Heads up, everyone: a Linux vulnerability discovered by Qualys, named GHOST (CVE-2015-0235), was recently disclosed. This particular vulnerability is a nasty one because it allows remote code execution.
The vulnerability is thoroughly documented in this security advisory, which you may find interesting. In short, the flaw lies in glibc's __nss_hostname_digits_dots(), which takes part in hostname resolution through gethostbyname() calls.
Am I vulnerable?
Yes, most likely. To address this, make sure you have updated and rebooted your system.
Debian and Ubuntu have released updated packages for their supported releases. Run apt-get update && apt-get dist-upgrade to update your system, then reboot to ensure that no references to the old library remain.
For other popular distributions, follow their equivalent steps to upgrade packages. For more information, you can follow our GHOST guide.
Is the Linode infrastructure vulnerable?
Our security team has worked to protect our infrastructure from this vulnerability, and we have taken the appropriate measures to address the issue across all of our systems.
Comments (9)
My server is running Ubuntu 12.04.1. Do I need to upgrade in order for this to be fixed, or will it be in the repos?
You shouldn’t need to upgrade to a new version of Ubuntu, simply updating through your package manager, then rebooting, will suffice for addressing this issue.
I run musl-libc so wasn’t vulnerable. You glibc plebs… poor sods.
My Linode is running on CentOS 6.4. I have updated the glibc package with the yum manager, but the version showing is still 2.12 after the update. I ran a script to check whether the server is affected by GHOST, and it shows the system is vulnerable. How to fix? Let me know.
A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you are not able to do a reboot — use this cmd, which relaunches only the several applications that actually use the vulnerable glibc:
for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done
From: http://blog.wallarm.com/post/109402223343/ghost-a-brief-recap-of-what-you-need-to-know
@Jonathan Leal – You don’t need to restart your server; executing lsof | grep libc | awk '{print $1}' | sort | uniq is enough.
Thanks for the quick response and posting about this, Linode. 🙂
Here is a Spanish FAQ about GHOST vulnerability:
http://www.sysadmit.com/2015/01/linux-vulnerabilidad-ghost.html
The above lsof commands have a problem!!! They only return the first 9 characters of the command name.
$ lsof | grep libc | grep redis
redis-ser 3303….
vs:
$ lsof +c 0 | grep libc | grep redis
redis-server 3303
You may well miss services that need to be restarted without “+c 0”.
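The post's advice is to reboot so that no references to the old library remain, and the comment thread works out which services to restart by grepping lsof output (with the 9-character command-name truncation caught above). The script below is an added example, not code from the Linode post or any commenter: it checks the same thing by reading /proc/PID/maps directly. When a package upgrade replaces libc, the kernel keeps serving the unlinked old file to processes that already mapped it and tags those mappings "(deleted)", so any process showing a deleted libc mapping is still running the unpatched code and needs a restart. The function names, the constructed maps lines in the comments, and the --scan flag are this example's own; it needs root to read other users' maps, and it reports the executable path from /proc/PID/exe rather than the truncated comm name.

```shell
#!/bin/sh
# Added example: find processes that still map a glibc file that has been
# replaced on disk (i.e. started before the update). Not from the post.

# stale_libc_in_maps MAPSFILE
# Prints each distinct libc path mapped as "(deleted)" in a /proc/PID/maps
# style file. Exit status 0 if at least one was found, 1 otherwise.
# Matches libc-2.19.so, libc-2.12.so, libc.so.6; not libcrypto or libcap.
stale_libc_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/libc(-[0-9.]+)?\.so/ {
             p = $(NF-1)
             if (!(p in seen)) { seen[p] = 1; n++; print p }
         }
         END { exit (n ? 0 : 1) }' "$1"
}

# stale_libc_processes
# Scans every process on the host. Prints "PID EXECUTABLE" for each process
# that still maps a deleted libc. Exit status 0 if any were found, 1 if the
# system is clean. Run as root so every /proc/PID/maps is readable.
stale_libc_processes() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if stale_libc_in_maps "$maps" >/dev/null 2>&1; then
            # /proc/PID/exe gives the full path; /proc/PID/comm is cut at
            # 15 characters, which is the same class of problem lsof has.
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            echo "$pid $exe"
            found=0
        fi
    done
    return $found
}

# Stand-alone use: sh stale-libc.sh --scan
# Example constructed maps line this script would flag (not real output):
#   7f3c8a1b2000-7f3c8a3d0000 r-xp 00000000 fd:01 1048 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
if [ "${1:-}" = "--scan" ]; then
    if stale_libc_processes; then
        echo "Restart the processes above (or reboot) to drop the old glibc."
    else
        echo "No process maps a deleted libc."
    fi
fi
```

A mapping path that itself contains spaces would confuse the field-based awk match; system libraries never do, so the check is kept simple. A clean result from this script does not mean the installed glibc is patched, only that nothing is still using a replaced copy; the package version check from the distribution is the other half.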