1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DNS lookup vulnerability (CVE-2015-0235) in glibc (XF is a vector when on Linux)

Discussion in 'Server Configuration and Hosting' started by Xon, Jan 28, 2015.

  1. Xon

    Xon Well-Known Member

  2. Solidus

    Solidus Well-Known Member

    Got the glibc update earlier.
  3. Xon

    Xon Well-Known Member

    Depending on your distro, the update only dropped a ~3-5 hours ago.
  4. Solidus

    Solidus Well-Known Member

    glibc-2.12-1.149.el6_6.5 was what I updated to. Assuming it's safe according to this.
  5. Mike

    Mike XenForo Developer Staff Member

    I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolvings IPs back to hosts which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

    Fixing this fully likely requires a server reboot as well.
    Last edited: Jan 28, 2015
  6. teletubbi

    teletubbi Well-Known Member

    Can be done at running system. (Debian 7)
  7. MattW

    MattW Well-Known Member

    Same with CentOS, you just need to restart the services using on glibc
  8. EQnoble

    EQnoble Well-Known Member

    Isn't that only on CentOS 7 though?
  9. MattW

    MattW Well-Known Member

    No, all of them.
    EQnoble likes this.
  10. Xon

    Xon Well-Known Member

    The real issue is all the other services which use the legacy gethostbyname call.

    I haven't seen anything which says dns_get_record vulnerability, but you'ld need to check the php source to see if it goes anywhere near it. Easier to just patch and move on.

    While technically true, it is faster to just reboot the server for modern VMs.
  11. Deebs

    Deebs Well-Known Member

    The actual bug was fixed in glibc in May, 2013. However many distros still push the affected versions but some distros are already on a version that has the bug fixed and therefore not vulnerable. (ie glibc 2.18 onwards are good)
  12. EQnoble

    EQnoble Well-Known Member

    MattW likes this.
  13. MattW

    MattW Well-Known Member

    eva2000 and EQnoble like this.
  14. EQnoble

    EQnoble Well-Known Member

    I inspected it with a local build on a vm and well, it was pretty damn handy with nice clean output with my green on black shell.

    Good read, Imahafta drop that in the ole pastebin (the one in my c: drive at home of course).
    MattW likes this.
  15. eva2000

    eva2000 Well-Known Member

    EQnoble and MattW like this.
  16. EQnoble

    EQnoble Well-Known Member

    I did it manually on one and tested this on the other, and in comparison one stood still and one was moving.
  17. MattW

    MattW Well-Known Member

  18. Brogan

    Brogan XenForo Moderator Staff Member

    What I got from that was, reboot the server anyway, just to be sure :D
  19. MattW

    MattW Well-Known Member

    If you are happy you know which services need to be restarted, the a reboot isn't required. But........it's probably quicker to reload for a lot of people.

    We aren't reloading out boxes at work, as a lot of them will need a manual FSCK performing due to their uptime, and will require remote hands and eyes.
    Xon likes this.

Share This Page