
Major vulnerability in Linux

Community Veteran
Posts: 26,718
Thanks: 931
Fixes: 10
Registered: 10-04-2007

Major vulnerability in Linux

So much for the claims that Linux is more secure than Windows!
http://www.bbc.co.uk/news/technology-35592916
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/
jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
10 REPLIES
SpendLessTime
Aspiring Hero
Posts: 2,600
Thanks: 699
Fixes: 67
Registered: 21-09-2009

Re: Major vulnerability in Linux

Solution from Google while you wait for the library to be patched.
Quote
Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.

So basically only use trusted DNS servers, e.g. Google.
For more see google security blog https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
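The size and truncation-bit rule in the quoted Google advice, as an added example that is not code from the thread or from Google: a small Python filter that parses the DNS header of a UDP reply, refuses replies that are truncated (so the caller retries over TCP) or larger than a configurable limit, and is exercised on constructed packets. The 2048-byte default limit, the `build_response` helper and the `example.com` question are assumptions made for illustration, not captured traffic.

```python
import struct

DNS_HEADER_LEN = 12
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncation bit


def parse_header(packet):
    """Return (id, flags, qdcount, ancount) from a DNS message, or None if too short."""
    if len(packet) < DNS_HEADER_LEN:
        return None
    return struct.unpack("!HHHHHH", packet[:DNS_HEADER_LEN])[:4]


def accept_udp_response(packet, max_size=2048):
    """Decide whether a local resolver should hand a UDP answer to its caller.

    Returns (accepted, reason). Truncated replies are refused here so the
    caller re-asks over TCP; replies above max_size are dropped outright.
    max_size=2048 is an assumed illustrative limit.
    """
    hdr = parse_header(packet)
    if hdr is None:
        return False, "short packet"
    _, flags, _, _ = hdr
    if not flags & FLAG_QR:
        return False, "not a response"
    if flags & FLAG_TC:
        return False, "truncated: retry over TCP"
    if len(packet) > max_size:
        return False, "oversized UDP response dropped (%d bytes)" % len(packet)
    return True, "ok"


def build_response(txid, tc, payload_len):
    """Constructed test packet: header, one dummy question, payload_len filler bytes."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # A, IN
    return header + question + b"\x00" * payload_len


if __name__ == "__main__":
    for tc, size in ((False, 100), (False, 3000), (True, 100)):
        print(tc, size, accept_udp_response(build_response(0x1234, tc, size)))
```

The check only looks at the header and total length; it does not validate the answer section, which is enough to enforce the "limit the response size" part of the advice but is not a substitute for the library fix.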
Community Veteran
Posts: 5,471
Thanks: 1,450
Fixes: 34
Registered: 16-10-2014

Re: Major vulnerability in Linux

Quote from: spoon
So much for the claims that Linux is more secure than Windows!

That's because it is. Have a look in your Windows Update History to see how many of them start with "Security Update...".
To be fair this is a bit of a screamer as it's been known about since 2008, but I assume due to the complexity of actually exploiting it the developers ranked it as a low priority, well I hope that was their reasoning!
Community Veteran
Posts: 6,773
Thanks: 257
Fixes: 20
Registered: 16-02-2009

Re: Major vulnerability in Linux

Well, another non-issue again ;)
Quote
Google said that a number of exploitation vectors can be used to attack this vulnerability, including but not limited to ssh, sudo and curl.
“Remote code execution is possible, but not straightforward,” Serna said. “It requires bypassing the security mitigations present on the system, such as ASLR.”

So unless they are actually able to get to the ROOT user (sudo/su etc.) then it just isn't doing anything.
There are SO SO MANY easier ways to hack M$, let me count the ways :D (or even Linux/Macs using Flash if it is installed, not on my machines!)
summers
Grafter
Posts: 133
Thanks: 2
Registered: 01-06-2014

Re: Major vulnerability in Linux

Well, it will be hard to find an exploit. Also watch how long it takes GNU glibc to come out with a fix. I'd expect it to only be a few days.
All OSes tend to get vulnerabilities at times; the question isn't whether they get them, but how often, and how long it takes to fix them.
Community Veteran
Posts: 5,471
Thanks: 1,450
Fixes: 34
Registered: 16-10-2014

Re: Major vulnerability in Linux

Just done a system update on my Arch Linux machine and guess what I got:
glibc-2.22-4-x86_64

Not even 12 hours old. :D

Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Major vulnerability in Linux

It's only being announced now because the fixes are ready.
VileReynard
Seasoned Pro
Posts: 10,995
Thanks: 265
Fixes: 11
Registered: 01-09-2007

Re: Major vulnerability in Linux

Quote from: Mook
Just done a system update on my Arch Linux machine and guess what I got :
glibc-2.22-4-x86_64

I didn't do an update on my LMDE (Debian) machine
Quote
ldd --version
and guess what I got?
Quote
ldd (Debian GLIBC 2.19-18+deb8u3) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

AFAIK Debian GLIBC 2.19-18+deb8u3 is a fixed version - although I believe
Libre Office includes GLIBC 2.19-18+deb8u2 (which is the bug version), update issued.

Community Veteran
Posts: 2,286
Thanks: 109
Fixes: 4
Registered: 18-02-2013

Re: Major vulnerability in Linux

Quote from: ejs
It's only being announced now because the fixes are ready.

Typical!
Well, they are still working on wheezy RPi  https://www.raspberrypi.org/forums/viewtopic.php?t=136598&p=907941
I'm testing jessie (with updates) now.
Community Veteran
Posts: 6,773
Thanks: 257
Fixes: 20
Registered: 16-02-2009

Re: Major vulnerability in Linux

Given the fact it was known about last JULY, what is the rush, guys? Seriously, if a hack had happened it would have happened by now.
Chill out and have a beer
Community Veteran
Posts: 2,286
Thanks: 109
Fixes: 4
Registered: 18-02-2013

Re: Major vulnerability in Linux

Wheezy seems to be updated
"by plugwash » Thu Feb 18, 2016 11:45 am
Version 2.13-38+rpi2+deb7u10 should now be available."
YUP!
sudo apt-get upgrade
Reading package lists... Done
Building dependency tree     
Reading state information... Done
The following packages will be upgraded:
  libc-bin libc-dev-bin libc6 libc6-dev locales multiarch-support
6 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.7 MB of archives.
After this operation, 638 kB disk space will be freed.
Do you want to continue [Y/n]?