Ghost security hole

Asked by William Pabon

Hi:
I recently read an article referring to the subject that affects systems running glibc-2.2 or earlier. The news said that Canonical patched all LTS releases back to 10.04. I checked my Ubuntu 12.04 LTS machine (32-bit) by running in a terminal (as instructed in the article):

williepabon@williepabon-VGN-N130G:~$ dpkg -l libc6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libc6 2.15-0ubuntu10 Embedded GNU C Library: Shared libraries
williepabon@williepabon-VGN-N130G:~$

Does this mean that the library in my machine is not patched yet? So, I ran a s/w update on my machine,

sudo apt-get update
sudo apt-get upgrade

After that, I rebooted and ran dpkg -l libc6 again, but got the same previous results. Please advise. Thanks.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Manfred Hampl

actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug

Best Manfred Hampl (m-hampl) said :
#2

I assume you are talking about CVE-2015-0235

If you look at http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0235.html you see that the programs for Ubuntu have been updated.

Standard procedure for Ubuntu is not to update the whole package to the latest release, but to apply the relevant patches to the older version and only update the last digits of the version string.

What is the output of the terminal commands

uname -a
lsb_release -crid
dpkg -l | grep libc6

(Please note that "dpkg -l libc6" cuts the version string after 14 digits; with "dpkg -l | grep libc6" you should see all characters.)

William Pabon (williepabon) said :
#3

Manfred:

Thanks for your answer! Yes, I'm referring to CVE-2015-0235, and running your expanded dpkg command shows:

williepabon@williepabon-VGN-N130G:~$ dpkg -l | grep libc6
ii libc6 2.15-0ubuntu10.10 Embedded GNU C Library: Shared libraries
ii libc6-dev 2.15-0ubuntu10.10 Embedded GNU C Library: Development Libraries and Header Files

that the libraries in my machines were updated. Thanks again.

William Pabon (williepabon) said :
#4

Thanks Manfred Hampl, that solved my question.