Updates:

Many new features now available including 2-Factor authentication

UPGRADE NOW!

Started by Mad Penguin, February 17, 2016, 10:57:37 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Mad Penguin

Ok, for anyone who missed it, one of the core Linux maintenance teams appears to have screwed up really badly. As a result, you should really consider upgrading your system ASAP. You will hear people say "yeah, but it's difficult to implement the exploit", and they may be correct. However, once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.

Details of the issue are here; https://sourceware.org/bugzilla/show_bug.cgi?id=18665 (https://sourceware.org/bugzilla/show_bug.cgi?id=18665)
The Ubuntu-specific details / fix details are here; http://www.ubuntu.com/usn/usn-2900-1/ (http://www.ubuntu.com/usn/usn-2900-1/)



https://twitter.com/garethbult
https://gareth.bult.co.uk

Mad Penguin

How to check if your network is safe; (switch out 'host<n>' for the names of your machines)

for host in host1 host2 host3 host4 host5 host6; do echo -n ">$host: "; ssh [email protected]$host apt-cache policy libc6 | grep "Install";done
Quote
>host1:   Installed: 2.21-0ubuntu4.1
>host2:   Installed: 2.19-0ubuntu6.7
>host3:   Installed: 2.19-0ubuntu6.7
>host4:   Installed: 2.19-0ubuntu6.7
>host5:   Installed: 2.21-0ubuntu4.1
>host6:   Installed: 2.21-0ubuntu4.1

The versions you see will depend on the version of LIBC6 on your system. Check with your OS vendor to make sure the versions you have are 'safe', again the Ubuntu page is here; http://www.ubuntu.com/usn/usn-2900-1/ (http://www.ubuntu.com/usn/usn-2900-1/)
https://twitter.com/garethbult
https://gareth.bult.co.uk


Mark Greaves (PCNetSpec)

TVM, I've posted an advisory on the Peppermint forum to run a full system update .. the patched libc6 is already in the repos :)
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Screagle

Mark, many thanks for notification.  As it happens I'm in the habit of using the Refresh tab on Update Manager every couple of days regardless of whether or not updates are flagged by ! on the toolbar.  Probably a bit 'belt and braces' for some but works for me...   
Peppermint Six Acer ZG5 1.5Gb RAM 64Gb SSD

galaxytdm

Hmmm.
I'm a little worried about the sanity of Linux users in general here.  ::)
MP posted this at 11:00 am as "Linux maintenance teams appears to have screwed up really badly" and "once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open."
Then a mere 10 hours later MG tells us that the problem has been patched and rolled out. The update took 2 minutes and didn't break anything.
I think paranoia is running a little high there.  ;)
From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.
If you need help ask a professional, then act upon their advice.
Anything less and you're just wasting peoples time.


wishbone

Quote from: galaxytdm on February 20, 2016, 11:16:30 AM

From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.

Seconded, what an incredible bunch of people out there, and on this forum as well. 8)

Mad Penguin

Yeah. Unfortunately. There are a few issues ..

1. Ubuntu server installs *do not* activate automatic updates by default - there are by all accounts, many millions out there
2. Lots of people disable automatic updates, or at least ignore them until there is a problem
3. Only *SOME* versions have been patched. If you're on 15.04, you are still exposed unless you've compiled your own patch!

This is NOT paranoia - you have been warned!

1. You may like to read this; http://www.theregister.co.uk/2016/02/20/glibc_kaminsky_cve_2015_7547/ (http://www.theregister.co.uk/2016/02/20/glibc_kaminsky_cve_2015_7547/)
2. You may note from this article - the exploit is now "out there" !!

The update takes 30 seconds and doesn't break anything, IF you do the update and IF you are on a version of Linux that has been patched.
- the issue has been outstanding for many many years, and known about for over a year by the security community, apparently Redhat filed it as something to look into about a year ago. So, all of the above within the context of "assuming you've not already been pwned". If it took Yahoo engineers a couple of days to engineer an exploit, and given "others" have known about the exploit for over a year .. does that not send a shiver down your spine???
https://twitter.com/garethbult
https://gareth.bult.co.uk