Gentle Readers:
Google and Red Hat have independently discovered a SERIOUS
vulnerability in glibc, present since the release of version 2.9 --
remote code execution is more than just a theoretical possibility!
Full technical details are available on the Google security blog at
https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html,
but essentially, the glibc DNS client-side resolver is vulnerable to a
stack-based buffer overflow when the getaddrinfo() library function is
used. (This is the client code that queries the servers listed in
/etc/resolv.conf to perform DNS lookups - and has NOTHING TO DO with
hosting your own DNS server or resolver!)
If you are running a mail server (QMail or other), you are relying
HEAVILY on this library ... at EXACTLY the crux of this vulnerability!
Do yourself a favor and update TODAY (or, at the very least, over the
weekend!).
If you are running RHEL or CentOS 6 or 7, you are likely vulnerable. (If
you are still on RHEL or CentOS 4 or 5, your procrastination has
accidentally served you well - you never got the update to 2.9, and so
while you do have other vulnerabilities, you don't have THIS ONE!).
Red Hat has released a PATCH -- and in 6, you will have to reboot to
effect the change. Fortunately, in 7 there is a command that will swap
in the new glibc "live". (See below)
The earliest PATCHED versions of glibc for RedHat/CentOS are:
- RHEL/COS 6 : glibc-2.12-1.166.el6_7.7
- RHEL/COS 7 : glibc-2.17-106.el7_2.4
NOTE: On 7, you can run the command: systemctl daemon-reexec to
load the updated library, and thus avoid a reboot.
If you haven't updated your system within the past day or two, you
likely need this patch! A simple yum update -y should get you the
newest version, as the REPOs should all have the latest release by now.
Have a good weekend! LOL
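As an added example (not from Dan's post), here is a small POSIX shell script that checks an installed glibc build against the two patched versions listed above and then lists any processes still mapping the old libc, since a long-running daemon keeps the pre-update library in memory until it is restarted. It assumes rpm and GNU sort -V are available; the version strings it is tested with are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# glibc on RHEL/CentOS 6 or 7 is at or above the earliest patched build the
# post lists for CVE-2015-7547, and find processes still mapping an old libc.
# Assumes GNU sort -V; the sample version strings in the test are constructed.

# Earliest patched builds from the post, as VERSION-RELEASE (no "glibc-" prefix).
PATCHED_EL6="2.12-1.166.el6_7.7"
PATCHED_EL7="2.17-106.el7_2.4"

# glibc_is_patched VERSION-RELEASE MAJOR   (MAJOR is 6 or 7)
# Exit 0 if the installed build is at or above the patched baseline, 1 if it
# is older, 2 if MAJOR is unknown. Version sort is used so that
# 1.166.el6_7.10 counts as newer than 1.166.el6_7.7 (plain string
# comparison would get that wrong).
glibc_is_patched() {
    installed="$1"
    case "$2" in
        6) baseline="$PATCHED_EL6" ;;
        7) baseline="$PATCHED_EL7" ;;
        *) return 2 ;;
    esac
    lowest=$(printf '%s\n%s\n' "$installed" "$baseline" | sort -V | head -n 1)
    [ "$lowest" = "$baseline" ]
}

# After "yum update", any long-running process (qmail-send, sshd, ...) keeps
# the old libc mapped until it is restarted; the kernel shows the unlinked
# file as "(deleted)" in /proc/PID/maps. Prints the PIDs that still need a
# restart (empty output means none).
stale_libc_pids() {
    grep -l 'libc-[0-9.]*\.so.*(deleted)' /proc/[0-9]*/maps 2>/dev/null \
        | sed 's:/proc/\([0-9]*\)/maps:\1:'
}

# Report on the local host when rpm is available (silently skipped elsewhere).
if command -v rpm >/dev/null 2>&1; then
    major=$(sed 's/.*release \([0-9]\).*/\1/' /etc/redhat-release 2>/dev/null)
    ver=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' glibc)
    if glibc_is_patched "$ver" "$major"; then
        echo "glibc-$ver: patched; processes still using the old libc:"
        stale_libc_pids
    else
        echo "glibc-$ver: NOT patched for CVE-2015-7547, run: yum update -y glibc"
    fi
fi
```

Any PID printed by stale_libc_pids (or a non-empty list of "(deleted)" mappings) means the update is on disk but not yet in effect for that service, which is exactly the case a reboot or service restart resolves.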
Dan McAllister
IT4SOHO
PS: Yes, I have over 40 Linux servers that will have to be managed in
the next 2-3 days... happy working weekend for me!