Does DigitalOcean have any advice on the urgent Stack Clash vulnerability?

Posted on June 19, 2017

Security

Ubuntu

By Barnaby Jacobs

Hi,

I just read about this major security vulnerability across multiple OSs, including Linux (presumably all flavors).

https://arstechnica.com/security/2017/06/12-year-old-security-hole-in-unix-based-oses-isnt-plugged-after-all/

How long before a patch is available via our DigitalOcean distributions?

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Andrew SB

June 19, 2017

Two CVEs were issued for this vulnerability:

CVE-2017-1000364 for the Linux kernel (Ubuntu, Debian )
CVE-2017-1000366 for glibc (Ubuntu, Debian)

Ubuntu and Debian have already rolled out security updates to the libc6 package. The fixed versions are:

Distro	Package Version
Ubuntu 17.04	2.24-9ubuntu2.2
Ubuntu 16.10	2.24-3ubuntu2.2
Ubuntu 16.04	2.23-0ubuntu9
Ubuntu 14.04	2.19-0ubuntu6.13
Debian 8 (jessie)	2.19-18+deb8u10
Debian 9 (stretch)	2.24-11+deb9u1

You can check which version of the package is installed and if the fixed version is available by running:

sudo apt-get update
apt-cache policy libc6

The output will look like:

libc6:
  Installed: 2.24-11
  Candidate: 2.24-11+deb9u1
  Version table:
     2.24-11+deb9u1 500
        500 http://security.debian.org stretch/updates/main amd64 Packages
 *** 2.24-11 500
        500 http://mirrors.digitalocean.com/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

This shows me that I have the vulnerable version (2.24-11) installed, but can install the fixed version (2.24-11+deb9u1) by running an upgrade.

Somazx

June 20, 2017

Thanks for posting these instructions.

For Ubuntu 14.04 you’ll see this:

libc6:
  Installed: 2.19-0ubuntu6.13
  Candidate: 2.19-0ubuntu6.13
 *** 2.19-0ubuntu6.13 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.19-0ubuntu6 0
        500 http://mirrors.digitalocean.com/ubuntu/ trusty/main amd64 Packages

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

View all products

Get started for free

Get started

*This promotional offer applies to new accounts only.