thanks John, is secur...@cloudstack.apache.org a mail list?
how to join it?

2015-01-29 5:05 GMT+08:00 John Kinsella <j...@stratosec.co>:
> FYI the blog post mentioned below now has links to updated SSVM templates.
>
>> On Jan 28, 2015, at 11:49 AM, John Kinsella <j...@stratosec.co> wrote:
>>
>> Folks - just posted mitigation details at [1]. An updated SSVM template is
>> being QAed, once released the post will be updated with links and we’ll
>> mention here as well.
>>
>> John
>> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
>>
>> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>>
>> Hi,
>>
>> While it's a general public news, everyone is requested and encouraged
>> to use the security mailing list in future to report anything. For more
>> details please read: http://cloudstack.apache.org/security.html
>>
>> Thanks and regards.
>>
>> On Wednesday 28 January 2015 03:34 PM, linux...@gmail.com wrote:
>> A critical vulnerability has been found in glibc, the GNU C library,
>> that affects all Linux systems dating back to 2000. Attackers can use
>> this flaw to execute code and remotely gain control of Linux machines.
>>
>> The issue stems from a heap-based buffer overflow found in the
>> __nss_hostname_digits_dots() function in glibc. That particular
>> function is used by the _gethostbyname function calls.
>>
>> “A remote attacker able to make an application call either of these
>> functions could use this flaw to execute arbitrary code with the
>> permissions of the user running the application,” said an advisory
>> from Linux distributor Red Hat.
>>
>> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
>> because of its relation to the _gethostbyname function. Researchers at
>> Qualys discovered the flaw, and say it goes back to glibc version 2.2
>> in Linux systems published in November 2000.
>>
>> According to Qualys, there is a mitigation for this issue that was
>> published May 21, 2013 between patch glibc-2.17 versions and
>> glibc-2.18.
>>
>> “Unfortunately, it was not recognized as a security threat; as a
>> result, most stable and long-term-support distributions were left
>> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
>> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
>> Qualys posted to the OSS-Security mailing list.
>>
>> Respective Linux distributions will be releasing patches; Red Hat has
>> released an update for Red Hat Enterprise Linux v.5 server. Novell has
>> a list of SUSE Linux Enterprise Server builds affected by the
>> vulnerability. Debian has already released an update of its software
>> addressing the vulnerability.
>>
>> “It’s everywhere, which is kind of the urgency we have here. This has
>> been in glibc for a long time. It was fixed recently, but it was not
>> marked as a security issue, so things that are fairly new should be
>> OK,” said Josh Bressers, a member of the Red Hat security response
>> team. “From a threat level, what it comes down to is a handful of
>> stuff that’s probably dangerous that uses this function.”
>>
>> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
>> the chore it was with Bash since so many components made silent Bash
>> calls.
>>
>> “In this instance, you just apply the glibc update, and restart any
>> services that are vulnerable,” Bressers said. “It’s not confusing like
>> Shellshock was.”
>>
>> Qualys, in its advisory, not only shares extremely in-depth technical
>> information on the vulnerability, but also includes a section
>> explaining exploitation of the Exim SMTP mail server. The advisory
>> demonstrates how to bypass NX, or No-eXecute protection as well as
>> glibc malloc hardening, Qualys said.
>>
>> Qualys also said that in addition to the 2013 patch, other factors
>> mitigate the impact of the vulnerability, including the fact that the
>> gethostbyname functions are obsolete because of IPv6 and newer
>> applications using a different call, getaddrinfo(). While the flaw is
>> also exploitable locally, this scenario too is mitigated because many
>> programs rely on gethostbyname only if another preliminary call fails
>> and a secondary call succeeds in order to reach the overflow. The
>> advisory said this is “impossible” and those programs are safe.
>>
>> There are mitigations against remote exploitation too, Qualys said.
>> Servers, for example, use gethostbyname to perform full-circle reverse
>> DNS checks. “These programs are generally safe because the hostname
>> passed to gethostbyname() has normally been pre-validated by DNS
>> software,” the advisory said.
>>
>> “It’s not looking like a huge remote problem, right now,” Bressers said.
>>
>> However, while the bug may have been dormant since 2000, there is no
>> way to tell if criminals or government-sponsored hackers have been
>> exploiting this vulnerability. Nor is there any way to tell what will
>> happen once legitimate security researchers—and black hats—begin
>> looking at the vulnerability now that it’s out in the open. With Bash,
>> for example, it didn’t take long for additional security issues to
>> rise to the surface.
>>
>> - See more at:
>> https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679
>>
>> --
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 8826230892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>> PS. If you see any footer below, I did not add it :)
>

-- 
白清杰 (Born Bai)
Mail: linux...@gmail.com
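The quoted article's remediation advice is "apply the glibc update, and restart any services that are vulnerable". The second half is the part operators tend to miss: a process keeps using the libc image it mapped at start-up, so an updated package on disk does nothing for services that were already running. The POSIX shell script below is an added example, not code from the thread, the CloudStack project or any of the people quoted. It reads /proc/<pid>/maps and flags processes whose libc mapping is marked "(deleted)", which is what the kernel shows once the package manager has replaced the file. The function names and the two sample maps excerpts (addresses, inode numbers and paths) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): after installing the
# glibc update, find processes that still have the old, now-deleted libc
# mapped. Those are the ones that must be restarted, because a running
# process keeps the library image it loaded even after the file on disk
# has been replaced by the package upgrade.

# Constructed sample /proc/<pid>/maps excerpts used for the demo and tests.
# Addresses, inode numbers and paths are made up.
SAMPLE_STALE='7f3a1c000000-7f3a1c1a5000 r-xp 00000000 08:01 131234 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f3a1c1a5000-7f3a1c3a4000 ---p 001a5000 08:01 131234 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f3a1c5b0000-7f3a1c5d0000 r-xp 00000000 08:01 131400 /lib/x86_64-linux-gnu/ld-2.13.so'
SAMPLE_CLEAN='7f3a1c000000-7f3a1c1a5000 r-xp 00000000 08:01 131300 /lib/x86_64-linux-gnu/libc-2.13.so
7f3a1d000000-7f3a1d020000 r-xp 00000000 08:01 131310 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0'

# maps_has_stale_libc [FILE]
# Exit 0 if the maps content (FILE, or stdin when no argument is given)
# references a libc image that was deleted on disk, i.e. the process is
# still running the pre-update library. Matches "libc-2.xx.so" and
# "libc.so.6" style names; "libcrypto" and similar do not match because
# of the [-.] required right after "libc".
maps_has_stale_libc() {
    grep -Eq '/libc[-.][^ ]* \(deleted\)$' "${1:--}"
}

# list_stale_libc_processes
# Walk /proc and print "<pid> <command line>" for every process that
# needs a restart. Reading other users' maps files requires root.
list_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# glibc_version
# Print the running system's glibc version string as reported by ldd.
# Caveat: distributions backport security fixes without bumping this
# number, so compare it against your distribution's advisory rather than
# against the upstream 2.18 release mentioned in the article.
glibc_version() {
    ldd --version 2>/dev/null | sed -n '1s/.* //p'
}

# Demo: first on the constructed samples, then on the live system.
printf 'stale sample: '
printf '%s\n' "$SAMPLE_STALE" | maps_has_stale_libc && echo "needs restart" || echo "ok"
printf 'clean sample: '
printf '%s\n' "$SAMPLE_CLEAN" | maps_has_stale_libc && echo "needs restart" || echo "ok"
echo "glibc version: $(glibc_version)"
echo "processes still mapping a deleted libc:"
list_stale_libc_processes
```

Run it as root after the glibc package has been upgraded; every PID it prints is a service that is still executing the old library and should be restarted (or the host rebooted, which is the simpler option when the list is long or includes init). The version function is only a sanity check: because distributions ship backported fixes under their own package versions, the authoritative test is the package version named in your distribution's advisory, not the upstream glibc number.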