CentOS and Debian - upgrade your GNU C Library immediately!

josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

CentOS and Debian - upgrade your GNU C Library immediately!

Post by josh »

From my web host (steadfast.net):

---------- Forwarded message ----------
From: Kevin Stange <support@steadfast.net>
Date: Thu, Oct 21, 2010 at 1:16 PM
Subject: Security Advisory: Major Linux glibc Vulnerability


A vulnerability has recently been discovered in the GNU C Library for Linux which affects modern Linux distributions including CentOS and Debian. This vulnerability is serious and may allow a remote exploit or local user to cause privilege escalation, resulting in root access to your server. A working example of the exploit has already been publicly disclosed, thus no advanced knowledge of the GNU C Library is required to gain root access once shell access has been obtained on the target system.

The CVE entry for this vulnerability may be found here:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2010-3847

CentOS 4, FreeBSD and Windows users are unaffected by these specific vulnerabilities.

It is especially important to upgrade your glibc packages if your system services multiple users via shell accounts, jail or container-based virtualization, or dynamic web sites. Updates which fix these and/or several other security issues and bugs are available immediately for most systems. The following information describes the updates available for supported Linux distributions.

If you are a shared hosting or backup service customer, you will not need to worry about this advisory as we have applied fixes for these systems already. If you are a VPS customer running CentOS 5 or Debian, your container is vulnerable and you must patch it to close the vulnerability. The notes below apply to a VPS in the same way as a physical server.

If you have any questions or need assistance, please open a support ticket and we will be happy to assist you.

===============
CentOS
===============

This vulnerability affects only systems running CentOS 5. CentOS 4 and older do not contain the feature that permits this exploit to occur.

Red Hat and CentOS have patched this vulnerability as of October 21, 2010.

To verify your system is running the correct glibc package, run the following command:

rpm -q glibc

The version should be greater than or equal to the following:

CentOS 5: glibc-2.5-49.el5_5.6

If your version does not match, please run the following command and ensure an update to the glibc package is included:

yum clean metadata
yum update glibc

If no update is available, please try the following command, then repeat the commands above:

wget -O- mirror.steadfast.net/mirrorize | sh

This command will force your server to use our mirror server, which is known to already contain the updated glibc version.

After the upgrade process completes, your system will be protected against the vulnerability. There is no need to reboot your system as the update will take effect immediately.

Red Hat published the following advisories regarding this vulnerability:

CentOS 5: https://rhn.redhat.com/errata/RHSA-2010-0787.html

===============
Debian
===============

This vulnerability affects Debian Etch, Lenny, as well as the testing and unstable distributions. However, there is no known published exploit that can be used to trigger it available at this time, which means the update is marginally less urgent on Debian systems.

Debian has not yet patched this vulnerability in any releases. We will provide additional information when it becomes available.

Debian published the following advisory regarding this vulnerability:

http://security-tracker.debian.org/trac ... -2010-3847

Based on information available, if you are running Debian Etch (4.0), your system is vulnerable to this specific issue and to multiple previous security flaws and no update will be available. You should consider a "dist-upgrade" to migrate your system to Lenny to continue to obtain security patches.

===============
Other
===============

If you are running Fedora or Ubuntu, you need to upgrade to one of the two most recent releases of your distribution (or to an LTS release, in the case of Ubuntu) by following the upgrade directions listed on the vendor's web site to obtain an appropriate glibc upgrade. Each of these vendors ends the life of each release in 12 to 18 months and security fixes are not available after the lifetime expires, but these distributions provide upgrade paths to newer editions. Please note we no longer offer support for either of these distributions.

If your server runs another distribution of Linux, please contact your Linux vendor for directions on how to obtain an updated glibc package.
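One way to script the CentOS 5 check the advisory describes (compare the installed glibc against glibc-2.5-49.el5_5.6 and point at `yum update glibc` when it is older), as an added example that is not part of the original post or of steadfast.net's tooling. It uses a simplified segment-by-segment comparison rather than RPM's full EVR algorithm, which is sufficient for the builds named here.

```shell
#!/bin/sh
# Added example, not from the advisory: verify the installed CentOS 5 glibc
# is at or above the fixed build named in the advisory.
FIXED="glibc-2.5-49.el5_5.6"

# Compare two dot/underscore separated strings segment by segment: numeric
# segments compare as numbers, the rest as strings. This is a simplified form
# of RPM's EVR comparison, adequate for the glibc builds discussed here.
# Prints -1, 0 or 1.
seg_cmp() {
    i=1
    while :; do
        x=$(printf '%s' "$1" | tr '._' '\n\n' | sed -n "${i}p")
        y=$(printf '%s' "$2" | tr '._' '\n\n' | sed -n "${i}p")
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return 0; }
        [ -z "$x" ] && { printf '%s\n' -1; return 0; }
        [ -z "$y" ] && { printf '%s\n' 1; return 0; }
        if [ "$(expr "$x" \< "$y")" = 1 ]; then printf '%s\n' -1; return 0; fi
        if [ "$(expr "$x" \> "$y")" = 1 ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# Split "glibc-VERSION-RELEASE", compare the version first, then the release.
# Exit status 0 means the package is at or above the fixed build.
glibc_is_fixed() {
    pv=${1#glibc-}; pr=${pv#*-}; pv=${pv%%-*}
    fv=${FIXED#glibc-}; fr=${fv#*-}; fv=${fv%%-*}
    c=$(seg_cmp "$pv" "$fv")
    [ "$c" = 0 ] && c=$(seg_cmp "$pr" "$fr")
    [ "$c" != -1 ]
}

# Query RPM for every installed glibc package (multilib hosts have one per
# architecture) without the arch suffix, and report each one.
check_installed_glibc() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; not an RPM-based system" >&2; return 2; }
    rc=0
    for pkg in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' glibc); do
        if glibc_is_fixed "$pkg"; then
            echo "OK: $pkg is at or above $FIXED"
        else
            echo "VULNERABLE: $pkg is older than $FIXED; run: yum clean metadata && yum update glibc"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when invoked with --check, so the functions can also be sourced.
[ "${1:-}" = "--check" ] && check_installed_glibc
```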
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: CentOS and Debian - upgrade your GNU C Library immediately!

Post by Benjamin »

Thanks for the heads up Josh.