UPGRADE NOW!

madpenguin · 17 February 2016 10:57

Ok, for anyone who missed it, one of the core Linux maintenance teams appears to have screwed up really badly. As a result, you should really consider upgrading your system ASAP. You will hear people say “yeah, but it’s difficult to implement the exploit”, and they may be correct. However, once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.

Details of the issue are here; https://sourceware.org/bugzilla/show_bug.cgi?id=18665
The Ubuntu-specific details / fix details are here; USN-2900-1: GNU C Library vulnerability | Ubuntu security notices | Ubuntu

madpenguin · 17 February 2016 11:26

How to check if your network is safe; (switch out ‘host’ for the names of your machines)

for host in host1 host2 host3 host4 host5 host6; do echo -n ">$host: "; ssh root@$host apt-cache policy libc6 | grep "Install";done

>host1: Installed: 2.21-0ubuntu4.1 >host2: Installed: 2.19-0ubuntu6.7 >host3: Installed: 2.19-0ubuntu6.7 >host4: Installed: 2.19-0ubuntu6.7 >host5: Installed: 2.21-0ubuntu4.1 >host6: Installed: 2.21-0ubuntu4.1

The versions you see will depend on the version of LIBC6 on your system. Check with your OS vendor to make sure the versions you have are 'safe', again the Ubuntu page is here; http://www.ubuntu.com/usn/usn-2900-1/

Mark_Greaves_PCNetSp · 17 February 2016 20:21

TVM, I’ve posted an advisory on the Peppermint forum to run a full system update … the patched libc6 is already in the repos

Screagle · 19 February 2016 15:55

Mark, many thanks for notification. As it happens I’m in the habit of using the Refresh tab on Update Manager every couple of days regardless of whether or not updates are flagged by ! on the toolbar. Probably a bit ‘belt and braces’ for some but works for me…

galaxytdm · 20 February 2016 11:16

Hmmm.
I’m a little worried about the sanity of Linux users in general here. :
MP posted this at 11:00 am as “Linux maintenance teams appears to have screwed up really badly” and “once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.”
Then a mere 10 hours later MG tells us that the problem has been patched and rolled out. The update took 2 minutes and didn’t break anything.
I think paranoia is running a little high there.
From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.

wishbone · 20 February 2016 20:36

Seconded, what an incredible bunch of people out there, and on this forum as well. 8)

madpenguin · 21 February 2016 02:50

Yeah. Unfortunately. There are a few issues …

Ubuntu server installs do not activate automatic updates by default - there are by all accounts, many millions out there
Lots of people disable automatic updates, or at least ignore them until there is a problem
Only SOME versions have been patched. If you’re on 15.04, you are still exposed unless you’ve compiled your own patch!

This is NOT paranoia - you have been warned!

You may like to read this; Dan Kaminsky is an expert on DNS security – and he's saying: Patch right God damn now • The Register
You may note from this article - the exploit is now “out there” !!

The update takes 30 seconds and doesn’t break anything, IF you do the update and IF you are on a version of Linux that has been patched.

the issue has been outstanding for many many years, and known about for over a year by the security community, apparently Redhat filed it as something to look into about a year ago. So, all of the above within the context of “assuming you’ve not already been pwned”. If it took Yahoo engineers a couple of days to engineer an exploit, and given “others” have known about the exploit for over a year … does that not send a shiver down your spine???