8

This vulnerability was found in glibc, see this hacker news post for more info.

As described in the debian bug tracker, the vulnerability was already patched in testing and unstable.

I'd like to patch it as early as possible, so is it possible to install the patched package from one of those versions and, if yes, how can I do so?

twall

5 Answers

13

No, installing packages from the wrong distribution version is not safe. Despite that, people seem to do it all the time (and usually break their systems in amusing ways). In particular, glibc is the most critical package on the system; everything is built against it, and if its ABI is changed then everything would have to be rebuilt against it. You should not expect software built against one version of glibc to work when another version is present.

And anyway, this vulnerability has been around for over 14 years, and despite all the yelling and screaming about it, it requires a fairly narrow set of circumstances to exploit. Waiting a day or two for a proper patch isn't likely to be a problem.

Michael Hampton
5

First of all, don't panic! The Debian devs will release an updated package as soon as possible, so all you have to do is upgrade after the patch has been released. To find out if it has been released, please don't run apt-get update every 5 minutes but subscribe to https://lists.debian.org/debian-security-announce/ and simply wait for the email to hit your inbox.

Han
1

The update for glibc is already available in security updates for Debian 7. Check that security updates are enabled in sources.list. I am going to update my servers this evening.

remort
-2

Try this to install libc6:

sudo apt-get install libc6

then verify it:

apt-cache policy libc6

You may need to reboot your server after installing it.

Kevin Nguyen
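An added check, not code from any answer on this page, that covers the two verification steps above: it confirms that a Debian security source is enabled in sources.list and that the installed libc6 matches the candidate reported by `apt-cache policy libc6`, plus a helper that lists processes still mapping a replaced libc (the reason a restart is needed). Function names, sample inputs and version strings are constructed for this example; Debian 7 is "wheezy", so its security suite is `wheezy/updates`.

```shell
#!/bin/sh
# Example code, not from the original answers. Sample data below is constructed.

# Exit 0 if stdin (sources.list text) contains an uncommented "deb" line for
# security.debian.org with a <suite>/updates component (e.g. wheezy/updates).
security_source_enabled() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+[^#]*security\.debian\.org[^#]*[[:space:]][a-z]+/updates'
}

# Read "apt-cache policy libc6" output on stdin and print one word:
#   missing  - package not installed
#   ok       - Installed version equals Candidate (nothing newer offered)
#   outdated - a newer Candidate is available, run apt-get install libc6
libc6_state() {
    awk '
        /^[[:space:]]*Installed:/ { inst = $2 }
        /^[[:space:]]*Candidate:/ { cand = $2 }
        END {
            if (inst == "" || inst == "(none)") print "missing"
            else if (inst == cand)              print "ok"
            else                                print "outdated"
        }'
}

# Print PIDs whose mapped libc file has been replaced on disk ("(deleted)" in
# /proc/PID/maps). Those processes still run the old code until restarted,
# which is why a reboot (or service restarts) is needed after the upgrade.
stale_libc_processes() {
    grep -l 'libc-[0-9.]*\.so.*(deleted)' /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3
}

# Constructed sample inputs (version strings are placeholders, not real ones).
SOURCES_OK='deb http://ftp.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main'
SOURCES_COMMENTED='deb http://ftp.debian.org/debian wheezy main
# deb http://security.debian.org/ wheezy/updates main'
POLICY_OUTDATED='libc6:
  Installed: 2.13-38+deb7uOLD
  Candidate: 2.13-38+deb7uNEW'
POLICY_OK='libc6:
  Installed: 2.13-38+deb7uNEW
  Candidate: 2.13-38+deb7uNEW'

# Run the same checks against the live system when apt is present.
if command -v apt-cache >/dev/null 2>&1; then
    cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null \
        | security_source_enabled && echo "security source: enabled" \
        || echo "security source: NOT enabled"
    echo "libc6: $(apt-cache policy libc6 | libc6_state)"
    echo "processes on stale libc: $(stale_libc_processes | tr '\n' ' ')"
fi
```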
-3

Turn off the UseDNS option in your SSHD config.

HBruijn
  • Any particular reason this was downvoted? Doesn't it help to mitigate ghost? – WooDzu Jan 28 '15 at 08:48
  • Too many packages might be affected by this bug, for example exim4 seems to be vulnerable to this issue. However, according to Qualys the following packages are **not** vulnerable: `apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd` (http://seclists.org/oss-sec/2015/q1/283) – Tombart Jan 28 '15 at 12:10