Critical security vulnerability in Linux (CVE-2015-7547, getaddrinfo)


A critical security issue in Linux in a core system library has come to light. Although exploits are considered improbable, there’s a risk that malicious people will be able to cause system processes to crash by making certain mail/web/etc. requests that trigger certain sorts of DNS queries.

(For advanced folks, there’s fun exploit proof-of-concept code.)

Ubuntu has posted an update. Since Mail-in-a-Box automatically installs security updates I believe that the update will be installed automatically tonight, but you will need to manually reboot the machine in any case.

To update your system manually, and to be sure the update was installed, log in with SSH and run:

sudo apt-get update && sudo apt-get upgrade

Then reboot by running:

sudo reboot

To check if you have the new version of the system library (libc6) run (after logging back in with SSH):

dpkg -l libc6 | grep libc6

You should see in the third column the version 2.19-0ubuntu6.7. Any previous version such as 2.19-0ubuntu6.6 does not have the update.


^ Post has been updated. Ubuntu has posted an update.


This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.