Patching glibc CVE-2015-7547 Vulnerability

Published on 19 February 2016

There is a new vulnerability alert affecting glibc versions 2.9 and above on various Linux distributions. This is a stack-based buffer overflow when the getaddrinfo() library is used. A remote attacker can exploit it with specific domain names and controlled DNS servers or MIM attack.

CVE-2015-7547 has been outlined here here (debian.org), here (redhat.com) and Google online security blog.

First, find out what version of glibc you have.

$ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

A glibc version equal to or greater than 2.9 would mean you have to patch your server at the earliest, if you haven't already. To see the exact version on CentOS run this command.

rpm -qa glibc

This is a list of patched versions: + Debian stable: 2.19-18+deb8u3 (jessie) + Debian testing: 2.21-8 (sid) + CentOS 7: glibc-2.17-106.el7_2.4.x86_64 + CentOS 6: glibc-2.12-1.166.el6_7.7.x86_64 or glibc-2.12-1.166.el6_7.7.i686

Debian and Ubuntu

On Debian and Ubuntu, follow these steps.

sudo apt-get update
sudo apt-get upgrade
sudo reboot

After it reboots, check the glibc version again to confirm that it is now the patched version.

You should get something like this:

$ ldd --version
ldd (Debian GLIBC 2.19-18) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

CentOS

On CentOS 7, follow these steps.

sudo yum -y makecache fast
sudo yum clean all
sudo yum -y update glibc
sudo reboot

After it reboots, check the glibc version again to confirm that it is now the patched version.

rpm -qa glibc

It should show this:

glibc-2.17-106.el7_2.4.x86_64

How do I know if I have CentOS 6 or 7?

Run this command:

cat /etc/centos-release

You should get a response like this:

CentOS release 6.5 (Final)

or this:

CentOS Linux release 7.1.1503 (Core)

How do I know which version of Debian I have?

Run this command:

cat /etc/debian_version

You should get a response like this:

8.0

or this:

7.9

Run this command for more specific information:

lsb_release -da

Your output will be similar to this:

$ lsb_release -da
No LSB modules are available.
Distributor ID:    Debian
Description:       Debian GNU/Linux 8.0 (jessie)
Release:           8.0
Codename:          jessie

Created on 19 February 2016

TAGS: debian, ubuntu, centos, glibc, vulnerability

Affiliate Disclosure: Some of the links to products on this blog are affiliate links. It simply means, at no additional cost to you, we’ll earn a commission if you click through and buy any product.