Question about GHOST vulnerability

There are a lot of articles about the newly revealed GHOST vulnerability. At Digital Ocean they have this blog post:

https://www.digitalocean.com/community/tutorials/how-to-protect-your-linux-server-against-the-ghost-vulnerability

Among the things they say are:

If the version of eglibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

Ubuntu 12.04 LTS: 2.15-0ubuntu10.10

Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20

Debian 7 LTS: 2.13-38+deb7u7

In our case we are using Ubuntu 10.10 and our version of eglibc is "Ubuntu EGLIBC 2.12.1-0ubuntu10.4) 2.12.1".

Is our server vulnerable or safe? Yes, I know we really should upgrade to a newer distribution and are planning to upgrade to 14.04 LTS, but that is quite time-consuming for all our servers. So in the meantime, I was wondering if we were vulnerable or not. And if so, could we just upgrade glibc and reboot in the meantime?

Thanks,

doug

19 Replies

I compiled and ran the ./GHOST test described here: https://www.linode.com/docs/security/security-patches/patching-glibc-for-the-ghost-vulnerability and the output was:

not vulnerable

So if that is true we are ok with regards to this particular vulnerability for now.

doug

2.12.1-0ubuntu10.4 is a greater (more recent) number than 2.11.1-0ubuntu7.20, so it would seem to imply you should be safe.

To quote your link, "systems that use an unpatched version of glibc from versions 2.2 to 2.17 are at risk." You said you're running an unpatched 2.12.1. One plus one equals yes, you're vulnerable to GHOST.

Given how long Ubuntu 10.10 has been unsupported, you're likely vulnerable to many other things, like Shellshock and a dozen OpenSSL issues.

Yes, you can "just" upgrade glibc. Just download the eglibc source package, backport and apply the patch for the vulnerability, and build a new package. The time spent learning how to do that might be better used upgrading to a supported distro.

Edit: synapt: That's not how it works. Ubuntu backported the patch to 10.04's eglibc 2.11.1 package, because it's still supported. They haven't backported it to 10.10 since it's long unmaintained.
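The two replies above turn on two separate points: how Debian-style package versions are ordered (so that 2.12.1-0ubuntu10.4 really does sort after 2.11.1-0ubuntu7.20), and the fact that the patched-version table is per release, so a version that sorts higher than another release's fix says nothing about whether this release's package carries the fix. The following script, added here as an illustration and not part of the thread, implements dpkg's version ordering in plain Python, parses the first line of `ldd --version` (the line doug quoted), and checks it against the table quoted from the Digital Ocean post. The `PATCHED` table and the sample `ldd` line are taken from the thread; the function names are my own.

```python
import re

# Minimum patched eglibc versions quoted in the thread (Digital Ocean table).
# A release missing from this table has no known patched package.
PATCHED = {
    "Ubuntu 12.04 LTS": "2.15-0ubuntu10.10",
    "Ubuntu 10.04 LTS": "2.11.1-0ubuntu7.20",
    "Debian 7 LTS": "2.13-38+deb7u7",
}


def _order(c):
    """dpkg ordering of a non-digit character: '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment the way dpkg does:
    alternate non-digit runs (character by character) and digit runs (numerically)."""
    while a or b:
        a_nd = re.match(r"[^0-9]*", a).group(0)
        b_nd = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(a_nd):], b[len(b_nd):]
        for i in range(max(len(a_nd), len(b_nd))):
            ca = a_nd[i] if i < len(a_nd) else ""
            cb = b_nd[i] if i < len(b_nd) else ""
            d = _order(ca) - _order(cb)
            if d:
                return 1 if d > 0 else -1
        a_d = re.match(r"[0-9]*", a).group(0)
        b_d = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(a_d):], b[len(b_d):]
        ia, ib = int(a_d or 0), int(b_d or 0)
        if ia != ib:
            return 1 if ia > ib else -1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_ldd_version(first_line):
    """Pull the package version out of the first line of `ldd --version`,
    e.g. 'ldd (Ubuntu EGLIBC 2.12.1-0ubuntu10.4) 2.12.1' -> '2.12.1-0ubuntu10.4'."""
    m = re.search(r"\(([^)]*)\)", first_line)
    if not m:
        raise ValueError("unrecognised ldd --version output")
    return m.group(1).split()[-1]


def assess(release, installed):
    """Judge an installed eglibc version for one release. Only a fix published
    for *that* release counts; a higher-sorting version from another release does not."""
    if release not in PATCHED:
        return "unknown: no patched package published for this release"
    if compare_versions(installed, PATCHED[release]) >= 0:
        return "safe"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed input: the line doug quoted, with the leading 'ldd (' restored.
    ver = parse_ldd_version("ldd (Ubuntu EGLIBC 2.12.1-0ubuntu10.4) 2.12.1")
    print("Ubuntu 10.04 LTS:", assess("Ubuntu 10.04 LTS", ver))   # sorts above the 10.04 fix
    print("Ubuntu 10.10:", assess("Ubuntu 10.10", ver))            # but 10.10 has no fix at all
```

Run on a real host, the first line of `ldd --version` replaces the constructed string; `dpkg --compare-versions` can be used to cross-check `compare_versions` where dpkg is available. The deliberate limitation is in `assess`: it refuses to reason about a release that has no published fix, which is exactly the situation for Ubuntu 10.10 in the thread.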

Yes, we definitely want to upgrade to Ubuntu 14.04 LTS. It's just a very time-consuming process and we have a lot of Linodes.

But what about the fact that our running of the GHOST test as described at https://www.linode.com/docs/security/security-patches/patching-glibc-for-the-ghost-vulnerability giving the output "not vulnerable"?

Is that a valid test?

Thanks,

doug

@mnordhoff:

Edit: synapt: That's not how it works. Ubuntu backported the patch to 10.04's eglibc 2.11.1 package, because it's still supported. They haven't backported it to 10.10 since it's long unmaintained.

Doh, completely mis-read 10.10, ignore me :(

I see. On some of our linodes we are running eglibc 2.11.1. On those servers the GHOST test is reporting "not vulnerable". On other servers we are running eglibc 2.12.1. On those servers GHOST is reporting "vulnerable".

So at the minimum we have to upgrade glibc.

doug

I don't know what's going on with the test. The report about GHOST says that the vulnerability was introduced in 2000 and fixed in 2013; on the other hand, vulnerability test programs are often buggy or have limitations. I don't know about this case, but I'm more inclined to believe that 2.11.1 is vulnerable and the test is malfunctioning than that the vulnerability announcement misstated when the bug was introduced by ten years.

Well, I've asked Support how valid their test is and I'll see what they say.

I would, of course, like to upgrade all our Ubuntu 10.10 servers to Ubuntu 14.04 LTS. And I hope to do that as soon as possible. But it seems like such a mammoth undertaking and I have no experience upgrading a distribution like that.

I know the general idea: create a new Linode with the Ubuntu 14.04 LTS distribution; use rsync (or possibly just scp) to copy over a few critical areas, such as our data and hopefully the users and their directories; shut down both servers and swap the IPs; then bring up the new linode and make sure that everything is running OK before shutting down the old linode.

But it seems pretty time consuming (unless there is a simpler process than I described) because we have a lot of linodes. That's why I was thinking maybe just a glibc upgrade in the meantime might be a good first step if this is a very dangerous vulnerability. Just to get it patched in the meantime before we do the distro upgrades. Does that make sense?

But our distro is Ubuntu 10.10 and is no longer supported, so I don't even know for sure what the best glibc is for that for this purpose.

Thanks,

doug

You should be applying any security patches to your servers as a matter of course, so just do "apt-get update" and "apt-get upgrade --dry-run" and if you see glibc in the output then you know you need to patch.

I don't think there are any more upgrades available via the apt-get command for Ubuntu 10.10. I mostly just see error messages when I try.

Thanks,

doug

If you switch your /etc/apt/sources.list to use http://old-releases.ubuntu.com/ apt will start working, but obviously there's nothing new being released. You will be able to install new out-of-date software, though.

Interesting. I will make a note of that just-in-case.

Actually, with apt-get dist-upgrade I got some upgrade messages like this:

WARNING: The following packages cannot be authenticated!

nagios-nrpe-server tzdata ntpdate initramfs-tools initramfs-tools-bin sysvinit-utils sysv-rc initscripts

openssh-server openssh-client python-apt gdb nagios-nrpe-plugin ntp

Install these packages without verification [y/N]? N

I wasn't sure about that "without verification" message so I entered N for now.

doug

Ubuntu 10.10 will be vulnerable to more than just GHOST; it's probably vulnerable to Heartbleed and Shellshock. Don't run an unsupported distro; update now. You can upgrade to 12.04, which is supported until 2017 and should cause fewer problems than upgrading to 14.04. (If you do in-place upgrades you have to upgrade to 12.04 before you can upgrade to 14.04 anyway.)

Thanks for your reply.

Support has always been very friendly to me. But I'm always polite. :) Anyway, Linode support is easy to be polite with because they always try to be supportive.

They suggested not upgrading in place though because apparently, while it works most of the time, they have seen cases where the linode won't boot afterwards. What do you think?

Obviously if we can upgrade in place to any supported version that would be a huge huge huge time saver.

Thanks,

doug

You could clone the node to a new node, then upgrade the clone in place. If it works, great; if it doesn't, you still have the old node to run off while you build a new one from scratch.

@obs:

You could clone the node to a new node, then upgrade the clone in place. If it works, great; if it doesn't, you still have the old node to run off while you build a new one from scratch.

Yes, that's what I was thinking I would try.

The "uncertainty factor" here is that I have about 40 linodes. So I'm a bit worried that I do it with one as a test and it works, but then along the way "linode 27" doesn't work. I suppose if I take a snapshot backup before each upgrade and it doesn't work I can always restore from the snapshot.

Do you think the

do-release-upgrade

mentioned at

http://askubuntu.com/questions/226102/how-can-i-upgrade-ubuntu-10-10-to-12-04

is the way to try this?

Thanks,

doug

You have 40 Linodes on 10.10? You've a lot of work ahead of you. You'll want to clone > upgrade each one (you can swap the IPs once you're happy with the upgraded clone). That's the safest way.

Or if you really want to do something sane then you should script your setup procedure using something like ansible/chef/puppet (or even bash scripts will do). That way you have a verified way of quickly setting up nodes. To get to 12.04 you have to go via 11.04, 11.10 and then to 12.04; you can only jump from one LTS release to another LTS release, i.e. 10.04 > 12.04 > 14.04.

You should stick to 12.04 or 14.04 since they're supported for 5 years from the date of release.

Whatever you do it's going to be a chore! Good luck!

Yes, that's what I keep on thinking. It's going to be a chore. I inherited this situation.

What about the in-place upgrade from 10.10 to 12.04 mentioned at the askubuntu.com site listed above? No good?

Thanks,

doug

@douglerner:

What about the in-place upgrade from 10.10 to 12.04 mentioned at the askubuntu.com site listed above? No good?

It's not supported or recommended; the official way is to upgrade through each release.

TBH, if I was in your shoes I'd replace all the servers with fresh Ubuntu 14.04 servers. The OS is supported until 2019, and then you'd have a nice clean server and you know what's on it without having to worry about any weirdness from anything you inherited.
