Blog: How Tos
glibc stack-based buffer overflow. What you need to know: UPDATE
If you’re responsible for maintaining any type of Linux hosts, surely you’ve heard of the recent glibc bug and critical vulnerability CVE-2015-7547 (my colleague Andrew wrote about it earlier).
This is Google’s write-up: https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
So, you’ve patched and rebooted everything, right?
If not, go do it now and follow the cheat sheet below to make things easier:
|Red Hat||glibc||Too many variations to list – see advisory and corresponding errata document||https://access.redhat.com/security/cve/cve-2015-7547|
|Ubuntu 12.04 LTS||libc6||2.15-0ubuntu10.13||http://www.ubuntu.com/usn/usn-2900-1/|
|Ubuntu 14.04 LTS||libc6||2.19-0ubuntu6.7||http://www.ubuntu.com/usn/usn-2900-1/|
|Debian 6 (squeeze)||eglibc||2.11.3-4+deb6u11||https://security-tracker.debian.org/tracker/CVE-2015-7547|
|Debian 7 (wheezy)||eglibc||2.13-38+deb7u10||https://security-tracker.debian.org/tracker/CVE-2015-7547|
|Debian 8 (jessie)||glibc||2.19-18+deb8u3||https://security-tracker.debian.org/tracker/CVE-2015-7547|
|SuSE (SLES 11 or later)||glibc||Too many variations to list – see advisory||https://www.suse.com/security/cve/CVE-2015-7547.html|
Do keep in mind that glibc is just about the single most fundamental and core C library of your system – it all packages link to it statically (less likely) or dynamically (more likely). A patch like this would have low to no impact in the system but there is no safety net!
Any distribution maintained package should be OK with this kind of upgrade (that’s what a package management system exists for) but any custom developed software might need more careful consideration.
If you forget everything else in this post, remember this: “Go patch glibc now!”