How to tell if Debian install is vulnerable to the GHOST exploit

Posted in Linux/Unix/BSD -

The CVE-2015-0235 "GHOST" exploit exposes a buffer overflow in glibc gethostbyname. This post shows how you can tell if your Debian Squeeze or Lenny install is affected and how to patch it.

The CVE-2015-0235 exploit

Track the exploit and updates to Debian here at the Debian security tracker.

Squeeze / Debian 6 & Wheezy / Debian 7 are affected until updates are applied. There are security updates in place already, so you just need to update/upgrade your distro.

When eglibc is at version 2.11.3-4+deb6u4 or higher on Squeeze or 2.11.13-38+deb7u7 or higher on Wheezy, then you are OK and the exploit is patched. Note that you are looking for the "deb6u4" and "deb7u7" part. So the next version for Squeeze would be deb6u5, deb6u6 and so on.

How can I tell if my server is affected?

Run this from the command line:

ldd --version

Look at the first line for the eglibc version; the following example is from an unpatched Debian Squeeze server:

ldd (Debian EGLIBC 2.11.3-4+deb6u1) 2.11.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
Written by Roland McGrath and Ulrich Drepper.

Note that the version is 2.11.3-4+deb6u1, so it's affected.

How to update

Of course you'll regularly update your Debian servers so know how to do this already ;)

apt-get update
apt-get upgrade

You'll need to reboot your server after doing the updates, because of the reliance various services and applications have on glibc / eglibc.

What about Debian Lenny?

There do not appear to be any plans to patch Lenny, so you're out of luck for an easy update. There's some instructions here at serverfault about how to do a source patch to do it yourself.

Related posts: