There is a new vulnerability alert affecting glibc versions 2.9 and above on various Linux distributions. It is a stack-based buffer overflow in the getaddrinfo() library function. A remote attacker can exploit it with specially crafted domain names and a DNS server under their control, or through a man-in-the-middle (MITM) attack.
CVE-2015-7547 is outlined here (debian.org), here (redhat.com) and on the Google Online Security Blog.
First, find out what version of glibc you have.
$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
A glibc version equal to or greater than 2.9 means you have to patch your server as soon as possible, if you haven't already. To see the exact package version on CentOS, run this command.
rpm -qa glibc
This is a list of patched versions:
+ Debian stable: 2.19-18+deb8u3 (jessie)
+ Debian testing: 2.21-8 (sid)
+ CentOS 7: glibc-2.17-106.el7_2.4.x86_64
+ CentOS 6: glibc-2.12-1.166.el6_7.7.x86_64 or glibc-2.12-1.166.el6_7.7.i686
Debian and Ubuntu
On Debian and Ubuntu, follow these steps.
sudo apt-get update
sudo apt-get upgrade
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
You should get something like this:
$ ldd --version
ldd (Debian GLIBC 2.19-18) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
CentOS
On CentOS 7, follow these steps.
sudo yum -y makecache fast
sudo yum clean all
sudo yum -y update glibc
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
rpm -qa glibc
It should show this:
glibc-2.17-106.el7_2.4.x86_64
How do I know if I have CentOS 6 or 7?
Run this command:
cat /etc/centos-release
You should get a response like this:
CentOS release 6.5 (Final)
or this:
CentOS Linux release 7.1.1503 (Core)
How do I know which version of Debian I have?
Run this command:
cat /etc/debian_version
You should get a response like this:
8.0
or this:
7.9
Run this command for more specific information:
lsb_release -da
Your output will be similar to this:
$ lsb_release -da
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.0 (jessie)
Release:        8.0
Codename:       jessie
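To tie the steps above together, here is an added example (not from the original post) that compares an installed glibc package version against the fixed versions listed earlier, using the release files shown above to pick the distribution. It assumes GNU coreutils `sort -V` for version ordering; `check_host` is a helper that must be called explicitly.

```shell
# Added example, not from the original post: compare the installed glibc
# against the fixed versions listed above. Assumes GNU coreutils `sort -V`.

# Minimum fixed package version per distribution, taken from the post's list.
fixed_version() {
    case "$1" in
        jessie)  echo "2.19-18+deb8u3" ;;
        sid)     echo "2.21-8" ;;
        centos7) echo "2.17-106.el7_2.4" ;;
        centos6) echo "2.12-1.166.el6_7.7" ;;
        *)       return 1 ;;
    esac
}

# version_ge A B: succeed when version A sorts at or after version B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Reduce an `rpm -qa glibc` line (glibc-2.17-106.el7_2.4.x86_64) to 2.17-106.el7_2.4.
rpm_glibc_version() {
    echo "$1" | sed -e 's/^glibc-//' -e 's/\.[^.]*$//'
}

# glibc_is_patched DISTRO VERSION: 0 if VERSION is at least the fixed one,
# 1 if it is older, 2 if DISTRO is not in the table.
glibc_is_patched() {
    min=$(fixed_version "$1") || { echo "unknown distribution: $1" >&2; return 2; }
    version_ge "$2" "$min"
}

# check_host: identify CentOS 7/6 or Debian 8 (jessie) from the release files
# shown above, query the package manager, and report. Not run automatically.
check_host() {
    distro=unknown
    if [ -f /etc/centos-release ]; then
        case "$(cat /etc/centos-release)" in
            *"release 7."*) distro=centos7 ;;
            *"release 6."*) distro=centos6 ;;
        esac
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1)
    elif [ -f /etc/debian_version ]; then
        case "$(cat /etc/debian_version)" in 8*) distro=jessie ;; esac
        ver=$(dpkg-query -W -f='${Version}' libc6)
    fi
    if glibc_is_patched "$distro" "$ver"; then
        echo "glibc $ver on $distro: fixed version installed"
    else
        echo "glibc $ver on $distro: not at the fixed version, update now"
    fi
}
```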