glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 9:35 am
by cayaraa

Is it known whether Zimbra has any binary files that have statically linked glibc, or will updating the host catch all the links to the system glibc?

I've checked nginx and postfix and both of them seem to be using the system one:
$ ldd /opt/zimbra/nginx/sbin/nginx |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007f12deda2000)
$ ldd /opt/zimbra/postfix/sbin/postfix |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007fc3f9e0e000)

https://isc.sans.edu/forums/diary/New+C ... OST/19237/
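An added example, not from the thread: a small POSIX shell audit that extends the manual ldd check in the post above to a whole install tree. It classifies each ELF executable as statically linked, using the system libc, or using a bundled libc (the last two cases are the ones an OS glibc update does not fix), and can also flag binaries that import gethostbyname, the function the GHOST bug lives behind. The prefix /opt/zimbra and the library directories in the "system" pattern are assumptions; it relies on GNU ldd and nm being present.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): audit which executables under a
# prefix resolve libc from the OS, carry their own copy, or are static.
# A static or bundled libc is NOT fixed by upgrading the OS glibc package.

# is_elf FILE: true when FILE starts with the ELF magic (\177ELF).
# Keeps shell scripts and data files out of the ldd results.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')" = "177ELF" ]
}

# classify_ldd TEXT: TEXT is the output of `ldd <binary>`. Prints one of:
#   static            - no dynamic loader involved, libc is baked in
#   missing-libc      - libc.so.6 is needed but the loader cannot find it
#   no-libc           - dynamic, but does not link libc.so.6 at all
#   system-libc PATH  - libc resolved from the OS library directories
#   bundled-libc PATH - libc resolved from somewhere else (e.g. a vendor tree)
classify_ldd() {
    case "$1" in
        *"not a dynamic executable"*|*"statically linked"*)
            echo "static"; return 0 ;;
        *"libc.so.6 => not found"*)
            echo "missing-libc"; return 0 ;;
    esac
    libc_line=$(printf '%s\n' "$1" | grep 'libc\.so\.6' | head -n 1)
    if [ -z "$libc_line" ]; then
        echo "no-libc"; return 0
    fi
    # Take the resolved path after "=>", dropping the load address.
    path=$(printf '%s\n' "$libc_line" | sed -n 's/.*=> *\([^ ]*\).*/\1/p')
    case "$path" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*)   # assumed OS library dirs
            echo "system-libc $path" ;;
        *)
            echo "bundled-libc $path" ;;
    esac
}

# imports_gethostbyname FILE: true when the dynamic symbol table of FILE
# has an undefined reference to gethostbyname (GNU nm assumed).
imports_gethostbyname() {
    nm -D "$1" 2>/dev/null | grep -q ' U gethostbyname'
}

# audit_tree DIR: prints "<libc class>\t<gethostbyname?>\t<file>" for every
# ELF executable below DIR.
audit_tree() {
    find "$1" -type f -perm -100 2>/dev/null | while read -r f; do
        is_elf "$f" || continue
        out=$(ldd "$f" 2>&1) || true
        if imports_gethostbyname "$f"; then ghbn=gethostbyname; else ghbn=-; fi
        printf '%s\t%s\t%s\n' "$(classify_ldd "$out")" "$ghbn" "$f"
    done
}

# Usage (assumed prefix): audit_tree /opt/zimbra | grep -v '^system-libc'
```

Anything the last grep leaves behind (static, bundled-libc, missing-libc) is a binary whose libc is not the package you just updated, so it needs a vendor fix or a rebuild rather than an OS upgrade; the gethostbyname column narrows that list to the binaries that actually reach the affected code.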

glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 9:56 am
by cayaraa
Sounds like it might not be as commonly exploitable as the first stuff I was reading led me to believe:

"Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd."

http://www.openwall.com/lists/oss-secur ... 5/01/27/18

glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 11:59 am
by jorgedlcruz
Hi cayaraa,
It is a critical issue and we need to update the OS to be sure that you are not vulnerable through other applications.

Best regards

glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 12:10 pm
by mhlevy
Thank you for the information, but I do have a question regarding the update. Ubuntu recommends using the following commands:

sudo apt-get clean
sudo apt-get update
sudo apt-get dist-upgrade

Will this be safe to run on Ubuntu Linux servers, as far as not "disturbing" the Zimbra installation?

Thank you for your time!

Mark

glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 12:16 pm
by jorgedlcruz
Hi mhlevy,

If you run a dist-upgrade you will upgrade all of Ubuntu to the next version. You need to run the following steps:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

Remember to do a backup or snapshot before.

Best regards

glibc Ghost vulnerability

Posted: Wed Jan 28, 2015 12:34 pm
by mhlevy
Thanks very much. That could have been a disaster, and thankfully, we are running the Ubuntu servers on VMware, so snapshots will be taken before.

glibc Ghost vulnerability

Posted: Thu Jan 29, 2015 5:55 am
by Paladinemishakal
Hi All,

Can we do an "apt-get install --only-upgrade libc-bin libc-dev-bin libc6 libc6-dev" or "apt-get upgrade" and then the "apt-get dist-upgrade"?

Regards.

glibc Ghost vulnerability

Posted: Thu Jan 29, 2015 6:00 am
by jorgedlcruz
Hi Paladinemishakal,

With an apt-get update and apt-get upgrade you will be on the proper version of the libc packages. Don't do a dist-upgrade; it will upgrade your entire Ubuntu to the next version (10 to 12, 12 to 14).

Best regards

glibc Ghost vulnerability

Posted: Thu Jan 29, 2015 7:53 am
by dbayer
Just to be perfectly clear: we should run ONLY

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

and nothing else, correct?
In addition, it appears that 14.04 and beyond are NOT affected by this vulnerability:
http://www.ubuntu.com/usn/usn-2485-1/

Thanks,
Daniel

glibc Ghost vulnerability

Posted: Thu Jan 29, 2015 7:55 am
by jorgedlcruz
Yes,

Try these commands, and check whether your affected packages are fixed after running them; it should work.

Best regards