New Linux Vulnerability CVE-2015-7547

[Quetzal]

Just came across this article on 'The Register'

Looks as if it might affect Mint as well.

http://www.theregister.co.uk/2016/02/16 ... rnability/

[Habitual]

Intriguingly, this bug was reported in July last year...

[Quetzal]

Just sent me scrambling back to check the article's date WAS 2016 and not 2015 - Phew!

[Habitual]

https://sourceware.org/ml/libc-alpha/20 ... 00416.html

and is a legitimate cause for concern.
I'd expect a patch/update in a day or so.

[Quetzal]

It's also reported in Ars Technica

http://arstechnica.co.uk/security/2016/ ... ulnerable/

[Habitual]

the fix is "in"

Code: Select all

apt-get update && apt-get upgrade

[karlchen]

Hello, Habitual.

Before someone else does, let me correct your recommendation to be:
Update Manager will offer the relevant libc6 update automatically, without evading the Linux Mint update safety levels. Make sure that the enabled safety levels in Update Manager are at minimum [1], [2] and [3] (default). Enabling the option to trust and install security updates always might be helpful, too.

Most important information:
The bugfixed libc6 library is available for download and installation: USN-2900-1: GNU C Library vulnerability

Cheers,
Karl

[Habitual]

Level[123] are default on most (all?) Graphical update utilities, no?
I'm huge fan of defaults.
but "Always Select and security updates" must be enabled prior to.

What about c-line?
apt-get upgrade is level[123] with Trust?

[lexon]

Have fun.

http://www.computerworld.com/article/30 ... patch.html

[Skaendo]

Apparently it's not that big of a deal since the next release (very soon, days?) will address this issue:

https://sourceware.org/ml/libc-alpha/20 ... 00420.html

[LinuxJim]

Risk to me? 0%. Risk to a multi-billion-dollar national corporation? Closer to 1%. Not worried.

[Skaendo]

Pushed to master:

https://sourceware.org/ml/libc-alpha/20 ... 00425.html

Start the builds.......

[Moem]

I'm on default settings and I got the patch. No need to work around the Updater. Just use the Force of the Gui, Luke.

[Moem]

The update arrived here two hours ago.

[karlchen]

<moderator on>
As the thread "Linux patch" was a just a reprise of the already existing thread "New Linux Vulnerability CVE-2015-7547", it has been merged into the existing thread about "New Linux Vulnerability CVE-2015-7547"
</moderator off>

[MajorLunaC]

I was wondering if the USN-2900-1: GNU C Library vulnerability (Bug CVE-2015-7547) has been fixed? I've only seen Ubuntu mention of it, so I hope it got passed down to Mint as well. I did see an "eglibc" update yesterday, I think, but I thought Debian switched back to glibc back in 2014. I do see several "eglibc" items in Synaptic.

http://www.ubuntu.com/usn/usn-2900-1/
https://threatpost.com/magnitude-of-gli ... ht/116296/

Is there anything users need to do for the fix?

[karlchen]

<moderator on>
post will be moved to the existing thread on "New Linux Vulnerability CVE-2015-7547". - This should answer the question by the way. - Done.
</moderator off>

[Skaendo]

A funny little twist in this story, unrelated to LM, but relates to Slackware Linux,

The Slackware BDFL (Pat Volkerding) had a patch that fixed this issue many years ago that was used by openSUSE and Debian, the difference is that PV kept applying the patch even after receiving emails asking him to remove it. Slackware has thus not been affected by this vulnerability.

https://www.linuxquestions.org/question ... ost5501886

[jiawen]

I'm running LM17 Qiana and haven't knowingly seen a patch for this yet. Should I be concerned? Is there a way to check in my update history whether I've already installed the patch without realizing it?

[karlchen]

Hello, jiawen.

In order to verify whether your system has received the libc6 security update, launch Synaptic Package Manager from the Mint Menu. Then proceed like illustrated in the screenshot below:


(Click screenshot to enlarge. Press <Alt><Cursor_left> to return here.)

• Tell Synaptic to list installed software packages only. (left hand side, click on button [Installed])
• (1) - As "Quick filter" enter "libc6" (without the double quotes).
• (2) - Should list libc6 - current version: 2.19-0ubuntu-6.7. Mark it.
• (3) - Click on the button [Get Changelog] at the bottom.
• (4) - Will open the changelog window.
• Provided the "CVE-2015-7547" is mentioned as fixed, then your system has received the security update.
  (I only marked it once in the screenshot, but as can be spotted, it is mentioned as fixed here.)

HTH,
Karl