I'm surprised there's not been a post about this already.
For Centos 6 and 7 (not needed for 5 and 4) updated glibc and nscd rpms are already hitting the mirrors.
Now, as I understand it, a system reboot is recommended after installation as you can never be quite sure what might or might not be using the old libraries until the service is restarted.
If you can't reboot and don't want to examine the output of lsof or whatever, one of our suppliers has suggested adding the following to your firewall:
iptables -I INPUT -p udp --sport 53 -m length --length 512: -j DROP
iptables -I INPUT -p tcp --sport 53 -m length --length 1024: -j DROP
(if appropriate) iptables -I FORWARD -p udp --sport 53 -m length --length 512: -j DROP
(if appropriate) iptables -I FORWARD -p tcp --sport 53 -m length --length 1024: -j DROP
(similarly for ipv6 as appropriate)
They claim it will have 0 impact other than to mitigate against the vulnerability. I can't say whether this is the case or not though.
If you want to add these rules via the ASL GUI, would I be correct in saying that you'd need to add the "-m length --length 512" in the "Additional options" box? (as well as setting the source port, protocol and jump target obviously, and selecting Insert rather than append etc etc)
glibc CVE-2015-7547
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
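As an added example (not code from the original post, the supplier, or Atomicorp), here is a small POSIX shell script that covers the two chores the post describes: finding processes that still have the pre-update glibc mapped (the "examine the output of lsof" alternative to a reboot, done here by scanning /proc/PID/maps for a libc marked "(deleted)"), and inserting the supplier's DNS size rules for both iptables and ip6tables without duplicating them on a re-run. It assumes Linux with /proc and an iptables/ip6tables that has the "length" match; DRY_RUN=1 (the default) prints the firewall commands instead of executing them, since insertion needs root. One caveat worth knowing when judging the "0 impact" claim: the length match compares the total layer-3 packet length, IP and UDP headers included, so "--length 512:" starts dropping UDP payloads of roughly 484 bytes (IPv4), not 512.

```shell
#!/bin/sh
# Added example for the glibc CVE-2015-7547 thread above; not part of the
# original post or of Atomicorp's ASL. Assumes Linux (/proc) and iptables,
# ip6tables with the "length" match. DRY_RUN=1 prints commands only.

DRY_RUN=${DRY_RUN:-1}

# Print 1 if the given /proc/PID/maps file references a libc that has been
# replaced on disk (the kernel appends "(deleted)" to such paths), else 0.
# Matches both the libc-2.xx.so and the libc.so.6 naming.
maps_has_stale_libc() {
    if grep -Eq '/libc(-[0-9.]+\.so|\.so\.6) \(deleted\)' "$1" 2>/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# List "PID command" for every process still mapping the old glibc.
# Empty output means nothing is left to restart.
stale_glibc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ "$(maps_has_stale_libc "$maps")" = 1 ]; then
            echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        fi
    done
}

# Print the supplier's rules for one firewall binary (iptables or ip6tables)
# and the given chains, one command per line. The "length" match uses the
# total layer-3 length (headers included), so 512: drops IPv4 UDP payloads
# from about 484 bytes upward, not from 512.
dns_size_rules() {
    bin=$1
    shift
    for chain in "$@"; do
        echo "$bin -I $chain -p udp --sport 53 -m length --length 512: -j DROP"
        echo "$bin -I $chain -p tcp --sport 53 -m length --length 1024: -j DROP"
    done
}

# Insert each rule only when an identical one is not already present
# (-C exits 0 if the rule exists), so the script is safe to run repeatedly.
apply_dns_size_rules() {
    dns_size_rules "$@" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
        if [ "$DRY_RUN" = 1 ]; then
            echo "$check || $cmd"
        elif ! $check 2>/dev/null; then
            $cmd
        fi
    done
}

echo "Processes still mapping the old glibc:"
stale_glibc_processes
echo
echo "Firewall commands (DRY_RUN=$DRY_RUN):"
apply_dns_size_rules iptables INPUT FORWARD
apply_dns_size_rules ip6tables INPUT FORWARD
```

Run it once as-is to see which services still hold the old library and what would be inserted, then with DRY_RUN=0 as root to apply the rules. Drop FORWARD from the calls if the box does not route traffic, as the post notes.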
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: glibc CVE-2015-7547
No need to do this on ASL systems, if you are using the ASL kernel you are immune to this:
https://www.atomicorp.com/forums/viewto ... =13&t=8319
Michael Shinn
Atomicorp - Security For Everyone
Re: glibc CVE-2015-7547
Yes, but those of us using ASL but not running the ASL kernel do need to worry
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>