Last week, a Google engineer discovered a bug and critical vulnerability in the GNU C library (glibc) used by most Linux desktop and server distributions to support a variety of system calls. A number of distributions have already released patches for the vulnerability. If you have yet to patch and reboot your Linux systems, Pen Test Partners has made the following cheat sheet to make the process easier.
glibc is the core C library in Linux systems, and it has been found that the function getaddrinfo, used to resolve domain names to IP addresses, has a security flaw. The vulnerability is a stack-based buffer overflow that attackers can trigger with longer-than-usual DNS responses, which leaves the door open to remote code execution.
No doubt a lot of organisations have already patched their Linux systems or are in the process of doing so. If you have not already done so, here’s a cheat sheet from Pen Test Partners that will assist you in patching this vulnerability on the most common Linux distributions:
Distribution | Package | Patched Version | Advisory |
---|---|---|---|
Red Hat | glibc | Too many variations to list – see advisory and corresponding errata document | https://access.redhat.com/security/cve/cve-2015-7547 |
Ubuntu 12.04 LTS | libc6 | 2.15-0ubuntu10.13 | http://www.ubuntu.com/usn/usn-2900-1/ |
Ubuntu 14.04 LTS | libc6 | 2.19-0ubuntu6.7 | http://www.ubuntu.com/usn/usn-2900-1/ |
Ubuntu 15.10 | libc6 | 2.21-0ubuntu4.1 | http://www.ubuntu.com/usn/usn-2900-1/ |
Debian 6 (squeeze) | eglibc | 2.11.3-4+deb6u11 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
Debian 7 (wheezy) | eglibc | 2.13-38+deb7u10 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
Debian 8 (jessie) | glibc | 2.19-18+deb8u3 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
SuSE (SLES 11 or later) | glibc | Too many variations to list – see advisory | https://www.suse.com/security/cve/CVE-2015-7547.html |
Gentoo | sys-libs/glibc | 2.21-r2 | https://security.gentoo.org/glsa/201602-02 |
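To check a Debian or Ubuntu host against the table rows above, the installed libc6 version has to be compared the way dpkg orders versions (numeric runs as integers, so 10.13 is newer than 10.9). The script below is an added example, not Pen Test Partners' code: it reimplements that ordering and compares a constructed `dpkg-query` line against the patched versions listed above. The distro keys are invented labels; the Red Hat and SUSE rows use rpm versioning and are not covered.

```python
import re

# Patched Debian/Ubuntu package versions taken from the cheat sheet above.
PATCHED = {
    "ubuntu-12.04": "2.15-0ubuntu10.13",
    "ubuntu-14.04": "2.19-0ubuntu6.7",
    "ubuntu-15.10": "2.21-0ubuntu4.1",
    "debian-6": "2.11.3-4+deb6u11",
    "debian-7": "2.13-38+deb7u10",
    "debian-8": "2.19-18+deb8u3",
}

def _order(c):
    # dpkg ordering for non-digit characters: '~' sorts before the end of
    # the string, letters next, then every other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        d = _order(a[i:i + 1]) - _order(b[i:i + 1])
        if d:
            return d
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit and numeric runs, as dpkg's verrevcmp does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        d = _cmp_nondigit(na, nb)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    parts = []
    for v in (v1, v2):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        parts.append((int(epoch), upstream, rev))
    (e1, u1, r1), (e2, u2, r2) = parts
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(distro, dpkg_line):
    # dpkg_line: one line of `dpkg-query -W -f='${Package} ${Version}\n' libc6`
    _pkg, installed = dpkg_line.split()
    return compare_versions(installed, PATCHED[distro]) >= 0

if __name__ == "__main__":
    # Constructed sample output for an Ubuntu 14.04 host still one release behind.
    print(is_patched("ubuntu-14.04", "libc6 2.19-0ubuntu6.6"))  # False
```

A version at or above the table entry only means the package is installed; as the article says, reboot (or at least restart every long-running process) so nothing keeps the old library mapped.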
Pen Test Partners did have some words of warning:
“Any distribution maintained package should be OK with this kind of upgrade (that’s what a package management system exists for) but any custom developed software might need more careful consideration.”
[Via Pen Test Partners]