Gentoo Forums
GHOST vulnerability
ctcp
n00b
Joined: 30 Jan 2015
Posts: 2

Posted: Fri Jan 30, 2015 6:55 pm    Post subject: GHOST vulnerability

Hi, when I run the following command:

Code:
ldd --version


I see that my version of Libc is 2.3.6

Code:
ldd (GNU libc) 2.3.6
Copyright (C) 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.


Is this version vulnerable? And... if this is vulnerable, how do I fix it?

Edit:

My Gentoo version is:

Code:
Gentoo Base System version 1.6.14


Thanks.

F_
Tux's lil' helper
Joined: 31 Dec 2006
Posts: 133

Posted: Fri Jan 30, 2015 7:44 pm

You should be fine. Take a look at the following bug list entries:


Versions prior to 2.20 are vulnerable to this issue.


Best Regards,
F_

Jaglover
Watchman
Joined: 29 May 2005
Posts: 6972
Location: Saint Amant, Acadiana

Posted: Fri Jan 30, 2015 7:51 pm

I wouldn't say ctcp is fine. The box he is referring to seems to be severely out of date. Which means lots of unpatched vulnerabilities.
_________________
Please learn how to denote units correctly!

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

Posted: Fri Jan 30, 2015 8:08 pm

If you have app-portage/gentoolkit installed,

Code:
$ glsa-check -l affected


But yes an almost 10 year old box there are probably a lot of potential issues... and also a candidate for fresh reinstall...

ctcp
n00b
Joined: 30 Jan 2015
Posts: 2

Posted: Fri Jan 30, 2015 8:23 pm

This is the result:

Code:
 # glsa-check -l affected


!!! /etc/make.profile is not a symlink and will probably prevent most merges.
!!! It should point into a profile within /usr/portage/profiles/
!!! (You can safely ignore this message when syncing. It's harmless.)


Traceback (most recent call last):
  File "/usr/bin/glsa-check", line 148, in ?
    myglsa = Glsa(x, glsaconfig)
  File "/usr/lib/gentoolkit/pym/glsa.py", line 414, in __init__
    self.read()
  File "/usr/lib/gentoolkit/pym/glsa.py", line 432, in read
    self.parse(urllib.urlopen(myurl))
  File "/usr/lib/gentoolkit/pym/glsa.py", line 470, in parse
    self.description = getText(myroot.getElementsByTagName("description")[0], format="xml")
  File "/usr/lib/gentoolkit/pym/glsa.py", line 233, in getText
    return str(rValue)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2019' in position 8: ordinal not in range(128)

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

Posted: Sat Jan 31, 2015 12:17 am

You need to emerge --sync before running glsa-check. And hope that the out of date components still work...

Also need to fix your make.profile link since it appears your old profile has now been deleted? eselect profile list; eselect profile set XYZ ...

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5595

Posted: Sat Jan 31, 2015 12:19 am

GHOST is the least of your problems right now.

Jaglover
Watchman
Joined: 29 May 2005
Posts: 6972
Location: Saint Amant, Acadiana

Posted: Sat Jan 31, 2015 12:30 am

Alright, let's spell it out.

Unless you want all the fun of fractional upgrades (you really must know what you are doing) the only alternative is backing up your configuration and re-installing.
_________________
Please learn how to denote units correctly!

eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

Posted: Sat Jan 31, 2015 12:32 am

Ant P. wrote:
GHOST is the least of your problems right now.

I'm sure he'll finally notice the hole he dug and freak out when he sees glsa-check return pages upon pages of vulnerabilities :D
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

F_
Tux's lil' helper
Joined: 31 Dec 2006
Posts: 133

Posted: Sat Jan 31, 2015 12:36 am

F_ wrote:
You should be fine. Take a look at the following bug list entries:


Versions prior to 2.20 are vulnerable to this issue.


Best Regards,
F_


Wow -- I totally missed that he was running 2.3..... not 2.30. Yeah, ctcp, you're definitely going to have to upgrade because you are about 27 versions of glibc behind.
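
The mix-up discussed in the thread (2.3 read as 2.30) is what a numeric, component-wise version comparison avoids. The script below is an added example, not part of any post above; its function names are hypothetical, and the 2.20 threshold is the figure quoted in the thread.

```sh
#!/bin/sh
# Added example: numeric, component-wise glibc version comparison.

# Threshold as quoted in the thread ("Versions prior to 2.20 are vulnerable").
THRESHOLD=2.20

# Read `ldd --version` output on stdin and print the version found at the
# end of its first line, e.g. "ldd (GNU libc) 2.3.6" -> "2.3.6".
glibc_version_from_ldd() {
    sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# version_lt A B: exit status 0 if A is strictly older than B, 1 otherwise.
# Components are compared as integers from left to right and a missing
# component counts as 0, so 2.3 equals 2.3.0 and 2.3.6 sorts before 2.20.
version_lt() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
    done
    return 1    # equal versions are not "older"
}

# Classify ldd output read on stdin against THRESHOLD.
check_ldd_output() {
    found=$(glibc_version_from_ldd)
    case $found in
        ''|*[!0-9.]*) echo "could not parse version"; return 2 ;;
    esac
    if version_lt "$found" "$THRESHOLD"; then
        echo "$found is older than $THRESHOLD"
    else
        echo "$found is not older than $THRESHOLD"
    fi
}

# Constructed sample: the first line of the ldd output quoted in the thread.
printf 'ldd (GNU libc) 2.3.6\n' | check_ldd_output
```

A version number alone does not reflect fixes a distribution has backported, which is where the glsa-check run suggested in the thread comes in.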