-based buffer, triggered by longer than usual DNS responses. This leaves the door open for remote code execution.

No doubt a lot of organisations have already patched their Linux systems or are in the process of doing so. If you have not already done so, here's a cheat sheet from Pen Test Partners that will assist you in patching this vulnerability on the most common Linux distributions:

| Distribution | Package | Patched Version | Advisory |
|---|---|---|---|
| Red Hat | glibc | Too many variations to list - see advisory and corresponding errata document | https://access.redhat.com/security/cve/cve-2015-7547 |
| Ubuntu 12.04 LTS | libc6 | 2.15-0ubuntu10.13 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Ubuntu 14.04 LTS | libc6 | 2.19-0ubuntu6.7 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Ubuntu 15.10 | libc6 | 2.21-0ubuntu4.1 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Debian 6 (squeeze) | eglibc | 2.11.3-4+deb6u11 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| Debian 7 (wheezy) | eglibc | 2.13-38+deb7u10 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| Debian 8 (jessie) | glibc | 2.19-18+deb8u3 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| SuSE (SLES 11 or later) | glibc | Too many variations to list - see advisory | https://www.suse.com/security/cve/CVE-2015-7547.html |
| Gentoo | sys-libs/glibc | 2.21-r2 | https://security.gentoo.org/glsa/201602-02 |
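The table tells you which package version closes the hole, but on a fleet of hosts you want a check you can script rather than read off by eye. The script below is an added example, not part of the article or of Pen Test Partners' cheat sheet: it compares an installed libc6 version against the patched version for that release using the Debian and Ubuntu rows above. The Ubuntu codenames (precise, trusty, wily) are a mapping added here for the Ubuntu 12.04, 14.04 and 15.10 rows; the Debian codenames come from the table. It uses `dpkg --compare-versions` where dpkg exists and falls back to GNU `sort -V` otherwise, so the comparison logic can be exercised on any Linux box.

```shell
#!/bin/sh
# Added example (not from the article): is the installed glibc at or above the
# patched version for CVE-2015-7547 on this Debian/Ubuntu release?
# Patched versions are the ones listed in the article's table.

# True (exit 0) when version $1 sorts lower than version $2.
version_lt() {
    # Prefer dpkg's own ordering rules on Debian-family hosts.
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
        return
    fi
    # Fallback: GNU sort -V puts the lower version on the first line.
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Release codename -> patched libc6/glibc version from the table.
# Ubuntu codenames are an added mapping; Debian codenames are from the table.
patched_version() {
    case "$1" in
        precise) echo "2.15-0ubuntu10.13" ;;  # Ubuntu 12.04 LTS
        trusty)  echo "2.19-0ubuntu6.7" ;;    # Ubuntu 14.04 LTS
        wily)    echo "2.21-0ubuntu4.1" ;;    # Ubuntu 15.10
        squeeze) echo "2.11.3-4+deb6u11" ;;   # Debian 6
        wheezy)  echo "2.13-38+deb7u10" ;;    # Debian 7
        jessie)  echo "2.19-18+deb8u3" ;;     # Debian 8
        *)       return 1 ;;                  # release not in the table
    esac
}

# Usage: patch_status <codename> <installed-version>
# Prints VULNERABLE (exit 1), PATCHED (exit 0) or UNKNOWN (exit 2).
patch_status() {
    required=$(patched_version "$1") || { echo UNKNOWN; return 2; }
    if version_lt "$2" "$required"; then
        echo VULNERABLE
        return 1
    fi
    echo PATCHED
    return 0
}

# Live check on the current host: ./glibc-check.sh --live
# (assumes lsb_release and dpkg-query are present, as on Debian/Ubuntu).
if [ "${1:-}" = "--live" ]; then
    codename=$(lsb_release -sc 2>/dev/null)
    installed=$(dpkg-query -W -f='${Version}' libc6 2>/dev/null)
    printf '%s libc6 %s: %s\n' "$codename" "$installed" \
        "$(patch_status "$codename" "$installed")"
fi
```

Note that a PATCHED result only says the package on disk is new enough; as the article says, the system still needs a reboot (or at least a restart of every long-running process that loaded the old glibc) before the fix is actually in effect.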

Pen Test Partners did have some words of warning:

"Any distribution maintained package should be OK with this kind of upgrade (that's what a package management system exists for) but any custom developed software might need more careful consideration."

[Via Pen Test Partners]
