Thanks, Dan!
On 2/19/2016 9:08 AM, Dan McAllister wrote:
Gentle Readers:
Google and Red Hat have independently discovered a SERIOUS vulnerability in glibc, present since the release of version 2.9 --
remote code execution is more than just a theoretical possibility!
Detailed technical details are available on the Google security blog at
https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html,
but essentially, the glibc DNS client side resolver is vulnerable to a
stack-based buffer overflow when the getaddrinfo() library function
is used. (This is the access of the servers listed in /etc/resolv.conf
to execute DNS lookups - and has NOTHING TO DO with hosting your
own DNS server or resolver!)
If you are running a mail server (QMail or other), you are relying
HEAVILY on this library ... at EXACTLY the crux of this vulnerability!
Do yourself a favor and update TODAY (or, at the very least, over the
weekend!).
If you are running RHEL or CentOS 6 or 7, you are likely vulnerable.
(If you are still on RHEL or CentOS 4 or 5, your procrastination has
accidentally served you well - you never got the update to 2.9, and so
while you do have other vulnerabilities, you don't have THIS ONE!).
Red Hat has released a PATCH -- and in 6, you will have to reboot to
effect the change. Fortunately, in 7 there is a command that will swap
in the new glibc "live". (See below)
The earliest PATCHED versions of glibc for Red Hat/CentOS are:
- RHEL/COS 6 : glibc-2.12-1.166.el6_7.7
- RHEL/COS 7 : glibc-2.17-106.el7_2.4
NOTE: On 7, you can run the command: systemctl daemon-reexec
to load the updated library, and thus avoid a reboot.
If you haven't updated your system within the past day or two, you
likely need this patch! A simple "yum update -y" should get you
the newest version, as the REPOs should all have the latest release by
now.
Have a good weekend! LOL
Dan McAllister
IT4SOHO
PS: Yes, I have over 40 Linux servers that will have to be managed in
the next 2-3 days... happy working weekend for me!
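A check for the patched builds Dan lists, as an added example that is not part of the original thread: it compares an installed glibc package string (as printed by `rpm -q glibc`) field by field against the first fixed build for its el6/el7 dist tag. The sample package strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original e-mail: is an installed RHEL/CentOS
# glibc package at or above the first build fixed for CVE-2015-7547?
# The fixed builds are the ones quoted in the message above.
FIXED_EL6="glibc-2.12-1.166.el6_7.7"
FIXED_EL7="glibc-2.17-106.el7_2.4"

# version_ge A B: exit 0 when package string A is >= B. Both are reduced
# to their numeric fields (2.12-1.166.el6_7.7 -> 2 12 1 166 6 7 7) and
# compared left to right; a trailing arch such as .x86_64 is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^glibc-/, "", a); sub(/^glibc-/, "", b)
        sub(/\.(x86_64|i686|noarch)$/, "", a)
        sub(/\.(x86_64|i686|noarch)$/, "", b)
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# glibc_patched PKG: print a verdict; exit 0 = patched, 1 = vulnerable,
# 2 = not an el6/el7 package (el4/el5 never reached 2.9, per the message).
glibc_patched() {
    case "$1" in
        *.el6*) fixed=$FIXED_EL6 ;;
        *.el7*) fixed=$FIXED_EL7 ;;
        *) echo "$1: no el6/el7 dist tag, check manually"; return 2 ;;
    esac
    if version_ge "$1" "$fixed"; then
        echo "$1: patched (>= $fixed)"; return 0
    fi
    echo "$1: VULNERABLE (< $fixed), run yum update"; return 1
}

# Constructed sample package strings, in the form 'rpm -q glibc' prints.
for pkg in glibc-2.12-1.166.el6_7.7.x86_64 glibc-2.12-1.166.el6_7.3.x86_64 \
           glibc-2.17-106.el7_2.4.x86_64 glibc-2.17-105.el7_2.8.i686; do
    glibc_patched "$pkg" || true
done
```

On a real host, feed every installed package (multilib boxes list both arches): `rpm -q glibc | while read -r p; do glibc_patched "$p"; done`.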