Does DigitalOcean have any advice on the urgent Stack Clash vulnerability?

June 19, 2017 643 views
Security Ubuntu

Hi,

I just read about this major security vulnerability across multiple OSs, including Linux (presumably all flavors).

https://arstechnica.com/security/2017/06/12-year-old-security-hole-in-unix-based-oses-isnt-plugged-after-all/

How long before a patch is available via our DigitalOcean distributions?

2 Answers

Two CVEs were issued for this vulnerability:

Ubuntu and Debian have already rolled out security updates to the libc6 package. The fixed versions are:

| Distro | Package Version |
|---|---|
| Ubuntu 17.04 | 2.24-9ubuntu2.2 |
| Ubuntu 16.10 | 2.24-3ubuntu2.2 |
| Ubuntu 16.04 | 2.23-0ubuntu9 |
| Ubuntu 14.04 | 2.19-0ubuntu6.13 |
| Debian 8 (jessie) | 2.19-18+deb8u10 |
| Debian 9 (stretch) | 2.24-11+deb9u1 |

You can check which version of the package is installed and if the fixed version is available by running:

  • sudo apt-get update
  • apt-cache policy libc6

The output will look like:

libc6:
  Installed: 2.24-11
  Candidate: 2.24-11+deb9u1
  Version table:
     2.24-11+deb9u1 500
        500 http://security.debian.org stretch/updates/main amd64 Packages
 *** 2.24-11 500
        500 http://mirrors.digitalocean.com/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

This shows me that I have the vulnerable version (2.24-11) installed, but can install the fixed version (2.24-11+deb9u1) by running an upgrade.
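The check described in the answer above can be automated across a fleet. The following is an added example, not part of the original answer: it parses `apt-cache policy libc6` output and compares the installed and candidate versions against the fixed versions from the table, using Debian's version-ordering rules. The function names (`compare`, `libc6_status`) and the `SAMPLE` string are this example's own; the sample is built from the stretch output quoted above.

```python
import re

# Fixed libc6 versions, copied from the table in the answer above.
FIXED = {"Ubuntu 17.04": "2.24-9ubuntu2.2", "Ubuntu 16.10": "2.24-3ubuntu2.2",
         "Ubuntu 16.04": "2.23-0ubuntu9", "Ubuntu 14.04": "2.19-0ubuntu6.13",
         "Debian 8 (jessie)": "2.19-18+deb8u10",
         "Debian 9 (stretch)": "2.24-11+deb9u1"}
# Sample input: first lines of the stretch output quoted in the answer.
SAMPLE = "libc6:\n  Installed: 2.24-11\n  Candidate: 2.24-11+deb9u1\n"

def _order(c):
    # Debian ordering: '~' sorts before end-of-string, letters before symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for i in range(max(len(pa), len(pb))):
            x = _order(pa[i]) if i < len(pa) else 0
            y = _order(pb[i]) if i < len(pb) else 0
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':',
    # revision starts after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream, rev) if sep else (rest, "")

def compare(v1, v2):
    """Return -1, 0 or 1, like `dpkg --compare-versions` would decide."""
    (e1, p1), (e2, p2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(p1[0], p2[0]) or _cmp_part(p1[1], p2[1])

def libc6_status(policy_text, release):
    installed = re.search(r"Installed:\s*(\S+)", policy_text).group(1)
    candidate = re.search(r"Candidate:\s*(\S+)", policy_text).group(1)
    if installed == "(none)":
        return "not installed"
    if compare(installed, FIXED[release]) >= 0:
        return "patched"
    return "upgrade available" if compare(candidate, FIXED[release]) >= 0 else "no fixed candidate"
```

`libc6_status(SAMPLE, "Debian 9 (stretch)")` reports that an upgrade is available, matching the reading given in the answer.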

  • Hi,

    Excellent, thanks for this and the quick response. I'm assuming that Ubuntu 12.04 is no longer supported?

    Best,

    Barnaby

    • Unfortunately as Ubuntu 12.04 has reached "end of life," they will most likely not be releasing a security update targeting it.

Thanks for posting these instructions.

For Ubuntu 14.04 you'll see this:

libc6:
  Installed: 2.19-0ubuntu6.13
  Candidate: 2.19-0ubuntu6.13
 *** 2.19-0ubuntu6.13 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.19-0ubuntu6 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty/main amd64 Packages