Major vulnerability in Linux

jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: 10-04-2007

Major vulnerability in Linux

So much for the claims that Linux is more secure than Windows!
http://www.bbc.co.uk/news/technology-35592916
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
SpendLessTime
Hero
Posts: 3,000
Thanks: 928
Fixes: 86
Registered: 21-09-2009

Re: Major vulnerability in Linux

Solution from Google while you wait for the library to be patched.
Quote
Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.

So basically, only use trusted DNS servers, e.g. Google.
For more, see the Google security blog: https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Ex - Plusnet Customer (2009 - 2023) now with BT
Anonymous
Not applicable

Re: Major vulnerability in Linux

Quote from: spoon
So much for the claims that Linux is more secure than Windows!

That's because it is. Have a look in your Windows Update History to see how many of them start with "Security Update...".
To be fair, this is a bit of a screamer, as it's been known about since 2008, but I assume that due to the complexity of actually exploiting it the developers ranked it as a low priority; well, I hope that was their reasoning!
HairyMcbiker
All Star
Posts: 6,792
Thanks: 266
Fixes: 21
Registered: 16-02-2009

Re: Major vulnerability in Linux

Well, another non-issue again. Wink
Quote
Google said that a number of exploitation vectors can be used to attack this vulnerability, including but not limited to ssh, sudo and curl.
“Remote code execution is possible, but not straightforward,” Serna said. “It requires bypassing the security mitigations present on the system, such as ASLR.”

So unless they are actually able to get to the ROOT user (sudo/su etc.) then it just isn't doing anything.
There are SO SO MANY easier ways to hack M$, let me count the ways. Grin (Or even Linux/Macs using Flash if it is installed; not on my machines!)
summers
Aspiring Pro
Posts: 275
Thanks: 50
Fixes: 1
Registered: 01-06-2014

Re: Major vulnerability in Linux

Well, it will be hard to find an exploit. Also watch how long it takes GNU glibc to come out with a fix. I'd expect it to only be a few days.
All OSes tend to get vulnerabilities at times; the question isn't that they get them, but how often, and how long does it take to fix?
Anonymous
Not applicable

Re: Major vulnerability in Linux

Just done a system update on my Arch Linux machine and guess what I got:
glibc-2.22-4-x86_64

Not even 12 hours old.  Grin

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Re: Major vulnerability in Linux

It's only being announced now because the fixes are ready.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: 01-09-2007

Re: Major vulnerability in Linux

Quote from: Mook
Just done a system update on my Arch Linux machine and guess what I got:
glibc-2.22-4-x86_64

I didn't do an update on my LMDE (Debian) machine. I ran
ldd --version
and guess what I got?
ldd (Debian GLIBC 2.19-18+deb8u3) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

AFAIK Debian GLIBC 2.19-18+deb8u3 is a fixed version - although I believe LibreOffice includes GLIBC 2.19-18+deb8u2 (which is the buggy version); update issued.

"In The Beginning Was The Word, And The Word Was Aardvark."

30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: 18-02-2013

Re: Major vulnerability in Linux

Quote from: ejs
It's only being announced now because the fixes are ready.

Typical!
Well, they are still working on wheezy for the RPi: https://www.raspberrypi.org/forums/viewtopic.php?t=136598&p=907941
I'm testing jessie (with updates) now.
HairyMcbiker
All Star
Posts: 6,792
Thanks: 266
Fixes: 21
Registered: 16-02-2009

Re: Major vulnerability in Linux

Given the fact it was known about last JULY, what is the rush, guys? Seriously, if a hack had happened it would have happened by now.
Chill out and have a beer.
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: 18-02-2013

Re: Major vulnerability in Linux

Wheezy seems to be updated:
"by plugwash » Thu Feb 18, 2016 11:45 am
Version 2.13-38+rpi2+deb7u10 should now be available."
YUP!
sudo apt-get upgrade
Reading package lists... Done
Building dependency tree     
Reading state information... Done
The following packages will be upgraded:
  libc-bin libc-dev-bin libc6 libc6-dev locales multiarch-support
6 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.7 MB of archives.
After this operation, 638 kB disk space will be freed.
Do you want to continue [Y/n]?
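Both VileReynard's `ldd --version` check and the wheezy package version quoted above boil down to the same question: is the installed Debian glibc package at or above the fixed revision? Comparing strings like 2.19-18+deb8u2 and 2.19-18+deb8u3 by eye is error-prone (deb8u10 sorts before deb8u9 alphabetically), so here is an added example, not from the thread, that parses the first line of `ldd --version` and applies dpkg's version-ordering rules. It assumes the two fixed versions quoted in the thread (jessie 2.19-18+deb8u3, Raspbian wheezy 2.13-38+rpi2+deb7u10), that wheezy's ldd reports "EGLIBC", and that no epoch is present.

```python
import re

# Fixed package versions quoted in this thread, keyed by upstream glibc series (assumption: only these two)
FIXED_VERSIONS = {"2.19": "2.19-18+deb8u3", "2.13": "2.13-38+rpi2+deb7u10"}
# First line of `ldd --version` on Debian-family systems; "EGLIBC" for wheezy is an assumption
LDD_RE = re.compile(r"\(Debian E?GLIBC (\S+)\)")

def _order(c):
    # dpkg character weight: '~' < end-of-string/digit < letters < other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (ordered by _order) and numeric runs (by value)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i] if i < len(a) else ""), _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ni, nj = i, j
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        da, db = int(a[i:ni] or "0"), int(b[j:nj] or "0")
        if da != db:
            return da - db
        i, j = ni, nj
    return 0

def dpkg_compare(v1, v2):
    # Full Debian version order (assumption: no epoch): upstream part first, then Debian revision
    def split(v):
        return v.rsplit("-", 1) if "-" in v else [v, ""]
    (u1, r1), (u2, r2) = split(v1), split(v2)
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def glibc_status(ldd_first_line):
    # True = package at or above the fixed version, False = older, None = not a Debian-style line
    m = LDD_RE.search(ldd_first_line)
    fixed = FIXED_VERSIONS.get(m.group(1).split("-", 1)[0]) if m else None
    if fixed is None:
        return None
    return dpkg_compare(m.group(1), fixed) >= 0
```

Feed it `ldd --version | head -n 1`; a None result means the line is not in the Debian format (Arch reports "ldd (GNU libc) 2.22") and needs a distro-specific check instead.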