Two CVEs were issued for this vulnerability:
Ubuntu and Debian have already rolled out security updates to the libc6
package. The fixed versions are:
| Distro | Package Version |
|---|---|
| Ubuntu 17.04 | 2.24-9ubuntu2.2 |
| Ubuntu 16.10 | 2.24-3ubuntu2.2 |
| Ubuntu 16.04 | 2.23-0ubuntu9 |
| Ubuntu 14.04 | 2.19-0ubuntu6.13 |
| Debian 8 (jessie) | 2.19-18+deb8u10 |
| Debian 9 (stretch) | 2.24-11+deb9u1 |
You can check which version of the package is installed, and whether the fixed version is available, by running:
- sudo apt-get update
- apt-cache policy libc6
The output will look like:
    libc6:
      Installed: 2.24-11
      Candidate: 2.24-11+deb9u1
      Version table:
         2.24-11+deb9u1 500
            500 http://security.debian.org stretch/updates/main amd64 Packages
     *** 2.24-11 500
            500 http://mirrors.digitalocean.com/debian stretch/main amd64 Packages
            100 /var/lib/dpkg/status
This shows me that I have the vulnerable version (2.24-11) installed, but can install the fixed version (2.24-11+deb9u1) by running an upgrade.
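To run the same check across many hosts, the comparison can be scripted. The following is an added example, not part of the original page: it implements Debian's version ordering rules and classifies `apt-cache policy libc6` output against the fixed versions in the table above. The names `FIXED`, `deb_compare`, `libc6_status` and `SAMPLE` are hypothetical.

```python
import re

FIXED = {  # fixed libc6 versions, copied from the table on this page
    "Ubuntu 17.04": "2.24-9ubuntu2.2", "Ubuntu 16.10": "2.24-3ubuntu2.2",
    "Ubuntu 16.04": "2.23-0ubuntu9", "Ubuntu 14.04": "2.19-0ubuntu6.13",
    "Debian 8 (jessie)": "2.19-18+deb8u10", "Debian 9 (stretch)": "2.24-11+deb9u1",
}

def _weight(c):
    # Debian ordering: '~' sorts before end-of-string (0), letters before other symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run (compared by weight) and a digit run (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        wa = [_weight(c) for c in na] + [0] * (len(nb) - len(na))
        wb = [_weight(c) for c in nb] + [0] * (len(na) - len(nb))
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ka, kb = (wa, int(da or 0)), (wb, int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "0")

def deb_compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def libc6_status(release, policy_text):
    """Classify `apt-cache policy libc6` output against the fixed version for release."""
    installed, candidate = (re.search(rf"{k}:\s*(\S+)", policy_text).group(1) for k in ("Installed", "Candidate"))
    if installed == "(none)":
        return "not installed"
    if deb_compare(installed, FIXED[release]) >= 0:
        return "fixed"
    if deb_compare(candidate, FIXED[release]) >= 0:
        return "vulnerable, fix available"
    return "vulnerable, no fixed candidate"

# Constructed sample: the Installed/Candidate lines from the output shown on this page.
SAMPLE = "libc6:\n  Installed: 2.24-11\n  Candidate: 2.24-11+deb9u1\n"
print(libc6_status("Debian 9 (stretch)", SAMPLE))  # vulnerable, fix available
```

On a single host, `dpkg --compare-versions` performs the same ordering test without custom code.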