GLIBC Vulnerability

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

Looks like everyone should check and update glibc as necessary.


Comments

  • smansman Member
    edited January 2015

    yum update shows that CE6 glibc updates are out on some mirrors but not all yet.

  • smansman Member
    edited January 2015

    To check on CE6

    rpm -qa | grep glibc

    Vulnerable

    glibc-2.12-1.149.el6_6.4.i686
    glibc-common-2.12-1.149.el6_6.4.i686
    etc.
    

    Not vulnerable

    glibc-2.12-1.149.el6_6.5.i686
    glibc-common-2.12-1.149.el6_6.5.i686
    etc.
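To turn smansman's "vulnerable / not vulnerable" package lists into a check you can run across many boxes, here is an added example (my own code, not posted in this thread) that parses `rpm -qa` output and compares every real glibc package against the fixed CentOS 6 build quoted above, 2.12-1.149.el6_6.5. The sample `rpm -qa` lines are constructed, the simplified `rpmvercmp` covers ordinary version strings only (no `~`/`^` handling), and the script name `glibc_check.py` in the usage comment is an assumption.

```python
import re
import sys

# Fixed CentOS 6 build quoted in the thread (glibc-2.12-1.149.el6_6.5);
# anything older than this version/release pair is treated as vulnerable.
FIXED_EL6 = ("2.12", "1.149.el6_6.5")

# Constructed sample of `rpm -qa | grep glibc` output (not from a real host):
# a mixed box with one updated x86_64 package and stale i686/-common packages.
SAMPLE_RPM_QA = """\
glibc-common-2.12-1.149.el6_6.4.x86_64
glibc-static-2.12-1.149.el6_6.4.x86_64
glibc-2.12-1.149.el6_6.4.i686
vzdummy-glibc-2.12-1.7.el6.noarch
glibc-2.12-1.149.el6_6.5.x86_64
"""

# name-version-release.arch; version and release never contain '-'
NVRA = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nvra(line):
    """Split one `rpm -qa` line into name/version/release/arch, or None."""
    m = NVRA.match(line.strip())
    return m.groupdict() if m else None


def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are ignored
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): -1, 0 or 1 like the C original for ordinary versions."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: the longer string is the newer one
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def classify(rpm_qa_output, fixed=FIXED_EL6):
    """Map each real glibc package line to 'fixed' or 'vulnerable'.

    Packages that merely contain "glibc" in their name (e.g. the OpenVZ
    vzdummy-glibc stub) are skipped, since their versions say nothing
    about the C library actually installed.
    """
    verdicts = {}
    for line in rpm_qa_output.splitlines():
        pkg = parse_nvra(line)
        if not pkg or not (pkg["name"] == "glibc" or pkg["name"].startswith("glibc-")):
            continue
        cmp = rpmvercmp(pkg["version"], fixed[0]) or rpmvercmp(pkg["release"], fixed[1])
        verdicts[line.strip()] = "fixed" if cmp >= 0 else "vulnerable"
    return verdicts


if __name__ == "__main__":
    # Pipe real output in with:  rpm -qa | python3 glibc_check.py
    # With no pipe attached, the constructed sample above is used.
    data = SAMPLE_RPM_QA if sys.stdin.isatty() else sys.stdin.read()
    for pkg, verdict in sorted(classify(data).items()):
        print(f"{verdict:10} {pkg}")
```

Because the release string is compared segment by segment, the check also works once a later errata build ships (e.g. `el6_6.6` compares as newer than `el6_6.5`), so you only need to update `FIXED_EL6` when the baseline you care about changes.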
    
  • There are more updates than just GLIBC; there have been many vulnerabilities lately.

    http://www.openwall.com/lists/oss-security/2015/01/27/9


                  Type: Hardlink Arbitrary File Access
              Location: Local
                Impact: High
               Product: Usermin
               Website: http://www.webmin.com/usermin.html
    Vulnerable Version: 1.630
         Fixed Version: 1.640
                   CVE: CVE-2015-1377
                  R911: 0171
                  Date: 2015-01-27
                    By: RACK911
    

                  Type: Hardlink Arbitrary File Access
              Location: Local
                Impact: High
               Product: Webmin
               Website: http://www.webmin.com/
    Vulnerable Version: 1.720
         Fixed Version: 1.730
                   CVE: CVE-2015-1377
                  R911: 0172
                  Date: 2015-01-27
                    By: RACK911
    

    https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc


    http://cloudlinux.com/blog/clnews/612.php

    Relies on GLIBC exploit.


    https://rhn.redhat.com/errata/RHSA-2015-0092.html

  • Updated! :)

  • smansman Member
    edited January 2015

    That usermin/webmin stuff is not OS related.

  • jarjar Patron Provider, Top Host, Veteran

    The nature of this particular vulnerability really caught me off guard. An exim HELO check of all things appears to be one potential entry point. Luckily it seems that everyone jumped on this pretty quickly.

  • glibc-common-2.12-1.149.el6_6.4.x86_64
    glibc-static-2.12-1.149.el6_6.4.x86_64
    glibc-devel-2.12-1.149.el6_6.4.x86_64
    glibc-headers-2.12-1.149.el6_6.4.x86_64
    glibc-2.12-1.149.el6_6.4.i686
    vzdummy-glibc-2.12-1.7.el6.noarch
    glibc-2.12-1.149.el6_6.4.x86_64
    

    One of my boxes won't update, stupid EPEL...

    Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
    14: PYCURL ERROR 22 - "The requested URL returned error: 503 Service Temporarily Unavailable"
    
  • @linuxthefish said:

    glibc-common-2.12-1.149.el6_6.4.x86_64
    glibc-static-2.12-1.149.el6_6.4.x86_64
    glibc-devel-2.12-1.149.el6_6.4.x86_64
    glibc-headers-2.12-1.149.el6_6.4.x86_64
    glibc-2.12-1.149.el6_6.4.i686
    vzdummy-glibc-2.12-1.7.el6.noarch
    glibc-2.12-1.149.el6_6.4.x86_64
    

    One of my boxes won't update, stupid EPEL...

    Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64 error was
    14: PYCURL ERROR 22 - "The requested URL returned error: 503 Service Temporarily Unavailable"
    

    Seen issues like this related to the recent nss-softokn yum problem.
    https://www.centos.org/forums/viewtopic.php?f=14&t=50588

    Try this (Cent 6 x64)

    yumdownloader nss-softokn-freebl
    wget http://www.mirrorservice.org/sites/mirror.centos.org/6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
    rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv 
    cp ./lib64/libfreeblpriv3.* /lib64 
    yum update
    
  • edited January 2015

    Try 'yum clean all; yum update --disablerepo=epel' with wildcards in front of and after the word 'epel'.

  • NickMNXio Member, Host Rep

    From the release: http://www.openwall.com/lists/oss-security/2015/01/27/9

    ... "arbitrary code execution can be achieved.
    As a proof of concept, we developed a full-fledged remote exploit
    against the Exim mail server, bypassing all existing protections
    (ASLR, PIE, and NX) on both 32-bit and 64-bit machines."

    Read this as -- don't delay, patch today!

  • If it only impacts exim, don't worry about the courier mail server (used by Kloxo/Kloxo-MR).

  • Anything we should do for Ubuntu 12.04?

    Had run apt-get update && upgrade, but didn't notice any package related...

  • Probably the mirror you are using is not synced yet. There were glibc updates for ubuntu.

  • @mustafaramadhan said:
    Try 'yum clean all; yum update --disablerepo=epel' with wildcards in front of and after the word 'epel'.

    You can use backticks for code.

    yum clean all; yum update --disablerepo=*epel*

  • Updating on all my boxes. I must really start coding something to automate this...

  • What was that thing someone mentioned a while back that automatically installs security updates?

    It was a package for Debian. like security-updates or something.

  • @hostnoob said:
    What was that thing someone mentioned a while back that automatically installs security updates?

    It was a package for Debian. like security-updates or something.

    unattended-upgrades?

  • On Debian:

    aptitude show libc6

    If it says "Version: 2.13-38+deb7u7", your version is patched. Mine is patched, I don't know if this was done by unattended-upgrades recently.

    OpenSUSE, Ubuntu, Fedora and Gentoo should have a new version already (as in they are not vulnerable, unless you use an old version of glibc).

  • TheLinuxBug Member
    edited January 2015

    On Debian Squeeze and Wheezy the affected package is eglibc not glibc, you can check here or:

    On the other hand, all versions of CentOS 5 & 6 glibc packages do need to be updated.

    yum -y install glibc

    Side note: when doing updates earlier on some servers I noticed that not all CentOS repos have the new package yet. If you try to update and it says there is no new package, try again a bit later.

    Cheers!

  • Do we need to reboot server or restart services after that?? Or a simple update to glibc would be enough??

    Thanks

  • No need to reboot.

  • While it might not be strictly necessary, it won't hurt to reboot. If it's not something mission critical and the 1-2 minutes of downtime from rebooting won't hurt you, better reboot it. It is better to find out now if something doesn't start properly after a reboot, instead of finding out some day at 3 am.

  • @rds100 but my loverly uptime figure :(

  • @Umair said:
    Do we need to reboot server or restart services after that?? Or a simple update to glibc would be enough??

    You need to restart the processes that have that library loaded (should be almost any process).
    You can find out with a command like this:
    lsof | grep libc
    It also gives you the size of the library so you can differentiate old/new library.
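As an added example (not from the thread), here is a check for the point made above: after the package update, every process that still has the old libc mapped keeps running the unpatched code until it is restarted. Instead of grepping `lsof` output, it reads each `/proc/<pid>/maps` and flags libc mappings the kernel marks `(deleted)`, which is how a library that was replaced on disk shows up for a process that loaded it before the update. The `/proc` excerpts and the PIDs 1234/5678 are constructed for the demo; running it against the live `/proc` needs root to see other users' processes.

```python
import os
import re

# Matches libc-2.12.so / libc.so.6 but not libcrypto, libcurl, etc.
LIBC_NAME = re.compile(r"^libc[-.]")

# Constructed /proc/<pid>/maps excerpts (not captured from a real host):
# pid 1234 was started before the update and still maps the old libc inode,
# which the kernel reports as "(deleted)"; pid 5678 was started afterwards.
SAMPLE_MAPS = {
    1234: """\
00400000-004d8000 r-xp 00000000 fd:01 393222    /usr/sbin/exim
7f0a2c000000-7f0a2c18a000 r-xp 00000000 fd:01 131126    /lib64/libc-2.12.so (deleted)
7f0a2c18a000-7f0a2c38a000 ---p 0018a000 fd:01 131126    /lib64/libc-2.12.so (deleted)
7f0a2c3a0000-7f0a2c3b2000 r-xp 00000000 fd:01 131140    /lib64/libcrypto.so.10
7f0a2c5c0000-7f0a2c5c3000 rw-p 00000000 00:00 0
""",
    5678: """\
00400000-00420000 r-xp 00000000 fd:01 393300    /usr/sbin/sshd
7f1b3d000000-7f1b3d18a000 r-xp 00000000 fd:01 131190    /lib64/libc-2.12.so
7f1b3d400000-7f1b3d403000 rw-p 00000000 00:00 0
""",
}


def stale_libc_paths(maps_text):
    """Return the libc paths a process maps from a file that has since been replaced."""
    stale = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [path]; the path may contain spaces
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if not path.endswith("(deleted)"):
            continue
        real = path[: -len("(deleted)")].strip()
        if LIBC_NAME.match(os.path.basename(real)):
            stale.add(real)
    return stale


def processes_needing_restart(maps_by_pid):
    """PIDs that still execute the pre-update libc and must be restarted."""
    return {pid for pid, text in maps_by_pid.items() if stale_libc_paths(text)}


def read_proc_maps():
    """Collect /proc/<pid>/maps for every readable process on the live system."""
    out = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                out[int(entry)] = fh.read()
        except OSError:
            continue  # process exited meanwhile, or not ours and we are not root
    return out


if __name__ == "__main__":
    # Demo on the constructed sample; swap in read_proc_maps() on a real box.
    for pid in sorted(processes_needing_restart(SAMPLE_MAPS)):
        print(f"pid {pid} still maps: {', '.join(sorted(stale_libc_paths(SAMPLE_MAPS[pid])))}")
```

Restart the flagged services (or reboot, as suggested earlier in the thread) and run it again; an empty result means nothing is still executing the old library. Processes inside containers or chroots with their own copy of glibc need the same check against their own filesystem.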

  • @0xdragon said:
    unattended-upgrades?

    That's the one. Thanks

  • @wych said:
    rds100 but my loverly uptime figure :(

    Mine was only 11 days so I just rebooted it instead of restarting individual services. :-\

    Lots of big vulnerabilities over the last year, feels like I'm always running updates.
