GHOST update on Symbiosis/Squeeze


#1

I have a VM running Symbiosis Squeeze (haven’t got around to updating it to Wheezy yet).

If I compile and run the GHOST vulnerability checker at http://www.openwall.com/lists/oss-security/2015/01/27/9 it says I’m vulnerable. And also it looks like libc hasn’t been updated for a few weeks:

$ ls -l /lib/libc.so.6
lrwxrwxrwx 1 root root 14 Dec 23 09:53 /lib/libc.so.6 -> libc-2.11.3.so
$ ls -l /lib/libc-2.11.3.so
-rwxr-xr-x 1 root root 1437096 Dec 22 21:08 /lib/libc-2.11.3.so

But:

$ sudo apt-get update
...
$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Is it just that Debian haven’t released an update yet? Does anyone have a simple workaround in the meantime?

I believe my system is configured correctly to receive updates. /etc/apt/sources.list has:

#
# Squeeze distribution of Debian GNU/Linux
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze main contrib non-free

#
# Squeeze updates
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze-updates main contrib non-free

#
#  Bytemark Symbiosis Packages
#
deb     http://symbiosis.bytemark.co.uk/squeeze/ ./

#
# Security updates
#
deb     http://security.debian.org/ squeeze/updates  main contrib non-free


#
# Debian 6.0 (Squeeze) LTS -- https://www.debian.org/News/2014/20140424
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze-lts main contrib non-free
deb-src http://mirror.bytemark.co.uk/debian/     squeeze-lts main contrib non-free

and /etc/apt/sources.list.security has:

#
# Squeeze distribution of Debian GNU/Linux
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze main contrib non-free

#
# Squeeze updates
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze-updates main contrib non-free

#
#  Bytemark Symbiosis Packages
#
deb     http://symbiosis.bytemark.co.uk/squeeze/ ./

#
# Security updates
#
deb     http://security.debian.org/ squeeze/updates  main contrib non-free

#
# Squeeze LTS
#
deb     http://mirror.bytemark.co.uk/debian/     squeeze-lts main contrib non-free

Regards,

Brian.


#2

The update came through now, phew :smile:

$ dpkg-query -l libc6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version             Description
+++-===================-===================-======================================================
ii  libc6               2.11.3-4+deb6u4     Embedded GNU C Library: Shared libraries
$ ls -l /lib/libc-2.11.3.so
-rwxr-xr-x 1 root root 1437096 Jan 28 00:09 /lib/libc-2.11.3.so 
$ ./GHOST
not vulnerable

Regards,

Brian.


#3

In terms of remotely accessible vulnerabilities, exim4 is the only service that ships with Symbiosis Squeeze that will be affected, as far as I know.

However the configuration used by Symbiosis means that it is not remotely vulnerable (it doesn’t do the HELO checking).

Of course local root exploits are another thing.


#4

Just don’t forget that many programs will still have the old version of libc in memory, so you either need to restart things like Exim or reboot the server.

(Check the output of: lsof | grep DEL | grep libc)
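
A way to make the same check without relying on lsof, added here as an example and not part of the thread: it reads /proc/<pid>/maps and reports processes whose libc mapping is flagged "(deleted)", meaning the pre-update library is still in memory and that process needs a restart. The function names and the sample maps lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: list processes that still map a libc
# file that has been replaced on disk since they started. Such a process is
# still running the pre-update code and needs a restart (or a reboot).
# Reads /proc/<pid>/maps directly, so it does not depend on lsof.

# deleted_libc_from_maps: read lines in /proc/<pid>/maps format on stdin and
# print each distinct libc path whose mapping is flagged "(deleted)".
deleted_libc_from_maps() {
    awk '
        # maps columns: address perms offset dev inode pathname [(deleted)]
        $NF == "(deleted)" && $(NF-1) ~ /\/libc[-.]/ { print $(NF-1) }
    ' | sort -u
}

# stale_libc_pids: print "PID COMM PATH" for every readable process whose maps
# still reference a deleted libc. Run as root to see other users' processes.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        # unreadable or vanished processes are skipped silently
        libs=$(deleted_libc_from_maps 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "${comm:-?}" "$lib"
        done
    done
}

# Constructed sample (not captured from a real host): a long-running daemon
# that still maps the pre-update libc-2.11.3.so, plus a non-deleted mapping
# and an anonymous region, neither of which should be reported.
SAMPLE_MAPS='7f1a2c000000-7f1a2c15b000 r-xp 00000000 fd:01 131073 /lib/libc-2.11.3.so (deleted)
7f1a2c15b000-7f1a2c35a000 ---p 0015b000 fd:01 131073 /lib/libc-2.11.3.so (deleted)
7f1a2c35a000-7f1a2c35e000 r--p 0015a000 fd:01 131073 /lib/libc-2.11.3.so (deleted)
7f1a2d000000-7f1a2d15b000 r-xp 00000000 fd:01 262144 /lib/libc-2.11.3.so
7fff12340000-7fff12550000 rw-p 00000000 00:00 0 [stack]'

if [ "${1:-}" = "--scan" ]; then
    stale_libc_pids          # live check of this host
else
    printf '%s\n' "$SAMPLE_MAPS" | deleted_libc_from_maps   # prints /lib/libc-2.11.3.so
fi
```

Run with --scan on the live host to get the list of PIDs to restart; with no argument it only runs against the constructed sample.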


#5

lsof | grep DEL

is a great tip, thank you!