Author Topic: UPGRADE NOW!  (Read 4501 times)

Offline Mad Penguin

UPGRADE NOW!
« on: February 17, 2016, 10:57:37 am »
Ok, for anyone who missed it, one of the core Linux maintenance teams appears to have screwed up really badly. As a result, you should really consider upgrading your system ASAP. You will hear people say "yeah, but it's difficult to implement the exploit", and they may be correct. However, once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.

Details of the issue are here; https://sourceware.org/bugzilla/show_bug.cgi?id=18665
The Ubuntu-specific details / fix details are here; http://www.ubuntu.com/usn/usn-2900-1/




Offline Mad Penguin

Re: UPGRADE NOW!
« Reply #1 on: February 17, 2016, 11:26:25 am »
How to check if your network is safe; (switch out 'host<n>' for the names of your machines)

Code:
for host in host1 host2 host3 host4 host5 host6; do echo -n ">$host: "; ssh "root@$host" apt-cache policy libc6 | grep "Install"; done
Quote
>host1:   Installed: 2.21-0ubuntu4.1
>host2:   Installed: 2.19-0ubuntu6.7
>host3:   Installed: 2.19-0ubuntu6.7
>host4:   Installed: 2.19-0ubuntu6.7
>host5:   Installed: 2.21-0ubuntu4.1
>host6:   Installed: 2.21-0ubuntu4.1


The versions you see will depend on the version of LIBC6 on your system. Check with your OS vendor to make sure the versions you have are 'safe', again the Ubuntu page is here; http://www.ubuntu.com/usn/usn-2900-1/
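
An added example, not part of the original post: it grades the report printed by the loop above against a per-series minimum instead of comparing versions by eye. The function names, `SAMPLE_POLICY` and the sample hosts are hypothetical, and the minimum versions are placeholders to be replaced with the fixed versions from your vendor's advisory. Hosts that return no version, or a glibc series the policy does not cover, are reported as UNKNOWN rather than OK.

```sh
# Added example: grade the ">host:   Installed: VERSION" report against
# a policy of "series=minimum" pairs (series = text before the first '-').
# ver_lt A B: succeed if package version A is strictly older than B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Approximation for machines without dpkg: GNU version sort.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# min_for POLICY VERSION: print the minimum for VERSION's series, or fail.
min_for() {
    for pair in $1; do
        [ "${pair%%=*}" = "${2%%-*}" ] && { printf '%s\n' "${pair#*=}"; return 0; }
    done
    return 1
}

# check_report POLICY: one verdict per host; status 1 unless every host is OK.
check_report() {
    policy=$1; rc=0
    while IFS= read -r line; do
        host=${line#>}; host=${host%%:*}
        ver=$(printf '%s\n' "$line" | sed -n 's/.*Installed:[[:space:]]*\([^[:space:]]*\).*/\1/p')
        if [ -z "$ver" ]; then
            echo "$host UNKNOWN (no version reported)"; rc=1
        elif ! min=$(min_for "$policy" "$ver"); then
            echo "$host UNKNOWN $ver (series not in policy)"; rc=1
        elif ver_lt "$ver" "$min"; then
            echo "$host OUTDATED $ver (minimum $min)"; rc=1
        else
            echo "$host OK $ver"
        fi
    done
    return $rc
}

# Constructed sample data. The minimums are placeholders: copy the fixed
# versions for each release from your vendor's advisory.
SAMPLE_POLICY='2.19=2.19-0ubuntu6.7 2.21=2.21-0ubuntu4.1'
sample_report() {
    printf '%s\n' '>host1:   Installed: 2.21-0ubuntu4.1' \
        '>host2:   Installed: 2.19-0ubuntu6.6' \
        '>host3:   Installed: 2.15-0ubuntu10' '>host4: '
}
sample_report | check_report "$SAMPLE_POLICY" || echo "some hosts need attention"
```

To use it on real machines, pipe the output of the loop above into `check_report` with your own policy string; the non-zero exit status makes it usable from cron or a monitoring check.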

Offline Mark Greaves (PCNetSpec)

Re: UPGRADE NOW!
« Reply #2 on: February 17, 2016, 08:21:56 pm »
TVM, I've posted an advisory on the Peppermint forum to run a full system update .. the patched libc6 is already in the repos :)
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

Offline Screagle

Re: UPGRADE NOW!
« Reply #3 on: February 19, 2016, 03:55:33 pm »
Mark, many thanks for notification.  As it happens I'm in the habit of using the Refresh tab on Update Manager every couple of days regardless of whether or not updates are flagged by ! on the toolbar.  Probably a bit 'belt and braces' for some but works for me...   
Peppermint Six Acer ZG5 1.5Gb RAM 64Gb SSD

Offline galaxytdm

Re: UPGRADE NOW!
« Reply #4 on: February 20, 2016, 11:16:30 am »
Hmmm.
I'm a little worried about the sanity of Linux users in general here.  ::)
MP posted this at 11:00 am as "Linux maintenance teams appears to have screwed up really badly" and "once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open."
Then a mere 10 hours later MG tells us that the problem has been patched and rolled out. The update took 2 minutes and didn't break anything.
I think paranoia is running a little high there.  ;)
From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it, it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.
If you need help ask a professional, then act upon their advice.
Anything less and you're just wasting people's time.

Offline wishbone

Re: UPGRADE NOW!
« Reply #5 on: February 20, 2016, 08:36:43 pm »
Quote
From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it, it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.

Seconded, what an incredible bunch of people out there, and on this forum as well. 8)

Offline Mad Penguin

Re: UPGRADE NOW!
« Reply #6 on: February 21, 2016, 02:50:47 am »
Yeah. Unfortunately. There are a few issues ..

1. Ubuntu server installs *do not* activate automatic updates by default - there are by all accounts, many millions out there
2. Lots of people disable automatic updates, or at least ignore them until there is a problem
3. Only *SOME* versions have been patched. If you're on 15.04, you are still exposed unless you've compiled your own patch!

This is NOT paranoia - you have been warned!

1. You may like to read this; http://www.theregister.co.uk/2016/02/20/glibc_kaminsky_cve_2015_7547/
2. You may note from this article - the exploit is now "out there" !!

The update takes 30 seconds and doesn't break anything, IF you do the update and IF you are on a version of Linux that has been patched.
- the issue has been outstanding for many many years, and known about for over a year by the security community; apparently Red Hat filed it as something to look into about a year ago. So, all of the above within the context of "assuming you've not already been pwned". If it took Yahoo engineers a couple of days to engineer an exploit, and given "others" have known about the exploit for over a year .. does that not send a shiver down your spine???
