
Due to the recent GHOST vulnerability I was trying to upgrade the glibc version on our RHEL4.

The command I tried using was: rpm -Uvh glibc-2.3.4-2.57.x86_64.rpm

Result was:

[root@rhel4-test ~]# rpm -Uvh glibc-2.3.4-2.57.i686.rpm
warning: glibc-2.3.4-2.57.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing...                ########################################### [100%]
        package glibc-2.3.4-2.57 is already installed

The changelog on the RedHat support site seems pretty old although the version matches.

Has anyone managed to upgrade RHEL4 against the GHOST (CVE-2015-0235) vulnerability?

HBruijn
Yaron

8 Answers


RHEL 4 is in what Red Hat calls Extended Life Phase.

...For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No security fixes, bug fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.

You can buy an Extended Life Cycle Support (ELS) subscription add-on for extended support.

Available during the Extended Life Phase of the product life cycle for Red Hat Enterprise Linux 4 and 5, the Extended Life Cycle Support Add-On delivers critical-impact security fixes and selected urgent-priority bug fixes that are available and qualified for the latest versions of a published subset of packages in a specific major release of Red Hat Enterprise Linux after the end of the Production 3 Phase.

If you have an ELS subscription, there is an update available as RHSA-2015:0101-1.

Your RHEL 4 system needs to be subscribed to the correct channels in the RHN portal or with your Satellite server, and then you run up2date -u glibc.

HBruijn
  • I have that subscription, still can't find it, this machine is not connected to the internet so I can't use the command provided. (No Satellite as well) – Yaron Jan 29 '15 at 13:25
  • 3
    Then contact Red Hat support. I don't have any ELS subscriptions active in my account for RHN classic, but you should be able to browse the ELS channel and download packages manually IIRC. [This](https://access.redhat.com/documentation/en-US/Red_Hat_Network/5.0.0/html/Reference_Guide/s1-sm-channels-packages.html) looks like what I remember RHN classic looking like. There should be an ELS child channel under RHEL4 I recon. – HBruijn Jan 29 '15 at 13:39
3

Sasha has it almost right, and since I can't comment I'll post this as a standalone answer.

Ignoring dependency errors is a Very Bad Idea™. It's also unnecessary in this case since there's an updated version of nscd to go along with glibc.

The patched glibc packages are indeed available from Oracle, and I've confirmed that installing them patches the GHOST vulnerability. I suggest downloading all packages related to the patched glibc, then upgrading only ones that are already installed on your system with RPM freshen.

For 32 bit:

wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-2.3.4-2.57.0.1.el4.1.i686.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-common-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-devel-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-headers-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-profile-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-utils-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/nscd-2.3.4-2.57.0.1.el4.1.i386.rpm

sudo rpm -Fvh *.rpm

For 64 bit:

wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-2.3.4-2.57.0.1.el4.1.i686.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-common-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-devel-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-headers-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-profile-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-utils-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/nscd-2.3.4-2.57.0.1.el4.1.x86_64.rpm

sudo rpm -Fvh *.rpm

Afterwards, restart any running services that use glibc. You can get a list of these by running lsof | grep libc | awk '{print $1}' | sort | uniq. Depending on your situation, it's probably easier to simply restart the whole server.
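The lsof one-liner above lists every process with a libc mapping, patched or not. A more precise way to find what still needs a restart after the upgrade is to look only for processes whose mapped libc is the old, now-unlinked file, which lsof reports with a trailing "(deleted)". The script below is an added example, not code from any answer on this page; the lsof lines it parses are constructed for the demonstration, and the function is meant to be fed real output with `lsof -n | stale_libc_procs` on the patched host.

```shell
#!/bin/sh
# Added example: after an in-place glibc upgrade, processes that were started
# before the upgrade keep the OLD libc mapped. lsof shows such mappings with
# the file name followed by "(deleted)". Those processes are the ones that
# still run vulnerable code and must be restarted.

# Read lsof output on stdin; print "COMMAND PID" for each process that still
# maps a deleted libc-*.so / libc.so.* file. The pattern /libc[-.]/ matches
# libc-2.3.4.so and libc.so.6 but not libcrypt or libcrypto.
stale_libc_procs() {
    awk '$NF == "(deleted)" && $0 ~ /libc[-.]/ { print $1, $2 }' | sort -u
}

# Constructed sample of lsof output (not captured from a real host): sshd and
# two httpd workers still map the deleted old libc, crond already maps the new
# file, and bash maps a deleted libcrypt, which is not what we are after.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd     1234 root   mem   REG  253,0  1512712 123456 /lib64/tls/libc-2.3.4.so (deleted)
httpd    2345 apache mem   REG  253,0  1512712 123456 /lib64/tls/libc-2.3.4.so (deleted)
httpd    2346 apache mem   REG  253,0  1512712 123456 /lib64/tls/libc-2.3.4.so (deleted)
crond    3456 root   mem   REG  253,0  1512800 654321 /lib64/tls/libc-2.3.4.so
bash     4567 root   mem   REG  253,0   120000 777777 /lib64/libcrypt-2.3.4.so (deleted)'

# Run the filter over the constructed sample so the behaviour can be checked
# offline. On a real system use:  lsof -n 2>/dev/null | stale_libc_procs
demo_stale() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_libc_procs
}

# Number of stale processes in the sample (3: sshd and the two httpd workers).
demo_stale_count() {
    demo_stale | awk 'END { print NR }'
}

demo_stale
```

The output names the service processes to restart (sshd, httpd in the sample) and leaves out processes that already picked up the new library. If the list is long or includes init-level daemons, the answer's advice to reboot the whole server is the simpler path.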


If you do not have a RHEL subscription, Oracle was kind enough to release updated packages for your old RH4 box.

For both (i386 and X86_64) systems do:

mkdir glibc2015
cd glibc2015

For i386 system do:

wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-2.3.4-2.57.0.1.el4.1.i686.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-common-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-devel-2.3.4-2.57.0.1.el4.1.i386.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/getPackage/glibc-headers-2.3.4-2.57.0.1.el4.1.i386.rpm

For X86_64 system do:

wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-2.3.4-2.57.0.1.el4.1.i686.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-common-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-devel-2.3.4-2.57.0.1.el4.1.x86_64.rpm
wget http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/getPackage/glibc-headers-2.3.4-2.57.0.1.el4.1.x86_64.rpm

For all systems:

rpm -Uvh glibc*rpm

If you get an error about nscd depending on glibc, it is OK to do:

rpm -Uvh glibc*rpm --nodeps

Remember to restart all network aware services after the update. If you are unsure which services, it might not hurt just to restart the server.

Sasha

There is a patch, the RPM should be glibc-2.3.4-2.57.el4.2.i686.rpm.
See: https://rhn.redhat.com/errata/RHSA-2015-0101.html

faker

I have found in the past there have been viable options for building RHEL4 packages using the source found in Oracle Linux releases. https://oss.oracle.com/el4/SRPMS-updates/?C=M;O=D Just in case you can't make RHN work. You may have to wait a little while (couple of days) for a new src.rpm to show up.

Dave

I have mirrored RPMs at http://users.axess.com/rickm/glibc for el4.

Note: I am just mirroring them for someone in Brazil. The full source and spec file is available if you don't trust them.

Tested so far on CentOS 4.6 and 4.9.

Rebooted cleanly and reported as not vulnerable.

HopelessN00b

Most servers I have run across aren't actually running nscd.

ps ax | grep nscd

Or chkconfig --list nscd

If both of those show that it isn't running, it is safe to do a yum remove nscd (and nss_ldap) and then rpm -Uv glibc-*

I'm just a mirror, I did not create the RPMs.

Edit: I just looked and Oracle Linux has indeed updated their repo today. Better off to use theirs instead. See the above post on where to get it.

Regards,

Rick