
New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)

Comments

14 comments

  • Infopro
    Details have been posted here: CVE-2015-0235 GHOST - cPanel Knowledge Base
    0
  • Venomous21
    I've read all these articles and I'm a bit confused. I run x86_64 CentOS 5.11. I ran the rpm -q --changelog glibc | grep CVE-2015-0235 command, which returned no results. I also ran yum upgrade, which found no updated packages, even though I received a mailing from CentOS at 6pm EST today (about 1hr20min ago) referencing this article, which is obviously redhat

    - - - Updated - - -

    I ran the latest updated commands in your article:

    yum clean all ; yum update glibc
    rpm -q --changelog glibc | grep CVE-2015-0235

    Nothing updated and the command did not mention it was installed. Will check a couple other servers now.
    0
  • Venomous21
    Quick update, CentOS is finally pushing out the updates to the mirrors.
    0
  • adtastichosting
    "Quick update, CentOS is finally pushing out the updates to the mirrors."

    I have the same issue on 2 servers that after running yum clean all ; yum update glibc says no packages are marked for update. I was able to update our 3 dedicated servers no problem but these 2 are older VPS servers running centos 5.9. Any comments or ideas here?
    0
  • avibodha
    Some WHM / cPanel vendors (wiredtree) point to their CentOS repo instead of using mirrors. To get the update now, point your CentOS base repo to the main one and comment out theirs. In /etc/yum.repos.d/CentOS-Base.repo, under [Updates], comment out this line (and any mirrorlist= lines):

    # baseurl=http://mirror.wiredtree.com/centos/$releasever/os/$basearch/

    add

    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/

    then do

    yum update glibc
    0
  • adtastichosting
    Thanks for the info. Actually as I reread the article (GHOST, a critical Linux security hole, is revealed | ZDNet: http://www.zdnet.com/article/critical-linux-security-hole-found/) it looks like centos 5 might not actually be vulnerable to this as the article states centos 6 and 7 and only servers built with glibc-2.2. Am I right?
    0
  • andyf
    "Details have been posted here: CVE-2015-0235 GHOST - cPanel Knowledge Base"

    It would appear (would be nice to get confirmation from cPanel on this) that the configuration utilised by cPanel is not vulnerable to this particular Exim PoC shown by Qualys, as the HELO hostname provided by the client is not verified by DNS resolution at any stage. As for the remainder of Exim DNS operations, this was their brief take on that:

    "We believe, based on rather hurried analysis, that every other configuration option in Exim which might use "gethostbyname()" will use a newer set of functions if available, and not explicitly disabled by your OS packagers when building Exim."

    Nevertheless, libc is used everywhere and you absolutely should update glibc packages and restart all services that use libc (or, if possible, a more comprehensive approach is to restart the system).
    0
  • jdlightsey
    It's very difficult to be certain with EXIM. cPanel's configuration does not set the particular EXIM configuration options that Qualys focused on, but cPanel does heavily customize EXIM and hooks lots of custom functionality into it. It's best to assume that between cPanel's Perl code hooked into Exim, SpamAssassin, ClamAV, Mailman, and common custom email filters, injection points in the email subsystems will be found once the proof of concept code is released.
    0
  • StuartMacfarlane
    If you are using PHP 5.4, 5.5 or even 5.6 and have any applications using the "gethostbyname" function then these would also be considered vulnerable subject to penetration testing being done. CentOS has not yet released the patch; however, RedHat has, so it won't be long till it comes down from the upstream.
    0
  • jdlightsey
    CentOS pushed their updated packages out to the mirrors last night. The CentOS-announce January 2015 Archive by date: http://lists.centos.org/pipermail/centos-announce/2015-January/date.html
    0
  • kalexanakis
    Hello I run rpm -q --changelog glibc | grep CVE-2015-0235
    and I got - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533)
    at all my cpanel servers, so they are already patched. Do I have to restart every system nevertheless?
    0
  • StuartMacfarlane
    Because this has updated glibc it is being advised that a reboot happens of the server to make sure all running applications notice the patch.
    0
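
The reboot and service-restart advice in the posts above exists because a process started before the update keeps the old, unlinked libc mapped. The following is an added example, not part of any post in this thread; the function names `stale_libc_pids` and `build_sample_proc` are hypothetical and the sample /proc tree is constructed.

```shell
#!/bin/bash
# Added example (not from the thread): find processes still mapping a replaced libc.

# Print "PID command line" for each process whose maps show a deleted libc file.
# proc_root defaults to /proc; the argument exists so a sample tree can be scanned.
stale_libc_pids() {
    local root="${1:-/proc}" maps pid cmd
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # After a package update the old file is unlinked but stays mapped, e.g.
        # "/lib64/libc-2.12.so (deleted)". libcrypto and friends must not match.
        if grep -Eq '/libc[-.][^/ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"; pid="${pid##*/}"
            cmd="$(tr '\0' ' ' 2>/dev/null < "$root/$pid/cmdline" | sed 's/ *$//')"
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample: a fake /proc with one process started before the update
# (4242, old libc still mapped) and one started after it (4300).
build_sample_proc() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/4242" "$d/4300"
    printf 'exim\0-bd\0' > "$d/4242/cmdline"
    printf 'sshd\0' > "$d/4300/cmdline"
    cat > "$d/4242/maps" <<'EOF'
00400000-004f2000 r-xp 00000000 fd:00 131 /usr/sbin/exim
3a1c200000-3a1c38a000 r-xp 00000000 fd:00 917 /lib64/libc-2.12.so (deleted)
EOF
    cat > "$d/4300/maps" <<'EOF'
7f1c2a000000-7f1c2a18a000 r-xp 00000000 fd:00 2044 /lib64/libc-2.12.so
7f1c2a400000-7f1c2a5b0000 r-xp 00000000 fd:00 2101 /usr/lib64/libcrypto.so.10 (deleted)
EOF
    echo "$d"
}

sample="$(build_sample_proc)"
stale_libc_pids "$sample"    # scans the constructed tree
rm -rf "$sample"
```

On a real host, call `stale_libc_pids` with no argument as root; an empty result means no running process still maps a replaced libc.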
  • gdprojects
    Hi I'm not sure if I'm protected either:

    [~]# ldd --version
    ldd (GNU libc) 2.12
    Copyright (C) 2010 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    Have run:

    # yum clean all
    # yum update
    # reboot

    Still showing 2.12 as a version number.
    0
  • quizknows
    You are probably fine but check your RPM change log to be sure:

    [root@new ~]# rpm -q --changelog glibc |head
    * Mon Jan 19 2015 Siddhesh Poyarekar - 2.12-1.149.5
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    * Wed Dec 10 2014 Carlos O'Donell - 2.12-1.149.4
    - Fix recursive dlopen() (#1173469).
    * Tue Dec 09 2014 Siddhesh Poyarekar - 2.12-1.149.3
    - Fix typo in res_send and res_query (#rh1172023).
    * Tue Dec 09 2014 Siddhesh Poyarekar - 2.12-1.149.2

    As long as you see the line with CVE-2015-0235 in the output that means that your version is patched (backported) for this vulnerability. Alternate command:

    [root@new ~]# rpm -q --changelog glibc |grep CVE-2015-0235
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    0
