Hi,
I just read about this major security vulnerability across multiple OSs, including Linux (presumably all flavors).
How long before a patch is available via our DigitalOcean distributions?
Two CVEs were issued for this vulnerability:
Ubuntu and Debian have already rolled out security updates to the libc6 package. The fixed versions are:
| Distro | Package Version |
|---|---|
| Ubuntu 17.04 | 2.24-9ubuntu2.2 |
| Ubuntu 16.10 | 2.24-3ubuntu2.2 |
| Ubuntu 16.04 | 2.23-0ubuntu9 |
| Ubuntu 14.04 | 2.19-0ubuntu6.13 |
| Debian 8 (jessie) | 2.19-18+deb8u10 |
| Debian 9 (stretch) | 2.24-11+deb9u1 |
You can check which version of the package is installed and if the fixed version is available by running:
- sudo apt-get update
- apt-cache policy libc6
The output will look like:
libc6:
Installed: 2.24-11
Candidate: 2.24-11+deb9u1
Version table:
2.24-11+deb9u1 500
500 http://security.debian.org stretch/updates/main amd64 Packages
*** 2.24-11 500
500 http://mirrors.digitalocean.com/debian stretch/main amd64 Packages
100 /var/lib/dpkg/status
This shows me that I have the vulnerable version (2.24-11) installed, but can install the fixed version (2.24-11+deb9u1) by running an upgrade.
Hi,
Excellent, thanks for this and the quick response. I'm assuming that Ubuntu 12.04 is no longer supported?
Best,
Barnaby
Unfortunately as Ubuntu 12.04 has reached "end of life," they will most likely not be releasing a security update targeting it.
Thanks for posting these instructions.
For Ubuntu 14.04 you'll see this:
libc6:
Installed: 2.19-0ubuntu6.13
Candidate: 2.19-0ubuntu6.13
*** 2.19-0ubuntu6.13 0
500 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
100 /var/lib/dpkg/status
2.19-0ubuntu6 0
500 http://mirrors.digitalocean.com/ubuntu/ trusty/main amd64 Packages