Security Vulnerability on Linux Operating Systems

In the middle of February a serious security vulnerability became known. Some measures are necessary to close it.

Technical Information

Check whether the current glibc is installed.

SL 6

> rpm -qi glibc
Name        : glibc Relocations: (not relocatable)
Version     : 2.12 Vendor: Scientific Linux
Release     : 1.166.el6_7.7 Build Date: Tue 16 Feb 2016 06:01:59 PM CET
Install Date: Wed 17 Feb 2016 06:35:45 AM CET Build Host: sl6.fnal.gov

This is the current version. A reboot after the installation is necessary to activate the current version. If the version is not updated, please run "yum update" and "yum upgrade".

EL7

> rpm -qi glibc
Name        : glibc
Version     : 2.17
Release     : 106.el7_2.4
Architecture: x86_64
Install Date: Thu 18 Feb 2016 05:36:06 AM CET

This is the current version. A reboot after the installation is necessary to activate the current version. If the version is not updated, please run "yum update" and "yum upgrade".
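The SL6/EL7 check as a bash script, added here as an example and not part of the original page. It treats the releases quoted on this page as the minimum patched ones, approximates rpm's version ordering with GNU `sort -V`, and counts processes that still map a replaced libc (the reason a reboot is needed); the function names and the `--check` argument are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page.
# Fixed releases as quoted on this page for SL6 and EL7.
FIXED_EL6="2.12-1.166.el6_7.7"
FIXED_EL7="2.17-106.el7_2.4"

# ver_ge A B: succeeds if version-release A >= B.
# Assumption: GNU `sort -V` is close enough to rpm's own comparison here.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# glibc_status VERSION-RELEASE: prints patched, vulnerable or unknown.
glibc_status() {
    local fixed
    case "$1" in
        *.el6*) fixed=$FIXED_EL6 ;;
        *.el7*) fixed=$FIXED_EL7 ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
}

# stale_libc_count MAPS_FILE...: number of the given /proc/PID/maps files
# that still map a libc whose file on disk was replaced ("(deleted)").
# Unreadable files (other users' processes, exited PIDs) are skipped.
stale_libc_count() {
    grep -lE '/libc-[0-9.]+\.so.*\(deleted\)' "$@" 2>/dev/null | wc -l | tr -d ' '
}

main() {
    local vr
    # With several architectures installed, judge by the oldest package.
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | sort -V | head -n 1)
    echo "glibc $vr: $(glibc_status "$vr")"
    echo "processes still using a replaced libc: $(stale_libc_count /proc/[0-9]*/maps)"
}

# Run the live check only when asked, e.g. `bash check_glibc.sh --check` as root.
if [ "${1:-}" = "--check" ]; then main; fi
```

A non-zero process count on a patched system means the update is installed but not yet active.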

Ubuntu

> zgrep CVE-2015-7547 /usr/share/doc/libc6/changelog.Debian.gz
   - debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
   - debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
   - debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
   - CVE-2015-7547

This or similar text shows that the vulnerability CVE-2015-7547 has been fixed. A reboot after the installation is necessary to activate the current version. If the version is not updated, please run "aptitude update" and "aptitude dist-upgrade".

Kernel upgrade

  • On SL6 systems, it is recommended to check that the kernel has been updated. Kernels are currently still excluded from automatic updates (a policy change will be announced shortly).
  • On SL6 systems, prior to a reboot, "yum update" and "yum upgrade" should update all packages including the kernel.