Puppy Linux Discussion Forum
Many Millions of Linux are affected by this security hole #2
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

PostPosted: Tue 16 Feb 2016, 23:39    Post subject:  Many Millions of Linux are affected by this security hole #2
Subject description: Glibc populates related apps
 

Reported yesterday.
_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... It's time to show that we know this!
3 Different Puppy Search Engines or use DogPile

Last edited by gcmartin on Mon 22 Feb 2016, 11:43; edited 1 time in total
slavvo67

Joined: 12 Oct 2012
Posts: 1538
Location: The other Mr. 305

PostPosted: Tue 16 Feb 2016, 23:47    Post subject:  

Do we have a puppy patch?
6502coder


Joined: 23 Mar 2009
Posts: 465
Location: Western United States

PostPosted: Wed 17 Feb 2016, 02:46    Post subject:
Subject description: Ubuntu DEBs
 

DEBs for Precise, Tahr, and Wily can be found here:

http://www.ubuntu.com/usn/usn-2900-1/

Click the link corresponding to your flavor of Ubuntu (Precise, Tahr, or Wily)
On the resulting web page, look over on the right-hand side where it says "Builds".

Click the link corresponding to your hardware (e.g. i386) to get to the list of DEBs.
You will want two DEBs, the libc6 and libc-bin.
For example for Precise you want

libc6_2.15-0ubuntu10.13_i386.deb
libc-bin_2.15-0ubuntu10.13_i386.deb

Download the DEBs and left click each to install.
greengeek


Joined: 20 Jul 2010
Posts: 5093
Location: Republic of Novo Zelande

PostPosted: Wed 17 Feb 2016, 03:45    Post subject:  

Any tips on how to identify which version of glibc a puppy has? cheers

EDIT : See this post
Enter the following in a terminal:
/lib/libc.so.6

or:
Enter the following in a terminal:
ldd --version

Last edited by greengeek on Wed 17 Feb 2016, 12:22; edited 1 time in total
Moat


Joined: 16 Jul 2013
Posts: 856
Location: Mid-mitten, USA

PostPosted: Wed 17 Feb 2016, 05:08    Post subject:
Subject description: Ubuntu DEBs
 

6502coder wrote:
DEBs for Precise, Tahr, and Wily can be found here:


Thanks @ 6502coder!

Bob
anikin

Joined: 10 May 2012
Posts: 1020

PostPosted: Wed 17 Feb 2016, 05:44    Post subject:  

Debian users see here:
https://www.debian.org/security/2016/dsa-3481
and for more details here:
https://security-tracker.debian.org/tracker/CVE-2015-7547

@ greengeek
Code:
root@debian:~# ldd --version
ldd (Debian GLIBC 2.21-8) 2.21
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
root@debian:~#
rufwoof

Joined: 24 Feb 2014
Posts: 2393

PostPosted: Wed 17 Feb 2016, 06:37    Post subject:  

anikin wrote:
Debian users see here:
https://www.debian.org/security/2016/dsa-3481
and for more details here:
https://security-tracker.debian.org/tracker/CVE-2015-7547

@ greengeek
Code:
root@debian:~# ldd --version
ldd (Debian GLIBC 2.21-8) 2.21
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
root@debian:~#

I run DD Jessie openbox with Optional Persistence (frugal boot and only preserve changes if I opt to save) and I hit a problem with applying the Debian update as per here (which also outlines how to work around that). Only applies if you use the changes=EXIT:/live/ boot parameter choice (i.e. Optional Persistence).
gcmartin

Joined: 14 Oct 2005
Posts: 6730
Location: Earth

PostPosted: Wed 17 Feb 2016, 18:56    Post subject:  

@JamesBond announces a fix to FD702, today.
rufwoof

Joined: 24 Feb 2014
Posts: 2393

PostPosted: Wed 17 Feb 2016, 19:42    Post subject:  

Not sure, but I did see additional suggestions that it might not be just glibc that needs fixing/patching, but also other things such as python.

Debian have released updates for Libre and Python today (after releasing a glibc update) http://murga-linux.com/puppy/viewtopic.php?p=890032#890032
slavvo67

Joined: 12 Oct 2012
Posts: 1538
Location: The other Mr. 305

PostPosted: Wed 17 Feb 2016, 22:48    Post subject:  

Any way to determine that the patch worked? For example, recall the Heartbleed site that tested.
anikin

Joined: 10 May 2012
Posts: 1020

PostPosted: Thu 18 Feb 2016, 06:49    Post subject:  

“A big deal”
Quote:
"It's a big deal," Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. "This is a core bedrock function across Linux. Things that do domain name lookups have a real vulnerability if the attacker can answer."

The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that use Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.
===> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/ ... there's more, much more to it, folks. Prepare to be surprised.
Burn_IT


Joined: 12 Aug 2006
Posts: 3144
Location: Tamworth UK

PostPosted: Thu 18 Feb 2016, 08:56    Post subject:  

In other words there is nothing you can do to prevent it without going right back to the source of all Linux.
_________________
"Just think of it as leaving early to avoid the rush" - T Pratchett
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 12918
Location: Arizona USA

PostPosted: Thu 18 Feb 2016, 09:44    Post subject:  

What is the practical danger, that you could go to a URL without realizing it?
Dingo


Joined: 11 Dec 2007
Posts: 1435
Location: somewhere at the end of rainbow...

PostPosted: Thu 18 Feb 2016, 10:54    Post subject:  

I remember I read that only GNU C Libraries since 2.9 are affected

so, puppy 3.01 with its

GNU C Library stable release version 2.5

is secure?

_________________
replace .co.cc with .info to get access to stuff I posted in forum
dropbox 2GB free
OpenOffice for Puppy Linux
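
Added example (not part of any post in this thread): a shell check that takes the first line of `ldd --version`, as shown earlier in the thread, and places the glibc version relative to CVE-2015-7547. The function names are hypothetical, the 2.9 lower bound and the 2.23 upstream fix release are assumptions stated in the comments, and every sample line except the Debian one is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: CVE-2015-7547 affects glibc from 2.9; upstream fixed it in 2.23.
# Distros backport the fix without changing the upstream number, so inside
# that range only the package revision from the distro advisory settles it
# (e.g. libc6 2.15-0ubuntu10.13 for Precise, per USN-2900-1 linked above).

# Extract upstream major.minor: the last field on line 1 of `ldd --version`.
glibc_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^.* \([0-9][0-9]*\.[0-9][0-9]*\)[0-9.]*$/\1/p'
}

# Numeric major.minor compare. A plain string compare would rank 2.5 above
# 2.21 and put an old Puppy's glibc inside the affected range by mistake.
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] ||
        { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# Classify the text printed by `ldd --version`.
classify_glibc() {
    v=$(glibc_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"                      # not glibc, or unparseable output
    elif ! version_ge "$v" 2.9; then
        echo "below-affected-range"
    elif version_ge "$v" 2.23; then
        echo "upstream-fixed"
    else
        echo "affected-range:check-distro-package"
    fi
}

# First sample is the Debian line posted in the thread; the rest are constructed.
for line in 'ldd (Debian GLIBC 2.21-8) 2.21' \
            'ldd (GNU libc) 2.5' \
            'ldd (GNU libc) 2.23'; do
    echo "$line -> $(classify_glibc "$line")"
done

# The running system (prints "unknown" where ldd is absent or not glibc's).
echo "this system -> $(classify_glibc "$(ldd --version 2>/dev/null)")"
```

A result of `affected-range:check-distro-package` does not mean the system is unpatched; compare the installed libc6 package revision with the one named in the distribution's advisory.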
8Geee


Joined: 12 May 2008
Posts: 1602
Location: N.E. USA

PostPosted: Thu 18 Feb 2016, 13:38    Post subject:  

I think so Flash, that does appear to be near the bottom line. Browser-Tools like Redirect Cleaner should help. But when one is running a server with a high amount of automation/networking, the browser isn't the only entrance. And further, human eyes are not involved.

If I may, my purposes and wants/needs really don't rely upon shares or servers. I toss them out of my personal-use puppy. I do leave the config files intact. If it ain't there it can't be exploited. So things like transmission, sylpheed, samba, etc are not there and don't need updates. YRMV

_________________
Linux user #498913

Some people need to reimagine their thinking.