I have yum set to download and install all updates automatically, my
question was if I look at yum.log and see glibc updated 2 days ago but not a
package like BIND, am I still vulnerable. Sounds like I am OK.
-----Original Message-----
From: Paul Stewart
Sent: Friday, February 19, 2016 4:59 AM
To: af@afmug.com
Subject: Re: [AFMUG] update and patch your linux servers, people!
Glibc is widely used .. (including in the kernel code as well) ... perhaps
the question is, why wouldn't you update everything?
-----Original Message-----
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ken Hohhof
Sent: Thursday, February 18, 2016 9:00 PM
To: af@afmug.com
Subject: Re: [AFMUG] update and patch your linux servers, people!
OK, at the risk of exposing my ignorance, is it sufficient to update glibc
(I see that yum-cron has already done this for me), and perhaps to restart
some services like named? Or is glibc compiled into packages like BIND and
those need to be updated?
I'm thinking the glibc libraries are not compiled into the applications but
are called at run time, but I really don't know.
-----Original Message-----
From: Josh Reynolds
Sent: Thursday, February 18, 2016 4:53 PM
To: af@afmug.com
Subject: Re: [AFMUG] update and patch your linux servers, people!
#oldnews
Another thing you want to do is limit inbound dns responses to 1024
and less on most platforms, including mikrotik. They may use uClibc
though, I am not sure.
Most UBNT devices are not vulnerable to this, although EdgeRouter and
CloudKey were (and probably that old ubnt nvr appliance). Thankfully
they both receive patches from debian upstream, so it's just an
apt-get update ; apt-get upgrade -y away.
On Thu, Feb 18, 2016 at 4:48 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
http://www.kb.cert.org/vuls/id/457759
If it has glibc on it and looks up things by DNS, it needs to be patched.
That's just about every Linux distro in existence.
