Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Status of GHOST vulnerability? CVE-2015-0235
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
planet-admin
Apprentice
Apprentice


Joined: 27 Mar 2004
Posts: 213
Location: Boise, ID

PostPosted: Wed Jan 28, 2015 12:21 am    Post subject: Status of GHOST vulnerability? CVE-2015-0235 Reply with quote

As noted all over the internet today:

http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/
http://www.openwall.com/lists/oss-security/2015/01/27/9
http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/

There is a significant vulnerability. While we know that Gentoo is a rolling release, it would be good to know exactly what version of glibc we can consider as having been safe if it or greater is installed. What is the official stance on this?

Thanks,
Michael
_________________
Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Web: http://www.GlobalSystemsConsulting.com
Back to top
View user's profile Send private message
saellaven
Guru
Guru


Joined: 23 Jul 2006
Posts: 478

PostPosted: Wed Jan 28, 2015 12:43 am    Post subject: Reply with quote

>=sys-libs/glibc-2.18 is safe. 2.19-r1 is stable on all platforms except mips (where no glibc is stable)
Back to top
View user's profile Send private message
P1neapple
n00b
n00b


Joined: 18 Jul 2014
Posts: 35

PostPosted: Wed Jan 28, 2015 1:23 am    Post subject: Reply with quote

So we are safe if we use 2.19-r1? Good.
_________________
Gentoo currently running in Virtualbox, hoping to switch to real hardware soon...
Back to top
View user's profile Send private message
titanofold
Developer
Developer


Joined: 30 Dec 2003
Posts: 235
Location: Bryson City, NC USA

PostPosted: Wed Jan 28, 2015 11:14 am    Post subject: Reply with quote

P1neapple wrote:
So we are safe if we use 2.19-r1? Good.


You are safe if you're using 2.18 even.
_________________
The best things in life are free.
Guy-1: Surely, you will fold with me...
Guy-2: Alright, but don't call me Shirley
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3349

PostPosted: Wed Jan 28, 2015 1:04 pm    Post subject: Reply with quote

titanofold wrote:
P1neapple wrote:
So we are safe if we use 2.19-r1? Good.


You are safe if you're using 2.18 even.


Back in August I jumped from 2.17 to 2.19. Someone else on Phoronix said that 2.19 actually became stable on July 29.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
shanew
n00b
n00b


Joined: 16 Sep 2006
Posts: 34
Location: Austin, TX

PostPosted: Wed Jan 28, 2015 9:07 pm    Post subject: Reply with quote

My impression, though, is that anything statically compiled with a vulnerable version of glibc will still be vulnerable regardless of the glibc version currently installed on your system. Admittedly, statically compiled packages are probably pretty rare on a "normal" computer, but embedded systems or installs that need to squeeze into small footprints might be another story.

So, two questions: 1. Can someone confirm or deny my impression? 2. How would one go about finding statically linked binaries on a gentoo system?

Code:
equery h static
seemed like a good start, but that only tells me whether a package has such a flag, not whether it's set.
Code:
eix '-I*' -e --installed-with-use static --format '<installedversions:NAMEVERSION>'
seems to be closer, but I wonder if I'm still missing something?

Oh, and I guess even with that I'd like a way to check what version of glibc it was compiled against, and I don't even know where to start with that.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 968

PostPosted: Thu Jan 29, 2015 3:44 pm    Post subject: Reply with quote

Why isn't this here:

http://www.gentoo.org/security/en/glsa/index.xml
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 12619

PostPosted: Fri Jan 30, 2015 2:36 am    Post subject: Reply with quote

grant123 wrote:
Why isn't this here:

http://www.gentoo.org/security/en/glsa/index.xml
Since the most recent entry currently on that page is from December, perhaps the maintainer for that page simply has not had time to update it. Also, as a rolling release distribution, any well maintained Gentoo system will already have upgraded to the fixed glibc version before the bug was announced as a security issue, so a GLSA is far less urgent than in the case of bugs like Heartbleed and Shellshock where the default configuration of an updated system was easily vulnerable at the time those bugs were announced.
Back to top
View user's profile Send private message
F_
Tux's lil' helper
Tux's lil' helper


Joined: 31 Dec 2006
Posts: 133

PostPosted: Fri Jan 30, 2015 7:48 pm    Post subject: Reply with quote

See the Gentoo vulnerability discussions here:


Best Regards,
F_
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum