Blog: How Tos

glibc stack-based buffer overflow. What you need to know: UPDATE

Pedro Venda 24 Feb 2016

If you’re responsible for maintaining any type of Linux hosts, surely you’ve heard of the recent glibc bug and critical vulnerability CVE-2015-7547 (my colleague Andrew wrote about it earlier).

This is Google’s write-up:

So, you’ve patched and rebooted everything, right?

If not, go do it now and follow the cheat sheet below to make things easier:

Distribution              Package          Patched version      Advisory
Red Hat                   glibc            Too many variations to list – see advisory and corresponding errata document
Ubuntu 12.04 LTS          libc6            2.15-0ubuntu10.13
Ubuntu 14.04 LTS          libc6            2.19-0ubuntu6.7
Ubuntu 15.10              libc6            2.21-0ubuntu4.1
Debian 6 (squeeze)        eglibc           2.11.3-4+deb6u11
Debian 7 (wheezy)         eglibc           2.13-38+deb7u10
Debian 8 (jessie)         glibc            2.19-18+deb8u3
SuSE (SLES 11 or later)   glibc            Too many variations to list – see advisory
Gentoo                    sys-libs/glibc   2.21-r2


Do keep in mind that glibc is just about the single most fundamental and core C library on your system: every package links to it, either statically (less likely) or dynamically (more likely). A patch like this should have little to no impact on the system, but there is no safety net!

Any distribution-maintained package should be fine with this kind of upgrade (that is what a package management system exists for), but any custom-developed software might need more careful consideration.
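A script to turn the cheat sheet above into a check, added here as an example and not part of the original post: it compares a Debian/Ubuntu host's installed libc6 version with the fixed version from the table, and lists processes that still map a pre-upgrade libc (the reason the post insists on rebooting). It assumes the distro key is "$ID $VERSION_ID" as found in /etc/os-release, that dpkg-query is available for the live check, and falls back to GNU sort -V for version ordering when dpkg is absent; the sample versions fed to it at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check an installed libc6 against
# the fixed versions in the cheat sheet, and find processes still using an
# old libc after the upgrade.

# Fixed libc6 versions keyed by "$ID $VERSION_ID" from /etc/os-release
# (assumed key format; the versions are the ones in the cheat sheet).
fixed_version_for() {
    case "$1" in
        "ubuntu 12.04") echo "2.15-0ubuntu10.13" ;;
        "ubuntu 14.04") echo "2.19-0ubuntu6.7" ;;
        "ubuntu 15.10") echo "2.21-0ubuntu4.1" ;;
        "debian 6")     echo "2.11.3-4+deb6u11" ;;
        "debian 7")     echo "2.13-38+deb7u10" ;;
        "debian 8")     echo "2.19-18+deb8u3" ;;
        *) return 1 ;;   # Red Hat / SuSE: too many variations, see the advisory
    esac
}

# Succeeds (exit 0) when $1 >= $2 in Debian package-version order.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback when dpkg is absent: GNU sort -V orders these versions the same way.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# Compare an installed version with the fixed one for a distro key.
# Exit 0 = patched, 1 = vulnerable, 2 = distro not in the cheat sheet.
check_libc() {
    distro="$1"
    installed="$2"
    fixed="$(fixed_version_for "$distro")" || {
        echo "$distro: not in the cheat sheet, check the vendor advisory"
        return 2
    }
    if version_ge "$installed" "$fixed"; then
        echo "$distro: patched (libc6 $installed >= $fixed)"
        return 0
    fi
    echo "$distro: VULNERABLE (libc6 $installed < $fixed)"
    return 1
}

# Live check on the current host (assumes /etc/os-release and dpkg-query exist).
check_this_host() {
    . /etc/os-release
    check_libc "$ID $VERSION_ID" "$(dpkg-query -W -f='${Version}' libc6)"
}

# After upgrading without a reboot, long-running daemons keep the old libc
# mapped; the kernel marks the unlinked file "(deleted)" in /proc/PID/maps.
# Prints the PIDs that still need a restart (or a reboot, as the post says).
stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q '/libc[-.].*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps#/proc/}"
            echo "${pid%/maps}"
        fi
    done
}

# Usage: sh glibc-check.sh --host   (live check of this machine)
# Without arguments it runs against constructed sample versions instead.
if [ "${1:-}" = "--host" ]; then
    check_this_host
    echo "processes still mapping a deleted libc:"
    stale_libc_processes
else
    check_libc "ubuntu 14.04" "2.19-0ubuntu6.6" || true   # constructed: vulnerable
    check_libc "ubuntu 14.04" "2.19-0ubuntu6.7" || true   # constructed: patched
fi
```

Run it with `--host` on each box after the upgrade; an empty PID list from `stale_libc_processes` is what you want to see before you consider the host done, otherwise restart the listed services or reboot.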

If you forget everything else in this post, remember this: “Go patch glibc now!”