
#1 2015-01-28 17:31:18

hextet
Member
Registered: 2015-01-28
Posts: 9

Linux Ghost Vulnerability CVE-2015-0235

Just heard about this, the bug is old (discovered around 2013 I believe) but was just released as a security advisory today or yesterday.

This link shows you how to determine if your system is vulnerable, and how to patch the bug, although it doesn't include how to patch on Arch systems. I tested my system and it isn't vulnerable, so for the most part if you keep your system up to date it shouldn't be vulnerable either, but it doesn't hurt to check!

http://www.cyberciti.biz/faq/cve-2015-0 … hel-linux/


#2 2015-01-28 17:36:22

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,787

Re: Linux Ghost Vulnerability CVE-2015-0235

Arch isn't affected because it uses a version of glibc that came after the bug you mentioned was fixed. Only glibc versions pre-dating the original fix are affected, and the patch is now being backported to those versions.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.


#3 2015-01-28 17:38:58

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163

Re: Linux Ghost Vulnerability CVE-2015-0235

Unless you're deliberately using an older version of glibc with Arch which just so happens to be affected, I don't think we need to be too worried here.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository


#4 2015-01-28 17:43:25

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: Linux Ghost Vulnerability CVE-2015-0235

I was about to post in this in our grr thread.  Archlinux had the fixed glibc version over a year and a half ago.  Those who say the sky is falling really need to stop and actually look outside once in a while (not referring to this thread - but to my university's IT "professional" who sent out the dumbest email about this to the entire university acting like it was the end of the world).


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#5 2015-01-28 17:48:32

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163

Re: Linux Ghost Vulnerability CVE-2015-0235

Trilby wrote:

I was about to post in this in our grr thread.  Archlinux had the fixed glibc version over a year and a half ago.  Those who say the sky is falling really need to stop and actually look outside once in a while (not referring to this thread - but to my university's IT "professional" who sent out the dumbest email about this to the entire university acting like it was the end of the world).

On Google+, there's a guy (who I won't name) going around promoting his article about this security vulnerability, which incidentally is written in such a way that mother said "so, all Linux devices, including Android phones, are affected, right?". Same guy seems to write articles monthly about how Linux is dying on the Desktop Computer...

On that note, I wonder whether we need to keep this thread open before it turns into a GRR-fest.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository


#6 2015-01-28 17:49:27

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 11,787

Re: Linux Ghost Vulnerability CVE-2015-0235

Trilby wrote:

I was about to post in this in our grr thread.  Archlinux had the fixed glibc version over a year and a half ago.  Those who say the sky is falling really need to stop and actually look outside once in a while (not referring to this thread - but to my university's IT "professional" who sent out the dumbest email about this to the entire university acting like it was the end of the world).

S/he's possibly just stressed. I've been doing nothing but sending emails all day advising people to upgrade/how to check if they're affected/scheduling reboots of servers/etc. It's been a pain in the arse, but fortunately a lot of machines in my department are running Ubuntu 14.04, which isn't affected, and most of the others have automatic security updates enabled, so a quick reboot is all that's needed.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.
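
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above, comparing a glibc version against the fix and finding processes that still run the old library after an upgrade (the reason for the reboots mentioned in the previous post). It assumes the upstream release numbers 2.2 (bug introduced) and 2.18 (first fixed release), which the thread does not state; all function names are hypothetical and the sample `/proc` tree is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed upstream facts: the bug entered
# glibc in 2.2 and the fix first shipped in the 2.18 release.
INTRODUCED="2.2"
FIXED_UPSTREAM="2.18"

# ver_lt A B: succeed when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ghost_status VERSION: classify a glibc version; a package release suffix
# such as "-6" is ignored. Version alone cannot see a distro backport.
ghost_status() {
    gs_v="${1%%-*}"
    case "$gs_v" in ''|*[!0-9.]*) echo "unknown"; return 0 ;; esac
    if ver_lt "$gs_v" "$INTRODUCED"; then echo "predates-bug"
    elif ver_lt "$gs_v" "$FIXED_UPSTREAM"; then echo "affected-unless-backported"
    else echo "fixed-upstream"
    fi
}

# running_glibc: version of the libc this shell's tools resolve (glibc only).
running_glibc() { getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'; }

# stale_libc_pids [PROC_ROOT]: PIDs still mapping a libc file that has been
# replaced on disk; they keep the old code until restarted.
stale_libc_pids() {
    for sl_maps in "${1:-/proc}"/[0-9]*/maps; do
        [ -r "$sl_maps" ] || continue
        if grep -Eq '/libc[-.][^ /]* \(deleted\)$' "$sl_maps" 2>/dev/null; then
            sl_pid="${sl_maps%/maps}"; echo "${sl_pid##*/}"
        fi
    done
}

# Constructed sample: a fake /proc with one stale and one current process.
make_sample_proc() {
    sp_dir="$(mktemp -d)"; mkdir -p "$sp_dir/101" "$sp_dir/202"
    echo '7f00-7f01 r-xp 00000000 08:01 11 /usr/lib/libc-2.17.so (deleted)' > "$sp_dir/101/maps"
    echo '7f00-7f01 r-xp 00000000 08:01 12 /usr/lib/libc-2.18.so' > "$sp_dir/202/maps"
    echo "$sp_dir"
}

echo "running glibc: $(ghost_status "$(running_glibc)")"
echo "stale in sample: $(stale_libc_pids "$(make_sample_proc)")"
```

Run `stale_libc_pids` with no argument as root to scan the live `/proc`; an "affected-unless-backported" result means the distribution's security tracker or package changelog has to settle the question.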


#7 2015-01-28 18:01:47

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: Linux Ghost Vulnerability CVE-2015-0235

I like the line from the cyberciti link:

"A list of affected Linux distros
...
Arch Linux glibc version <= 2.18-1"

Well...

2013-08-25	upgpkg: glibc 2.18-3	allan	-1/+2
2013-08-16	hack fix strstr issues, patch readdir_r CVE	allan	-5/+311
2013-08-13	upstream update, adjust systemd files to those agreed upstream, remove old pa...	allan	-338/+13
2013-05-30	upgpkg: glibc 2.17-6	allan	-10/+8

EDIT: Oh, overlooked Trilby's post. That's what we get for living on the bleeding edge.

Last edited by Awebb (2015-01-28 18:02:40)


#8 2015-01-28 18:24:06

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

