glibc security hole

#1

Post by sagax » Tue Feb 03, 2015 1:23 pm

Ghost, as it has been dubbed, is a buffer overflow issue that affects any system running glibc-2.2 or earlier. The official function in the GNU C Library that allows for the buffer overflow is _nss_hostname_digits_dots().

Will an upgrade be released to the repository for older versions of Mepis?

#2

Post by kmathern » Tue Feb 03, 2015 1:37 pm

Wheezy had some libc6 (which is from the eglibc source package) updates last week that I think address that vulnerability. MX-14 and Mepis 12 would've received those updates.

Here's the changelog entry:

eglibc (2.13-38+deb7u7) wheezy-security; urgency=medium

  * debian/patches/any/cvs-gethostbyname.diff: new patch from upstream
    to fix a buffer overflow in gethostbyname (CVE-2015-0235).
  * debian/patches/any/cvs-iconvdata-ibm930.diff: new patch from upstream to
    fix a possible crash when using the iconv function to convert IBM930
    encoded data (CVE-2012-6656).
  * debian/patches/any/cvs-iconvdata-ibm.diff: new patch from upstream to fix
    fix a possible crash when using the iconv function to convert IBM933, 
    IBM935, IBM937, IBM939, IBM1364 encoded data (CVE-2014-6040).
  * debian/patches/any/cvs-wordexp.diff: new patch from upstream to fix a
    command execution in wordexp() with WRDE_NOCMD specified (CVS-2014-7817).

 -- Aurelien Jarno <aurel32@debian.org>  Tue, 27 Jan 2015 00:38:49 +0100

sagax wrote: ...Will an upgrade be released to the repository for older versions of Mepis?

For Mepis 11, I think if you have the Squeeze LTS repo enabled, that it probably also got those updates, but I would need to double-check.



edit:
For Mepis 11 it looks like the 2.11.3-4+deb6u4 version of libc6 (eglibc) has been patched for that vulnerability

eglibc (2.11.3-4+deb6u4) squeeze-lts; urgency=medium

  * Non-maintainer upload by the Squeeze LTS team.
  * debian/patches/any/cvs-gethostbyname.diff: new patch from upstream
    to fix a buffer overflow in gethostbyname (CVE-2015-0235). 

 -- Holger Levsen <holger@debian.org>  Tue, 27 Jan 2015 23:57:55 +0100

See the Mepis 11 sources.list wiki page if you haven't yet added the squeeze-lts repo: http://www.mepis.org/docs/en/index.php? ... t_MEPIS_11

#3

Post by sagax » Thu Feb 05, 2015 4:48 pm

Thank you, esp. for the correct sources.list.

#4

Post by sagax » Thu Feb 26, 2015 6:28 pm

Many thanks to all.
