OK, for anyone who missed it, one of the core Linux maintenance teams appears to have screwed up really badly. As a result, you should really consider upgrading your system ASAP. You will hear people say “yeah, but it’s difficult to implement the exploit”, and they may be correct. However, once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.
The versions you see will depend on the version of LIBC6 on your system. Check with your OS vendor to make sure the versions you have are ‘safe’; again, the Ubuntu page is here: http://www.ubuntu.com/usn/usn-2900-1/
Mark, many thanks for notification. As it happens I’m in the habit of using the Refresh tab on Update Manager every couple of days regardless of whether or not updates are flagged by ! on the toolbar. Probably a bit ‘belt and braces’ for some but works for me…
Hmmm.
I’m a little worried about the sanity of Linux users in general here:
MP posted this at 11:00 am as “Linux maintenance teams appears to have screwed up really badly” and “once someone does produce a comprehensive exploit, my guess is that many (most!) home Linux installations are open.”
Then a mere 10 hours later MG tells us that the problem has been patched and rolled out. The update took 2 minutes and didn’t break anything.
I think paranoia is running a little high there.
From a social standpoint I find it interesting that when someone found this problem, instead of exploiting it like any normal (windoze user) person with the skills to find it, it was reported for the good of all.
Big thumbs up from me for that, we need more people like this in the world.
You may note from this article that the exploit is now “out there”!!
The update takes 30 seconds and doesn’t break anything, IF you do the update and IF you are on a version of Linux that has been patched.
The issue has been outstanding for many, many years, and known about for over a year by the security community; apparently Red Hat filed it as something to look into about a year ago. So, all of the above is within the context of “assuming you’ve not already been pwned”. If it took Yahoo engineers a couple of days to engineer an exploit, and given “others” have known about the exploit for over a year … does that not send a shiver down your spine???