Patching glibc CVE-2015-7547 Vulnerability
There is a new vulnerability alert affecting glibc versions 2.9 and above on various Linux distributions. It is a stack-based buffer overflow in the getaddrinfo() library function. A remote attacker can exploit it with specially crafted domain names and a DNS server under their control, or through a man-in-the-middle attack.
CVE-2015-7547 has been outlined by Debian (debian.org), Red Hat (redhat.com) and the Google online security blog.
First, find out what version of glibc you have.
$ ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
A glibc version equal to or greater than 2.9 means you have to patch your server at the earliest opportunity, if you haven't already. To see the exact package version on CentOS, run this command.
rpm -qa glibc
This is a list of patched versions:
- Debian stable: 2.19-18+deb8u3 (jessie)
- Debian testing: 2.21-8 (sid)
- CentOS 7: glibc-2.17-106.el7_2.4.x86_64
- CentOS 6: glibc-2.12-1.166.el6_7.7.x86_64 or glibc-2.12-1.166.el6_7.7.i686
Debian and Ubuntu
On Debian and Ubuntu, follow these steps.
sudo apt-get update
sudo apt-get upgrade
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
You should get something like this:
$ ldd --version
ldd (Debian GLIBC 2.19-18) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
CentOS
On CentOS 7, follow these steps.
sudo yum -y makecache fast
sudo yum clean all
sudo yum -y update glibc
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
rpm -qa glibc
It should show this:
glibc-2.17-106.el7_2.4.x86_64
How do I know if I have CentOS 6 or 7?
Run this command:
cat /etc/centos-release
You should get a response like this:
CentOS release 6.5 (Final)
or this:
CentOS Linux release 7.1.1503 (Core)
How do I know which version of Debian I have?
Run this command:
cat /etc/debian_version
You should get a response like this:
8.0
or this:
7.9
Run this command for more specific information:
lsb_release -da
Your output will be similar to this:
$ lsb_release -da
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.0 (jessie)
Release:        8.0
Codename:       jessie
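The checks above (reading the glibc version from ldd --version, identifying the CentOS or Debian release, and comparing the installed package against the patched builds) can be scripted so they run the same way on every host. The script below is an added example and is not from the original post or from any distribution's tooling; the fixed package versions are the ones listed earlier on this page, while the function names and the sample command output are constructed for the example. One point it makes explicit: a backported fix keeps the base version (a patched CentOS 7 still reports 2.17), so ldd --version alone only tells you whether the host is in the affected range, and the package version is what confirms the fix. The version comparison uses GNU/BSD sort -V as an approximation of the rpm and dpkg ordering rules; on the box itself rpmdev-vercmp or dpkg --compare-versions is authoritative.

```shell
#!/bin/sh
# Added example (not from the original post): decide from captured command
# output whether a host still needs the CVE-2015-7547 glibc update.
# Fixed package versions are the ones listed in the post; function names and
# sample output are constructed for this example.

# Major release of a CentOS box from the /etc/centos-release line, e.g.
# "CentOS release 6.5 (Final)" -> 6, "CentOS Linux release 7.1.1503 (Core)" -> 7
centos_major() {
    printf '%s\n' "$1" | sed -n 's/^CentOS[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# glibc version from the first line of `ldd --version` output, e.g.
# "ldd (GNU libc) 2.17" -> 2.17, "ldd (Debian GLIBC 2.19-18) 2.19" -> 2.19
ldd_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# Exit 0 when an x.y glibc version is in the affected range (2.9 and later).
# Exit 2 when the argument does not look like a version at all.
glibc_affected() {
    case $1 in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    minor=${1#*.}; minor=${minor%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; }
}

# Exit 0 when $1 sorts at or after $2 under `sort -V` (GNU and BSD sort).
# Approximates the rpm/dpkg ordering; rpmdev-vercmp and
# `dpkg --compare-versions` are authoritative on a real host.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Exit 0 when the installed glibc RPM (one line of `rpm -qa glibc`) is at
# least the fixed build for its release; exit 2 for an unrecognised release.
centos_glibc_fixed() {
    case $1 in
        *.x86_64|*.i686|*.noarch) nvr=${1%.*} ;;   # drop the architecture suffix
        *) nvr=$1 ;;
    esac
    case $nvr in
        *.el7*) version_ge "$nvr" glibc-2.17-106.el7_2.4 ;;
        *.el6*) version_ge "$nvr" glibc-2.12-1.166.el6_7.7 ;;
        *)      return 2 ;;
    esac
}

# Exit 0 when a Debian stable libc6 version (for example from
# `dpkg-query -W -f '${Version}' libc6`) is at least the fixed jessie build.
debian_glibc_fixed() {
    version_ge "$1" 2.19-18+deb8u3
}

# Constructed sample output standing in for a CentOS 7 host that has already
# been updated; replace with the real output of the commands on a host.
sample_release='CentOS Linux release 7.1.1503 (Core)'
sample_ldd='ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.'
sample_rpm='glibc-2.17-106.el7_2.4.x86_64'

ver=$(ldd_version "$sample_ldd")
echo "CentOS $(centos_major "$sample_release"), glibc $ver"
if glibc_affected "$ver"; then
    echo "glibc $ver is in the affected range; checking the installed build"
    if centos_glibc_fixed "$sample_rpm"; then
        echo "$sample_rpm already carries the CVE-2015-7547 fix"
    else
        echo "$sample_rpm is older than the fixed build: update glibc and reboot"
    fi
else
    echo "glibc $ver predates the affected range"
fi
```

Each function signals its verdict through its exit status, so the same checks can drive an inventory loop (feed it the output of rpm -qa glibc collected from many hosts) or a monitoring check without parsing printed text.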
Created on 19 February 2016