GLIBC Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
Looks like everyone should check and update glibc as necessary.
Comments
yum update shows that CE6 glibc updates are out on some mirrors but not all yet.
To check on CE6
rpm -qa | grep glibc
Vulnerable
Not vulnerable
There are more updates than just GLIBC; there have been many vulnerabilities lately.
http://www.openwall.com/lists/oss-security/2015/01/27/9
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc
http://cloudlinux.com/blog/clnews/612.php
Relies on GLIBC exploit.
https://rhn.redhat.com/errata/RHSA-2015-0092.html
Updated!
That usermin/webmin stuff is not OS related.
The nature of this particular vulnerability really caught me off guard. An exim HELO check of all things appears to be one potential entry point. Luckily it seems that everyone jumped on this pretty quickly.
One of my boxes won't update, stupid EPEL...
Seen issues like this related to the recent nss-softokn yum problem.
https://www.centos.org/forums/viewtopic.php?f=14&t=50588
Try this (Cent 6 x64)
Try 'yum clean all; yum update --disablerepo=epel' with wildcards in front of and after the word 'epel'.
From the release: http://www.openwall.com/lists/oss-security/2015/01/27/9
... "arbitrary code execution can be achieved.
As a proof of concept, we developed a full-fledged remote exploit
against the Exim mail server, bypassing all existing protections
(ASLR, PIE, and NX) on both 32-bit and 64-bit machines."
Read this as -- don't delay, patch today!
If it only impacts exim, there is no need to worry about the courier mail server (used by Kloxo/Kloxo-MR).
Anything we should do for Ubuntu 12.04?
Had run apt-get update && upgrade, but didn't notice any related package...
Probably the mirror you are using is not synced yet. There were glibc updates for ubuntu.
You can use backticks for code.
yum clean all; yum update --disablerepo=*epel*
Updating on all my boxes. I must really start coding something to automate this...
What was that thing someone mentioned a while back that automatically installs security updates?
It was a package for Debian. like security-updates or something.
unattended-upgrades
On Debian:
aptitude show libc6
If it says "Version: 2.13-38+deb7u7", your version is patched. Mine is patched, I don't know if this was done by unattended-upgrades recently.
OpenSUSE, Ubuntu, Fedora and Gentoo should have a new version already (as in they are not vulnerable, unless you use an old version of glibc).
On Debian Squeeze and Wheezy the affected package is eglibc, not glibc; you can check here or:
On the other hand, all versions of CentOS 5 & 6 glibc packages do need to be updated.
yum -y install glibc
Side note: when doing updates earlier on some servers I noticed that not all CentOS repos have the new package yet. If you try to update and it says there is no new package, try again a bit later.
Cheers!
Do we need to reboot the server or restart services after that? Or would a simple update to glibc be enough?
Thanks
No need to reboot.
While it might not be strictly necessary, it won't hurt to reboot. If it's not something mission critical and the 1-2 minutes of downtime from rebooting won't hurt you, better reboot it. It is better to find out now if something doesn't start properly after a reboot, instead of finding out some day at 3 am.
@rds100 but my lovely uptime figure
You need to restart the processes that have that library loaded (should be almost any process).
You can find out with a command like this:
lsof | grep libc
It also gives you the size of the library so you can differentiate the old/new library.
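As an added example (not from the thread or any of its posters), here is a small POSIX sh script that does the same job as the lsof check above but reads /proc directly. It assumes Linux /proc semantics: once the glibc package is replaced on disk, the kernel marks the mappings of processes that loaded the old file as "(deleted)" in /proc/<pid>/maps, so any process listed is still running the pre-update library and needs a restart. The fake /proc tree it builds is constructed sample data so the check can be run offline; the process names and map lines are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list processes that still have the OLD
# glibc mapped after the package was replaced on disk. On Linux the kernel
# appends " (deleted)" to a mapping in /proc/<pid>/maps once the backing file
# has been unlinked or replaced, which is exactly what a glibc upgrade does.
# Those processes keep running the vulnerable code until they are restarted.

# stale_libc_in_maps MAPS_FILE
#   Exit status 0 if the maps file references a deleted libc, 1 otherwise.
#   Matches libc-2.x.so (older layouts) as well as libc.so.6 (newer ones).
stale_libc_in_maps() {
    grep -E '/libc(-[0-9.]+)?\.so(\.[0-9]+)* \(deleted\)$' "$1" >/dev/null 2>&1
}

# list_stale_procs [PROC_ROOT]
#   Prints "PID COMM" for every process under PROC_ROOT (default /proc) whose
#   maps file still references a deleted libc. Prints nothing when every
#   process is on the current library. Unreadable maps files are skipped.
list_stale_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        if stale_libc_in_maps "$d/maps"; then
            pid="${d##*/}"
            comm="$(cat "$d/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# make_sample_root
#   Builds a constructed, fake /proc tree with two processes in a temp dir
#   and prints its path, so the checks above can be exercised offline without
#   touching the real system. The maps lines below are hand-written samples.
make_sample_root() {
    root="$(mktemp -d)"
    mkdir -p "$root/1234" "$root/5678"
    # Process 1234: started before the update; its libc file was replaced.
    printf '%s\n' 'exim' > "$root/1234/comm"
    cat > "$root/1234/maps" <<'EOF'
00400000-00420000 r-xp 00000000 fd:01 1311 /usr/sbin/exim
7f2a3c000000-7f2a3c18a000 r-xp 00000000 fd:01 9921 /lib64/libc-2.12.so (deleted)
EOF
    # Process 5678: started after the update; mapping points at the new file.
    printf '%s\n' 'sshd' > "$root/5678/comm"
    cat > "$root/5678/maps" <<'EOF'
00400000-00460000 r-xp 00000000 fd:01 1440 /usr/sbin/sshd
7f9b1e000000-7f9b1e18a000 r-xp 00000000 fd:01 9930 /lib64/libc-2.12.so
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: run against the constructed tree first, then against the
# real /proc if this happens to be a Linux host.
sample="$(make_sample_root)"
echo "constructed sample (expect 1234 exim):"
list_stale_procs "$sample"
rm -rf "$sample"
if [ -d /proc/self ]; then
    echo "this host:"
    list_stale_procs /proc
fi
```

Run it as root after `yum update glibc` (or the Debian equivalent); an empty list for the host means nothing is left on the old library, while any PID printed is a service to restart, or a reason to reboot as suggested earlier in the thread. Other replaced libraries (for example ld-linux) can be checked the same way by adjusting the pattern.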
That's the one. Thanks
Mine was only 11 days so I just rebooted it instead of restarting individual services. :-\
Lots of big vulnerabilities over the last year, feels like I'm always running updates.