glibc Ghost vulnerability

cayaraa · Post by **cayaraa** » Wed Jan 28, 2015 9:35 am

Is it know if zimbra has any binary files that have statically linked glibc or will updating the host catch all the links to the system glibc?

I've checked nginx and postfix and both of them seems to be using system:
$ ldd /opt/zimbra/nginx/sbin/nginx |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007f12deda2000)
$ ldd /opt/zimbra/postfix/sbin/postfix |grep "libc."
libc.so.6 => /lib64/libc.so.6 (0x00007fc3f9e0e000)

https://isc.sans.edu/forums/diary/New+C ... OST/19237/

cayaraa · Post by **cayaraa** » Wed Jan 28, 2015 9:56 am

Sounds like it might not be as commonly exploitable as the first stuff I was reading lead me to believe:

"Here is a list of potential targets that we investigated (they all call

gethostbyname, one way or another), but to the best of our knowledge,

the buffer overflow cannot be triggered in any of them:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,

nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,

pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,

vsftpd, xinetd."

http://www.openwall.com/lists/oss-secur ... 5/01/27/18

jorgedlcruz · Post by **jorgedlcruz** » Wed Jan 28, 2015 11:59 am

Hi cayaraa,
Is a critical issue and we need to update the OS to be sure that you are not vulnerable for other applications.

Best regards

mhlevy · Post by **mhlevy** » Wed Jan 28, 2015 12:10 pm

Thank you for the information, but I do have a question regarding the update. Ubuntu recommends using the following commands:

sudo apt-get clean

sudo apt-get update

sudo apt-get dist-upgrade

Will this be safe to run on Ubuntu linux servers, as far as not "disturbing" the Zimbra installation?

Thank you for your time!

Mark

jorgedlcruz · Post by **jorgedlcruz** » Wed Jan 28, 2015 12:16 pm

Hi mhlevy,

If you run a dist-upgrade you will upgrade all the Ubuntu to the next version. You need to run the next steps:

sudo apt-get clean

sudo apt-get update

sudo apt-get upgrade

Remember to do some backup or snapshot before.

Best regards

mhlevy · Post by **mhlevy** » Wed Jan 28, 2015 12:34 pm

Thanks very much. That could have been a disaster, and thankfully, we are running the Ubuntu servers on Vmware, so snapshots will be taken before.

Paladinemishakal · Post by **Paladinemishakal** » Thu Jan 29, 2015 5:55 am

Hi All,

Can we do an "apt-get install --only-upgrade libc-bin libc-dev-bin libc6 libc6-dev" or "apt-get upgrade" then the "apt-get dist-upgrade"?

Regards.

jorgedlcruz · Post by **jorgedlcruz** » Thu Jan 29, 2015 6:00 am

Hi Paladinemishakal,

With an apt-get update and apt-get upgrade you need to be in the proper version of libc packages, don't do a dist-upgrade, you will upgrade your entire Ubuntu to the next version, 10 to 12, 12 to 14.

Best regards

dbayer · Post by **dbayer** » Thu Jan 29, 2015 7:53 am

Just to be perfectly clear. We should run ONLY

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

and nothing else, correct?
In addition it appears that 14.04 and beyond are NOT effected by this vulneribility
http://www.ubuntu.com/usn/usn-2485-1/

Thanks,
Daniel

jorgedlcruz · Post by **jorgedlcruz** » Thu Jan 29, 2015 7:55 am

Yes,

Try with this commands, and check if your affected packages are fixed after launch these commands, should work.

Best regards