Wednesday, February 17, 2016

Security Notification: glibc getaddrinfo() stack-based buffer overflow (CVE-2015-7547)


It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. You can find more information about the issue in this post:

All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers.

Please take a moment to check if your image is vulnerable by following the instructions in our wiki:
https://wiki.bitnami.com/security/2016-02-17_glibc_getaddrinfo()_stack-based_buffer_overflow_(CVE-2015-7547)

You can update glibc by running the command below that matches your distribution:

  • Ubuntu
    sudo apt-get update && sudo apt-get install unattended-upgrades && sudo unattended-upgrade
    Fixed glibc version: 2.19-0ubuntu6.7

  • Debian
    sudo apt-get update && sudo apt-get install unattended-upgrades && sudo unattended-upgrade
    Fixed glibc version: 2.13-38+deb7u10

  • Oracle Linux
    sudo yum update glibc
    Fixed glibc version: 2.12-1.166.el6_7.7

  • Amazon Linux
    sudo yum update glibc
    Fixed glibc version: glibc-2.17-106.166.amzn1.x86_64

  • Red Hat Linux
    sudo yum update glibc
    Fixed glibc version: 2.12-1.166.el6_7.7
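As an added example (not Bitnami's own tooling), the following script compares the glibc version reported by the local package manager against the fixed versions listed above, so the check can be scripted across many images. The version ordering is a simplified rpmvercmp-style comparison that is assumed adequate for the version strings shown here; the distribution keys and the `--qf` query format are this example's own choices.

```python
#!/usr/bin/env python3
"""Check an installed glibc version against the fixed versions for CVE-2015-7547.
Added example, not Bitnami's tooling."""
import re
import subprocess
import sys

# Fixed versions exactly as listed in the notification above, keyed by distribution.
FIXED_GLIBC = {
    "ubuntu": "2.19-0ubuntu6.7",
    "debian": "2.13-38+deb7u10",
    "oracle": "2.12-1.166.el6_7.7",
    "amazon": "glibc-2.17-106.166.amzn1.x86_64",
    "redhat": "2.12-1.166.el6_7.7",
}

def normalize(version):
    """Strip a leading package name, a trailing architecture and a Debian epoch,
    so 'glibc-2.17-106.166.amzn1.x86_64' and '2.17-106.166.amzn1' compare equal."""
    version = re.sub(r"^glibc-", "", version)
    version = re.sub(r"\.(x86_64|i686|noarch|amd64)$", "", version)
    if ":" in version:
        version = version.split(":", 1)[1]
    return version

def version_key(version):
    """Ordering key: alternating numeric and alphabetic runs, separators ignored,
    numeric runs compared as integers and ranked above alphabetic ones
    (simplified rpmvercmp; assumed sufficient for the formats above)."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", normalize(version))]

def is_fixed(distro, installed):
    """True when the installed glibc is at or above the fixed version for distro."""
    return version_key(installed) >= version_key(FIXED_GLIBC[distro])

def installed_glibc_version(distro):
    """Ask the package manager for the installed glibc version (libc6 on Debian/Ubuntu)."""
    if distro in ("ubuntu", "debian"):
        cmd = ["dpkg-query", "-W", "-f=${Version}", "libc6"]
    else:
        cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "glibc"]
    return subprocess.check_output(cmd, text=True).strip()

if __name__ == "__main__":
    distro = sys.argv[1]  # one of the FIXED_GLIBC keys
    installed = installed_glibc_version(distro)
    state = "fixed" if is_fixed(distro, installed) else "VULNERABLE"
    print(f"{distro}: glibc {installed} is {state} (fixed: {FIXED_GLIBC[distro]})")
```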

If you have any questions about this process, please post to our community support forum and we will be happy to help!