There is a new vulnerability alert affecting glibc versions 2.9 and above on various Linux distributions. This is a stack-based buffer overflow when the getaddrinfo() library is used. A remote attacker can exploit it with specific domain names and controlled DNS servers or MIM attack.
CVE-2015-7547 has been outlined here here (debian.org), here (redhat.com) and Google online security blog.
First, find out what version of glibc you have.
$ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
A glibc version equal to or greater than 2.9 would mean you have to patch your server at the earliest, if you haven't already. To see the exact version on CentOS run this command.
rpm -qa glibc
This is a list of patched versions: + Debian stable: 2.19-18+deb8u3 (jessie) + Debian testing: 2.21-8 (sid) + CentOS 7: glibc-2.17-106.el7_2.4.x86_64 + CentOS 6: glibc-2.12-1.166.el6_7.7.x86_64 or glibc-2.12-1.166.el6_7.7.i686
Debian and Ubuntu
On Debian and Ubuntu, follow these steps.
sudo apt-get update
sudo apt-get upgrade
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
You should get something like this:
$ ldd --version ldd (Debian GLIBC 2.19-18) 2.19 Copyright (C) 2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Written by Roland McGrath and Ulrich Drepper.
CentOS
On CentOS 7, follow these steps.
sudo yum -y makecache fast
sudo yum clean all
sudo yum -y update glibc
sudo reboot
After it reboots, check the glibc version again to confirm that it is now the patched version.
rpm -qa glibc
It should show this:
glibc-2.17-106.el7_2.4.x86_64
How do I know if I have CentOS 6 or 7?
Run this command:
cat /etc/centos-release
You should get a response like this:
CentOS release 6.5 (Final)
or this:
CentOS Linux release 7.1.1503 (Core)
How do I know which version of Debian I have?
Run this command:
cat /etc/debian_version
You should get a response like this:
8.0
or this:
7.9
Run this command for more specific information:
lsb_release -da
Your output will be similar to this:
$ lsb_release -da No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 8.0 (jessie) Release: 8.0 Codename: jessie
Related Posts
- Disabling SELinux in CentOS 7
- Installing the networking in Debian
- Installing Applications and Servers in Debian GNU/Linux
- How to install Debian GNU/Linux on your computer
- How to install Ubuntu 7.10 Edition v1.0 on your Sony PSP
- How to install Python 3.10.7 from source
- Installing Multimedia in Debian
- Installing X Window on Debian
- Change the server date and time in CentOS
- Install Ruby on Rails from source
- Installing a webcam in Linux
- Patching glibc CVE-2015-7547 Vulnerability
- How to change boot sequence between Windows and Linux
- How to fix the shellshock bash bug vulnerability in bash shell
- Installing Ubuntu Linux in VirtualBox
- apt-get and dpkg commands in Debian
- Upgrading the kernel in Debian
- VirtualBox: How to access guest (CentOS) webserver from the host (Mac OS X) on NAT
- Changing file system from Ext2 to Ext3 in Debian
- Play Prince of Persia on Ubuntu Linux using DOSBox
If you have any questions, please contact me at arulbOsutkNiqlzziyties@gNqmaizl.bkcom. You can also post questions in our Facebook group. Thank you.
