How to Patch Linux Systems to Protect Against the GHOST Vulnerability

Bob Cromwell, the other security author on this blog, wrote about the GHOST vulnerability in the Linux glibc library. He explained what glibc (“the C library”) is and about the origin of the GHOST vulnerability. He ended with, “Patches are easy to check and easy to apply, so keep your servers safe!” Since I updated a system’s glibc when the issue was announced, I’d like to share with you just how easy the patch is to apply.

There are two common flavors of package management on Linux systems: apt-get and yum. Yes, there are others, such as zypper for SUSE Linux Enterprise Server, but these are the most common. One can also update packages with GUI tools. Since the system I updated the other week was CentOS, I used yum, the “Yellowdog Updater, Modified”. I could have used RPM directly, but yum is easy. As Bob promised, the update was simple. I typed

sudo yum clean all
sudo yum update glibc

and the old glibc was replaced with the new, updated one. I did have to reboot afterwards so that programs which still had the old version loaded would pick up the new version when the system restarted.

I then tested the update to ensure it was completed correctly:

sudo rpm -q --changelog glibc | grep CVE-2015

This test searches the changelog that rpm keeps for the installed glibc package (updates applied via yum are recorded there too) for entries mentioning CVE-2015, i.e. any vulnerability listed in the CVE (Common Vulnerabilities and Exposures) list in 2015. It found the GHOST fix, which is CVE-2015-0235:

- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533)


So it appears the update was indeed installed.

On my Ubuntu VM I used apt-get. First I had to run

sudo apt-get update

This refreshed the database of available packages and their current versions. Since I seldom use that VM and hadn’t updated it in a while, there were a lot of updates to perform (as a popup told me). I then went to update the glibc library with

sudo apt-get upgrade

Note that I had to do both: update, to refresh the list of available packages and dependencies, and upgrade, to actually upgrade all the packages on the system that needed upgrading.
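The verification step above and the reboot check are easy to script for both package flavors. The following is an added example, not part of the original post; it assumes rpm on yum-based hosts, dpkg on apt-based hosts, and that Debian-style hosts ship the C library changelog at /usr/share/doc/libc6/changelog.Debian.gz (an assumption, not from the post). It also goes one step beyond the post by checking /proc for processes that still map the old, now-deleted libc, which tells you whether a restart is still pending.

```shell
#!/bin/sh
# Added example (not from the original post): script the glibc changelog check for
# both yum/rpm and apt/dpkg hosts, and report processes still using the old libc.
# Assumptions: rpm or dpkg is on the PATH; the Debian changelog path below is assumed.

GHOST_CVE="CVE-2015-0235"

# changelog_mentions_cve TEXT CVE: succeeds if TEXT contains CVE. Parsing is kept
# separate from collection so it can be exercised on a constructed changelog.
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# installed_glibc_changelog: print the changelog of the installed C library.
installed_glibc_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null          # what the post runs
    elif command -v dpkg >/dev/null 2>&1; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz 2>/dev/null   # assumed path
    fi
}

# ghost_status: print "patched" or "unpatched" based on the installed changelog.
ghost_status() {
    if changelog_mentions_cve "$(installed_glibc_changelog)" "$GHOST_CVE"; then
        echo patched
    else
        echo unpatched
    fi
}

# stale_libc_pids [PROC_DIR]: list PIDs whose memory map still references a
# deleted libc file, i.e. the copy that the update replaced on disk.
stale_libc_pids() {
    dir=${1:-/proc}
    for maps in "$dir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libc[.-].*(deleted)' "$maps" 2>/dev/null; then
            basename "$(dirname "$maps")"
        fi
    done
}

# count_stale_libc [PROC_DIR]: number of such processes; 0 means no restart is due.
count_stale_libc() {
    stale_libc_pids "$1" | wc -l | tr -d ' '
}

echo "glibc status: $(ghost_status)"
echo "processes still holding the old libc: $(count_stale_libc /proc)"
```

A non-zero process count after the update means those services (or the whole system, as in the post) still need restarting before the fix is effective for them.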

Keeping system software up to date is important, and the yum and apt-get tools make that easy. If you get behind, as I sometimes do, there may be lots of updates and they may take a lot of time to install. Some, of course, are functionality improvements and some are security updates; the latter are important to install as soon as practical. Be aware that updates occasionally break applications. As we mention in Learning Tree’s System and Network Security Introduction, you should test patches on non-production systems first to avoid issues and potential failures on production systems.

To your safe computing,
John McDermott
