Does DigitalOcean have any advice on the urgent Stack Clash vulnerability?

Question

Hi,

I just read about this major security vulnerability across multiple OSs, including Linux (presumably all flavors).

https://arstechnica.com/security/2017/06/12-year-old-security-hole-in-unix-based-oses-isnt-plugged-after-all/

How long before a patch is available via our DigitalOcean distributions?

Answer 1

asb June 19, 2017

Two CVEs were issued for this vulnerability:

CVE-2017-1000364 for the Linux kernel (Ubuntu, Debian )
CVE-2017-1000366 for glibc (Ubuntu, Debian)

Ubuntu and Debian have already rolled out security updates to the libc6 package. The fixed versions are:

Distro	Package Version
Ubuntu 17.04	2.24-9ubuntu2.2
Ubuntu 16.10	2.24-3ubuntu2.2
Ubuntu 16.04	2.23-0ubuntu9
Ubuntu 14.04	2.19-0ubuntu6.13
Debian 8 (jessie)	2.19-18+deb8u10
Debian 9 (stretch)	2.24-11+deb9u1

You can check which version of the package is installed and if the fixed version is available by running:

sudo apt-get update
apt-cache policy libc6

The output will look like:

libc6:
  Installed: 2.24-11
  Candidate: 2.24-11+deb9u1
  Version table:
     2.24-11+deb9u1 500
        500 http://security.debian.org stretch/updates/main amd64 Packages
 *** 2.24-11 500
        500 http://mirrors.digitalocean.com/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

This shows me that I have the vulnerable version (2.24-11) installed, but can install the fixed version (2.24-11+deb9u1) by running an upgrade.

Reply Report

BarnabyJacobs June 19, 2017

Hi,

Excellent, thanks for this and the quick response. I’m assuming that Ubuntu 12.04 is no longer supported?

Best,

Barnaby
Reply Report
- asb June 19, 2017
  
  Unfortunately as Ubuntu 12.04 has reached “end of life,” they will most likely not be releasing a security update targeting it.
  
  Reply Report

Answer 2

BarnabyJacobs June 19, 2017

Hi,

Excellent, thanks for this and the quick response. I’m assuming that Ubuntu 12.04 is no longer supported?

Best,

Barnaby
Reply Report
- asb June 19, 2017
  
  Unfortunately as Ubuntu 12.04 has reached “end of life,” they will most likely not be releasing a security update targeting it.
  
  Reply Report

Answer 3

Somazx June 20, 2017

Thanks for posting these instructions.

For Ubuntu 14.04 you’ll see this:

libc6:
  Installed: 2.19-0ubuntu6.13
  Candidate: 2.19-0ubuntu6.13
 *** 2.19-0ubuntu6.13 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.19-0ubuntu6 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty/main amd64 Packages

Reply Report

Related

Question

Does DigitalOcean have any advice on the urgent Stack Clash vulnerability?

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Does DigitalOcean have any advice on the urgent Stack Clash vulnerability?

Leave a comment

Related

question

Is it possible to use full disk encryption on an Ubuntu 14 droplet?

question

going around in circles trying to setup Ubuntu

question

unable to access my droplet via putty or any other way using SSH keys

question

Are there access to my files from the internet?

Looking for something else?