glibc security hole

Here users can ask questions about security and tutorials about security can be posted to help others, too.
sagax
Forum Novice
Posts: 19
Age: 74
Joined: Sat Dec 01, 2007 7:53 pm

glibc security hole

#1 Post by sagax » Tue Feb 03, 2015 1:23 pm

Ghost, as it has been dubbed, is a buffer overflow issue that affects any system running glibc-2.2 or earlier. The official function in the GNU C Library that allows for the buffer overflow is _nss_hostname_digits_dots().

Will an upgrade be released to the repository for older versions of Mepis?

kmathern
Forum Veteran
Posts: 9036
Age: 59
Joined: Wed Jul 12, 2006 2:26 pm

Re: glibc security hole

#2 Post by kmathern » Tue Feb 03, 2015 1:37 pm

Wheezy had some libc6 (which is from the eglibc source package) updates last week that I think address that vulnerability. MX-14 and Mepis 12 would've received those updates.

Here's the changelog entry:

Code:

eglibc (2.13-38+deb7u7) wheezy-security; urgency=medium

  * debian/patches/any/cvs-gethostbyname.diff: new patch from upstream
    to fix a buffer overflow in gethostbyname (CVE-2015-0235).
  * debian/patches/any/cvs-iconvdata-ibm930.diff: new patch from upstream to
    fix a possible crash when using the iconv function to convert IBM930
    encoded data (CVE-2012-6656).
  * debian/patches/any/cvs-iconvdata-ibm.diff: new patch from upstream to fix
    fix a possible crash when using the iconv function to convert IBM933,
    IBM935, IBM937, IBM939, IBM1364 encoded data (CVE-2014-6040).
  * debian/patches/any/cvs-wordexp.diff: new patch from upstream to fix a
    command execution in wordexp() with WRDE_NOCMD specified (CVS-2014-7817).

 -- Aurelien Jarno <aurel32@debian.org>  Tue, 27 Jan 2015 00:38:49 +0100


sagax wrote: ...Will an upgrade be released to the repository for older versions of Mepis?

For Mepis 11, I think if you have the Squeeze LTS repo enabled, that it probably also got those updates, but I would need to double-check.



edit:
For Mepis 11 it looks like the 2.11.3-4+deb6u4 version of libc6 (eglibc) has been patched for that vulnerability.

Code:

eglibc (2.11.3-4+deb6u4) squeeze-lts; urgency=medium

  * Non-maintainer upload by the Squeeze LTS team.
  * debian/patches/any/cvs-gethostbyname.diff: new patch from upstream
    to fix a buffer overflow in gethostbyname (CVE-2015-0235).

 -- Holger Levsen <holger@debian.org>  Tue, 27 Jan 2015 23:57:55 +0100

See the Mepis 11 sources.list wiki page if you haven't yet added the squeeze-lts repo: http://www.mepis.org/docs/en/index.php?title=Sources.list_MEPIS_11
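A way to check an installed libc6 against the two fixed versions quoted in the changelogs above (2.13-38+deb7u7 for wheezy, 2.11.3-4+deb6u4 for squeeze-lts). This is an added example, not code from the thread or from Debian; the version ordering reimplements dpkg's comparison rules in Python, and the suite names and the installed_libc6_version helper are assumptions.

```python
import re
import subprocess

# Minimum libc6 versions carrying the CVE-2015-0235 fix, taken from the changelogs quoted above
FIXED_LIBC6 = {"wheezy": "2.13-38+deb7u7", "squeeze-lts": "2.11.3-4+deb6u4"}

def _order(c):
    # dpkg's weighting of non-digit characters: '~' before everything, letters before symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(fragment):
    # Split into alternating (non-digit run, number) pairs; the trailing 0 in each letter tuple
    # makes '~' (-1) sort below end-of-string (0), as dpkg does
    return [(tuple(_order(c) for c in letters) + (0,), int(digits or 0))
            for letters, digits in re.findall(r"(\D*)(\d*)", fragment)]

def _fragment_cmp(a, b):
    ka, kb = _key(a), _key(b)
    n = max(len(ka), len(kb))
    ka += [((0,), 0)] * (n - len(ka))  # missing trailing parts count as empty
    kb += [((0,), 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def _split(version):
    # Debian version syntax: [epoch:]upstream[-revision]
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, ordered as dpkg --compare-versions orders a and b
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea > eb) - (ea < eb) or _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)

def is_ghost_patched(suite, installed_version):
    # True when the installed libc6 is at least the fixed version for that suite
    return compare_versions(installed_version, FIXED_LIBC6[suite]) >= 0

def installed_libc6_version():
    # Assumed helper: ask dpkg for the installed libc6 version (Debian-based systems only)
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "libc6"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()
```

A backported or tilde-suffixed build (for example one ending in ~bpo70+1) is deliberately treated as older than the release it precedes, which is what makes a naive string comparison unreliable here.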

sagax
Forum Novice
Posts: 19
Age: 74
Joined: Sat Dec 01, 2007 7:53 pm

Re: glibc security hole

#3 Post by sagax » Thu Feb 05, 2015 4:48 pm

Thank you, esp. the correct sources.list.

sagax
Forum Novice
Posts: 19
Age: 74
Joined: Sat Dec 01, 2007 7:53 pm

Re: glibc security hole

#4 Post by sagax » Thu Feb 26, 2015 6:28 pm

Many thanks to all.
