Linux "GHOST" Vulnerability Hits Glibc Systems


  • #21
    Originally posted by eydee View Post
    If you're a regular person you're protected anyway as no one knows you exist and no one wants to attack your rig. It's the enterprise users who have to be afraid, and they are the ones usually running software from the '80s.
    In that case they should also be safe, because software in the 80s wasn't using DNS. Instead of using DNS they'd be using an /etc/hosts file containing every IP on the entire Internet. It used to be a massive download. Several megabytes!

    Comment


    • #22
      Originally posted by eydee View Post
      It's a good thing they don't keep these vulnerabilities a secret and don't just patch them silently. Now I'm off to attacking computers the whole night...
      If you have even read the article, in fact they did patch it silently, the vulnerability affects old "stables" which haven't gotten the patch backported.
      Also, they have corrected this silently once they realised it's a security bug via updates before releasing it into the wild. Basically.

      1) people who update often have the patch for 3 years
      2) people who have stable releases got their backported patch a week ago (before it was released into the wild)
      3) people who do neither MIGHT be affected.

      I don't think it's "we are all gonna die" level bug mostly because embedded stuff (which won't get updated - ever) doesn't use glibc.

      Comment


      • #23
        Ubuntu 14.04 is fine? Can't see which glibc is used.
        Thanks

        Comment


        • #24
          @mike4
          IIRC:
          $ dpkg -l |grep glibc

          Comment


          • #25
            Thanks but that returns nothing. Also in Synaptic nothing but libglib 2.4

            Comment


            • #26
              Originally posted by mike4 View Post
              Thanks but that returns nothing. Also in Synaptic nothing but libglib 2.4
              Try also with just libc. Debian/Ubuntu camp is notorious for making up their own names instead of following upstream

              Comment
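
The lookup discussed in posts #23 to #26, as an added example that is not part of the thread: on Debian/Ubuntu the shared-library package is named `libc6`, so filtering `dpkg -l` for `glibc` finds nothing. The sample `dpkg -l` output and its version strings are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `dpkg -l` output (versions are made up for illustration).
SAMPLE_DPKG_L='||/ Name                Version            Architecture Description
+++-===================-==================-============-======================
ii  libc-bin            2.19-0example1     amd64        Embedded GNU C Library: Binaries
ii  libc6:amd64         2.19-0example1     amd64        Embedded GNU C Library: Shared libraries
rc  libc6:i386          2.15-0example1     i386         Embedded GNU C Library: Shared libraries
ii  libglib2.0-0:amd64  2.40.0-0example1   amd64        GLib library of C routines'

# Read `dpkg -l` output on stdin and print "package version" for every
# installed libc6 package. Handles multiarch names such as libc6:amd64 and
# skips entries that are removed with only config files left (status "rc").
libc_pkg_versions() {
    awk '$1 ~ /^[ih]i$/ {
             name = $2
             sub(/:.*/, "", name)          # strip the :arch suffix
             if (name == "libc6") print $2, $3
         }'
}

# Ask the running system which glibc it is linked against; works on any
# glibc-based distribution regardless of how the package is named.
runtime_glibc() {
    getconf GNU_LIBC_VERSION 2>/dev/null || echo "unknown (not a glibc system?)"
}

# On the sample, the glibc filter matches zero lines, the libc6 lookup one.
printf 'lines matching "glibc": %s\n' \
    "$(printf '%s\n' "$SAMPLE_DPKG_L" | grep -c glibc)"
printf '%s\n' "$SAMPLE_DPKG_L" | libc_pkg_versions
runtime_glibc
```

On a real system, pipe `dpkg -l` into `libc_pkg_versions`. Because stable releases receive backported patches (see post #22), compare the full package version, including the distribution revision, against the distribution's security notice rather than judging by the upstream number alone.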


              • #27
                Originally posted by tpruzina View Post
                If you have even read the article, in fact they did patch it silently, the vulnerability affects old "stables" which haven't gotten the patch backported.
                Also, they have corrected this silently once they realised it's a security bug via updates before releasing it into the wild. Basically.

                1) people who update often have the patch for 3 years
                2) people who have stable releases got their backported patch a week ago (before it was released into the wild)
                3) people who do neither MIGHT be affected.

                I don't think it's "we are all gonna die" level bug mostly because embedded stuff (which won't get updated - ever) doesn't use glibc.
                Why so sour? Why so serious? Not able to recognize a joke but still not in jail or beaten up? This world is indeed cruel...

                Comment


                • #28
                  Originally posted by mike4 View Post
                  Ubuntu 14.04 is fine? Can't see which glibc is used.


                  14.04 is fine, 12.04 and 10.04 are not.

                  Comment


                  • #29
                    Originally posted by phred14 View Post
                    Gentoo moved from glibc-2.17 to glibc-2.19 back in early August 2014. (It might have even been late July, and early August was just my upgrade schedule.) This is stable, not ~arch.
                    29th July 2014!

                    Comment


                    • #30
                      These exploits continue with excellent naming.

                      Comment
