While it is only necessary to ensure that all processes are not using the old glibc anymore, it is recommended to reboot the machines after applying the security upgrade.
On Debian there is also the tool checkrestart available; it is part of the debian-goodies package. This might be useful if a reboot is (currently) not possible.
apt-get install debian-goodies
Then you can run:
checkrestart
And it will list services which require a restart. For example:
service sudo restart
service ssh restart
service cron restart
service ...
On Debian 8 (Jessie) I had to restart the systemd services as well:
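The check the post above leans on checkrestart for can also be done by hand: after the libc6 upgrade the kernel tags any still-mapped copy of the old library as "(deleted)" in /proc/<pid>/maps. The script below is an added example (not checkrestart and not from the thread); the maps lines it parses by default are constructed samples, and `--scan` walks the live /proc instead.

```sh
#!/bin/sh
# Added example: find processes still mapping a replaced libc after a glibc
# upgrade, by reading /proc/<pid>/maps. A mapped file that was unlinked or
# replaced on disk shows up with a trailing "(deleted)".

# Read maps lines on stdin; print "stale" if a deleted libc is mapped, else "ok".
# Matches both "libc-2.19.so" and "libc.so.6" style names, not libcrypto etc.
libc_map_state() {
    if grep -E '/libc(-[0-9.]+)?\.so[0-9.]* \(deleted\)$' >/dev/null; then
        echo stale
    else
        echo ok
    fi
}

# Walk /proc and print "<pid> <cmdline>" for every process needing a restart.
# Processes that exit mid-scan or whose maps are unreadable are skipped.
find_stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        state=$(libc_map_state < "$maps" 2>/dev/null) || continue
        if [ "$state" = stale ]; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample maps lines (not captured from a real host).
SAMPLE_STALE='7f1a00000000-7f1a001c0000 r-xp 00000000 08:01 131074 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)'
SAMPLE_OK='7f1a00000000-7f1a001c0000 r-xp 00000000 08:01 131074 /lib/x86_64-linux-gnu/libc-2.19.so'

if [ "${1:-}" = "--scan" ]; then
    find_stale_libc_pids
else
    printf '%s\n' "$SAMPLE_STALE" | libc_map_state   # stale
    printf '%s\n' "$SAMPLE_OK" | libc_map_state      # ok
fi
```

Anything the scan lists (sshd, cron, sudo sessions, and so on) is still running the vulnerable code regardless of what dpkg reports, which is why the advisory recommends a reboot.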
Just out of interest: How is this classified medium by Ubuntu? If someone manages to bypass ASLR this is a remote exploit on every SSH server running glibc out there? Or did I misunderstand something?
Out of the box SSH seems to use getaddrinfo:
reverse mapping checking getaddrinfo for <host> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!
Does "DNE" mean there's no patch coming at all, or none yet? What about pending?
Also, why is all this important and useful information scattered all over the place? Ubuntu people, if you're reading, on this page: http://packages.ubuntu.com/trusty/libc6 I think you should have a history of updates to the package, and which security vulnerabilities it covers, with a link back to the above linked page. Looking at this page, looking at my system, looking at the news, I kind of have no idea what's going on.
I was going to complain that this people.canonical.com CVE page should also be linked from some sort of Ubuntu security bulletin, but I googled first and found that that's exactly where it's linked from. Still, I somehow reckon I would have never thought of that if not for this conversation. It should perhaps be linked from the packages page, though I'm not a UX guy, maybe that would just add confusion. But this CVE page, with the domain "people.canonical.com", linking to launchpad pages, doesn't look like it's made for users. You could make some improvements to make it more user friendly like the packages page. You could make it explicit: "Here's the packages you need to upgrade. Here's the command to run to upgrade your whole system. Here's the command to upgrade just this package." As it stands, this doesn't even tell you what binary packages to get (libc6, I think? I'm still not even sure!), this just lists the source package (glibc). And, change "DNE" and "pending" to indicators that are more clear to us. Or, make a new page if this one is not meant for users.
For security stuff (not just Ubuntu by any means), all sorts of useful information is scattered all over the place. To name a few questions that I never determined clear answers to:
* What about this Android MMS attack that was supposed to be catastrophic and so easy to mount, that supposedly like half of all Android users are still vulnerable to? We've not heard of a single actual exploit in the wild. Where's some sort of official source downgrading its severity?
* If the libpng thing was such a fiasco, why were there no updates in Ubuntu for so long? Did it turn out not to be such a serious attack vector? Where's the documentation on that determination?
* For heartbleed: I recall having to poke around looking at the "built on" date for my openssl packages to see whether I was upgraded or not. That's not an acceptable state of affairs.
I'm not looking for answers to these particular questions now, I'm just wondering, why do we all have to rely on rumors and advice from random people in discussion forums for this stuff? There's a recent trend of understanding that improved UX can improve security (Signal, etc). Here's a good place to make some improvements, IMHO.
Sorry if I've come off as entitled here, it's just a source of irritation to me.
No, they were talking about marking glibc-2.22 as stable i.e., removing the tilde from the arches in the KEYWORDS of the ebuild.
glibc-2.22-r2 was released at the same time as glibc-2.21-r2 and it contains the fix for this issue. The Changelog merely says "misc upstream fixes" but I verified the relevant changes are there.
RHEL6 - https://rhn.redhat.com/errata/RHSA-2016-0175.html - update to glibc-2.12-1.166.el6_7.7.x86_64.rpm
RHEL7 - https://rhn.redhat.com/errata/RHSA-2016-0176.html - update to glibc-2.17-106.el7_2.4.x86_64.rpm
Debian - https://security-tracker.debian.org/tracker/CVE-2015-7547 Use "aptitude show libc6" - needs to be 2.19-18+deb8u3 (jessie), 2.21-8 (sid)
Ubuntu - http://people.canonical.com/~ubuntu-security/cve/2015/CVE-20...
SUSE - https://www.suse.com/security/cve/CVE-2015-7547.html
Interesting to note this tip:
While it is only necessary to ensure that all processes are not using the old glibc anymore, it is recommended to reboot the machines after applying the security upgrade.
From - https://lists.debian.org/debian-security-announce/2016/msg00...
Therefore at the very least you will need to restart anything which depends on glibc. This should give you a list of packages: