Affects all Linux systems,... Except when it doesn't...

Story: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems
Total Replies: 5
JaseP

Jan 27, 2015
7:01 PM EDT
The announcement says that it affects all Linux systems,... Which is true,... except when it doesn't...

The bottom line is that the bug was inadvertently patched 2 years ago, but that because it wasn't listed as a security patch, it didn't get back-ported. Ars Technica also had an article about it, in which the threat was more overblown than in this article... Patches have been already released for most major distros. The kernel does not need to be restarted (but some services might have to be). The Ars Technica article made more noise about restarting services than was necessary, claiming that servers would need to be restarted and as a result, probably wouldn't be and leave them vulnerable...

So, it's "Yet Another Sky-Is-Falling Bug,"... YASB, for short...
seatex

Jan 27, 2015
7:41 PM EDT
JaseP - you know they have to over-hype anything like this whenever the opportunity arises. It's their journalistic duty to produce only the best click-bait they possibly can.
BernardSwiss

Jan 27, 2015
10:16 PM EDT
Actually, I thought it was a fairly reasonable article. (and updates with more info are being added).

Perhaps the [Ars Technica] article is a little strongly worded -- but then, apparently out of concern about the temptations for system admins to "put off" necessary measures (talking about servers, here) because of the possible/likely need to reboot the whole system.

I think this is the real issue; the human factor is always a consideration. Some people will simply not want to accept the down-time -- and won't catch and re-start all the old processes either.

edit: for clarity: it appears I was conflating the Ars Technica article with this one (which I wouldn't even describe as "strongly worded").
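Following up on the point above about admins not catching and restarting every old process: an added example, not from any poster in this thread, that finds processes still mapping the glibc that was replaced on disk. It relies on the kernel marking such mappings "(deleted)" in /proc/<pid>/maps; the sample maps lines and paths are constructed.

```shell
#!/bin/sh
# After a glibc update, long-running services keep the OLD library mapped
# until restarted. The kernel shows that as "<path> (deleted)" in
# /proc/<pid>/maps, which is what we look for here.

# Read maps-format text on stdin; print "stale" if a deleted libc mapping
# is present, "ok" otherwise. Matches libc-2.19.so and libc.so.6 styles,
# but not libcrypto & co.
check_maps_text() {
  if grep -E '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)' >/dev/null; then
    echo stale
  else
    echo ok
  fi
}

# Walk live processes and print "<pid> <comm>" for each one still using a
# deleted libc. Run as root to see every process's maps.
list_stale_libc_pids() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if [ "$(cat "$maps" 2>/dev/null | check_maps_text)" = stale ]; then
      echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
    fi
  done
}

# Constructed sample maps excerpts (not from a real host) for a self-check.
SAMPLE_STALE='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1c2a3c0000-7f1c2a3c4000 rw-p 00000000 00:00 0'
SAMPLE_OK='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2a3c0000-7f1c2a3c4000 rw-p 00000000 00:00 0'

stale_sample() { printf '%s\n' "$SAMPLE_STALE" | check_maps_text; }
ok_sample() { printf '%s\n' "$SAMPLE_OK" | check_maps_text; }

# On a freshly patched host: list_stale_libc_pids, then restart what it lists.
```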
JaseP

Jan 27, 2015
10:37 PM EDT
The problem is not the bug, the patch, or getting the word out,... The problem is people acting like, "OMG!!! Another deadly serious Linux vulnerability!!!" when none of that is really true; 1) it's not really a Linux (as in kernel) bug, it's a libc bug... 2) it's not deadly serious,... just pretty serious (as in do something about it,... but not cause a panic),... and 3) it's not really a vulnerability, in the sense that there is the potential to exploit it, on SOME services running on a server, but not all (or necessarily the most popular), and only a proof-of-concept exploit. (Caveat: I know some will take issue with my wording, especially #3,... vulnerability vs. exploit,... but the sentiment is the same no matter how you word it).

In short,... Keep on reporting security flaws,... keep on patching them,... take them seriously,... but absolutely stop the doomsday predictions... a/k/a "Worse than the XXXXXX bug!!!..." They are getting old...
mrider

Jan 28, 2015
12:31 PM EDT
Looks like we'll get more mileage* from the story than the vulnerability. I just ran apt-get update and apt-get upgrade last night, and unsurprisingly Debian has already back-ported the fix.

* Funny how I've never heard the word "kilometerage". :)
CFWhitman

Jan 28, 2015
5:25 PM EDT
So far I've only seen one service that tested out as vulnerable to this exploit, Exim. On the other hand I've seen a list of around thirty that tested out not to be vulnerable for one reason or another.