Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Check out phoronix.com glibc has had a big security flaw since 2.34, big enough for critical Debian Servers to go "shields up" until patched.
X also has a few vulnerabilities in it that have gone undiscovered since I was grad school ( I saw Jerry Garcia live my freshman year and he had years of touring left in him).
Here's some actual information:
* Qualys announced a Local Privilege Escalation in the glibc's ld.so that grants full root privileges.
* Most distros use glibc and will be affected - Debian, Fedora and Ubuntu, were all cited, but only a few (like Alpine) do not use glibc and so will avoid the issue.
* Security code is CVE-2023-4911
It is not specific to glibc 2.34 - there are patches for 2.31 in Debian 11 Bullseye and 2.36 in Debian 12 Bookworm both released today.
(At time of writing Debian's security tracker shows Testing and Unstable remain vulnerable; a reminder that these are not secure releases but development tools.)
If in doubt, simply make sure your OS has security updates enabled and update.
I'm guessing Linux caps would be a good way not to have to deal with this? I try to use caps in place of setuid whenever I can.
Code:
Given its role, the dynamic loader is highly security-sensitive, as its code runs with elevated privileges when a local user launches a set-user-ID or set-group-ID program.
This is already patched in my distro. I feel bad for the IT pros that have to patch all those machines and restart all those servers!
Here's some actual information:
* Qualys announced a Local Privilege Escalation in the glibc's ld.so that grants full root privileges.
* Most distros use glibc and will be affected - Debian, Fedora and Ubuntu, were all cited, but only a few (like Alpine) do not use glibc and so will avoid the issue.
* Security code is CVE-2023-4911
It is not specific to glibc 2.34 - there are patches for 2.31 in Debian 11 Bullseye and 2.36 in Debian 12 Bookworm both released today.
(At time of writing Debian's security tracker shows Testing and Unstable remain vulnerable; a reminder that these are not secure releases but development tools.)
If in doubt, simply make sure your OS has security updates enabled and update.
Debian unstable has :
(Debian GLIBC 2.37-12) 2.37
already updated and fixed.
It is not specific to glibc 2.34 - there are patches for 2.31 in Debian 11 Bullseye and 2.36 in Debian 12 Bookworm both released today
Quote:
Originally Posted by https://www.openwall.com/lists/oss-security/2023/10/03/2
This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").
How can I reconcile these apparently contradictory statements, in particular with reference to pre-2.34 glibc such as 2.31?
Do you conclude that because Debian patched 2.31, 2.31 has the exploit?
My concern arises because I run the stable edition of Slackware-64, version 15.0.
It has a pre-2.34 (2.33) glibc.
I conclude that Debian's 2.31-13+deb11u6 has the exploit because Debian released an advisory stating it is vulnerable to the exploit, along with version 2.31-13+deb11u7 to resolve that vulnerability.
If the flaw was introduced in April 2021, then presumably it was carried over with one of the eight updates that Debian's 2.31 received between April 2021 and now.
Whether Slackware's version has the exploit is a question for Slackware's Security Team.
Given that glibc is a core package, the lack of any Slackware security advisory probably means that it does not, but being neither a Slackware user nor on their Security Team, I cannot confirm that.
Debian released an advisory stating it is vulnerable to the exploit, along with version 2.31-13+deb11u7 to resolve that vulnerability
If the flaw was introduced in April 2021, then presumably it was carried over with one of the eight updates that Debian's 2.31 received between April 2021 and now.
I think you're saying the flaw introduced into glibc 2.34 was probably back-ported by Debian into their copy of 2.31. That clears it up for me, thank you.
Does Debian provide a documented list of all updates that have been made available to Debian 12? As an example you want to check if all updates have been applied to your system is there a document showing all updates made available ?
Does Debian provide a documented list of all updates that have been made available to Debian 12? As an example you want to check if all updates have been applied to your system is there a document showing all updates made available ?
You can see the history of everything installed, upgraded and removed in the logs in /var/log/apt. You can see the changelog for each package with apt-get changelog <package>. You can also use apt-cache policy <package> to see the currently installed version and the update candidate.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.