Terrible security hole Tuesday today
Check out phoronix.com. glibc has had a big security flaw since 2.34, big enough for critical Debian Servers to go "shields up" until patched.
X also has a few vulnerabilities in it that have gone undiscovered since I was in grad school (I saw Jerry Garcia live my freshman year and he had years of touring left in him).
Here's some actual information:
* Qualys announced a Local Privilege Escalation in the glibc's ld.so that grants full root privileges.
* Most distros use glibc and will be affected - Debian, Fedora and Ubuntu, were all cited, but only a few (like Alpine) do not use glibc and so will avoid the issue.
* Security code is CVE-2023-4911.
It is not specific to glibc 2.34 - there are patches for 2.31 in Debian 11 Bullseye and 2.36 in Debian 12 Bookworm both released today. (At time of writing Debian's security tracker shows Testing and Unstable remain vulnerable; a reminder that these are not secure releases but development tools.) If in doubt, simply make sure your OS has security updates enabled and update.
I'm not actually qualified to give actual information so heads up is all I can give.
I'm guessing Linux caps would be a good way not to have to deal with this? I try to use caps in place of setuid whenever I can.
Code:
Given its role, the dynamic loader is highly security-sensitive, as its code runs with elevated privileges when a local user launches a set-user-ID or set-group-ID program.
The good news is that the X vulnerabilities apparently haven't hit anyone during the past 38 years...
Quote:
(Debian GLIBC 2.37-12) 2.37 already updated and fixed.
Quote:
Do you conclude that because Debian patched 2.31, 2.31 has the exploit? My concern arises because I run the stable edition of Slackware-64, version 15.0. It has a pre-2.34 (2.33) glibc.
I conclude that Debian's 2.31-13+deb11u6 has the exploit because Debian released an advisory stating it is vulnerable to the exploit, along with version 2.31-13+deb11u7 to resolve that vulnerability.
If the flaw was introduced in April 2021, then presumably it was carried over with one of the eight updates that Debian's 2.31 received between April 2021 and now. Whether Slackware's version has the exploit is a question for Slackware's Security Team. Given that glibc is a core package, the lack of any Slackware security advisory probably means that it does not, but being neither a Slackware user nor on their Security Team, I cannot confirm that.
Does Debian provide a documented list of all updates that have been made available to Debian 12? As an example, if you want to check whether all updates have been applied to your system, is there a document showing all updates made available?
Based on the documentation, here is the way to check it:
Code:
env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
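The check posted above, wrapped so that the outcome is read from the exit status instead of the terminal; this is an added example, not part of the thread. It assumes that a crash with SIGSEGV (shell status 139) indicates an unpatched loader and a clean exit a patched one, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: run the posted check and classify the result.
# Assumption: SIGSEGV (shell status 128+11 = 139) means the loader is unpatched;
# a clean exit means the malformed tunable was handled safely.

# classify_status STATUS: map an exit status to a verdict (hypothetical helper).
classify_status() {
    case "$1" in
        0)   echo "NOT_VULNERABLE" ;;
        139) echo "VULNERABLE" ;;
        *)   echo "UNKNOWN" ;;   # 126/127 or any other failure: no conclusion
    esac
}

# run_probe CMD [ARGS...]: run CMD with an empty environment plus the malformed
# GLIBC_TUNABLES value and the long padding variable, then print its exit status.
run_probe() {
    pad=$(printf '%08192x' 1)
    status=0
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$pad" \
        "$@" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# check_loader [CMD ARGS...]: defaults to the thread's target, /usr/bin/su --help.
# Assumption: only a set-user-ID target exercises the privileged loader path,
# so anything else is reported as UNKNOWN rather than as safe.
check_loader() {
    [ "$#" -gt 0 ] || set -- /usr/bin/su --help
    if [ ! -u "$1" ]; then
        echo "UNKNOWN"
        return 0
    fi
    classify_status "$(run_probe "$@")"
}

check_loader "$@"
```

A result of UNKNOWN means the probe could not run against a set-user-ID binary; in that case compare the installed glibc package version against the distribution's advisory instead.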