
Internet panic of the week:  CVE-2015-7547 glibc getaddrinfo stack-based buffer overflow

Question asked by jerryl on Feb 17, 2016
Latest reply on Feb 17, 2016 by ben.fariello

A bug has been reported in some of the basic network support code distributed with Linux.  The bug - which can allow significant attacks - has been in the code of all versions of Linux since 2008.  The various Linux distributions are working on making patches available.

 

  1. If you are running openSUSE 12.3, it's likely that no patch will ever be shipped.  The openSUSE project ended all support for 12.3 last summer.  You must migrate your instance to a new OVA based on openSUSE 13.2.  Note that the next release of VMTurbo will require this migration in any case.  You can check the version of your instance by typing the command "cat /etc/os-release".
  2. A patch is in the process of being developed for openSUSE 13.2, but at the time this was written, it appears not to be available yet.  You can use the zypper command to check for and apply available updates.  If you type zypper lu at the command line of your VMTurbo instance, you'll find a list of all patches that are available.  Look for a line like the following: 

v | openSUSE_13.2_Updates | glibc                             | 2.19-16.9.1                  | 2.19-16.18.1                   | x86_64

 

       When a patch for this bug becomes available the second number will be greater than 2.19-16.18.1.
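
The check described in step 2, as an added example that is not part of the original post: it reads `zypper lu` table output and reports whether the glibc version on offer is greater than 2.19-16.18.1. The function names are hypothetical, the second sample row uses a constructed version number, and `sort -V` (GNU coreutils) is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: is the glibc update offered by `zypper lu` newer than the
# version quoted in the post?

BASELINE="2.19-16.18.1"   # threshold stated in the post

# Print the "Available Version" column of the glibc row from `zypper lu` output.
glibc_available() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $3 == "glibc" { print $5; exit }
    '
}

# Succeed only if version $1 sorts strictly after version $2.
version_gt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Read `zypper lu` output on stdin.
# Exit status: 0 = newer glibc offered, 1 = not newer, 2 = no glibc row found.
check_glibc_update() {
    _avail="$(glibc_available)"
    if [ -z "$_avail" ]; then
        echo "no glibc update listed"
        return 2
    fi
    if version_gt "$_avail" "$BASELINE"; then
        echo "glibc $_avail offered: newer than $BASELINE"
        return 0
    fi
    echo "glibc $_avail offered: not newer than $BASELINE"
    return 1
}

# Constructed sample rows: the first is the line quoted in the post, the
# second uses a hypothetical later version purely to exercise the comparison.
SAMPLE_OLD='v | openSUSE_13.2_Updates | glibc | 2.19-16.9.1 | 2.19-16.18.1 | x86_64'
SAMPLE_NEW='v | openSUSE_13.2_Updates | glibc | 2.19-16.18.1 | 2.19-16.21.1 | x86_64'

printf '%s\n' "$SAMPLE_OLD" | check_glibc_update || true
printf '%s\n' "$SAMPLE_NEW" | check_glibc_update || true
```

On a live instance the same function takes the real listing: `zypper lu | check_glibc_update`.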
