Here to spice up your Wednesday is a new ‘mega bug’ in Linux. The vulnerability potentially affects hundreds of thousands of Linux users and has the internet all of a bother. While it’s still in the early stages and it could well be a case of overegging the pudding (there isn’t even a cool name yet) there may be things you need to do to ensure you’re protected; here’s what you need to know.
CVE-2015-7547 is a flaw in the glibc library of commonly used open source code. It could potentially be exploited by attackers to gain remote access to devices like computers, ‘net routers, or other connected pieces of equipment. “Building blocks” of the web are also affected, including programming languages like PHP and Python, plus systems used when logging in to sites or accessing email. Basically, a whole mess of things.
The Google Security team and Red Hat discovered the buffer overflow bug in the getaddrinfo() domain-name lookup function. If that sounds like cray tech talk to you, then what you need to know is that a patch has been issued for it. Windows and OS X aren’t affected, and neither is Google’s Android mobile operating system, but be careful about smaller connected devices and a few other bits and pieces like Bitcoin software.
There’s quite a lot of info knocking about the internet about how this is potentially catastrophic and will probably come into your home, steal your firstborn, blow up a nuclear power plant and sass your mum, but it’s not quite that bad.
“It’s not a sky-is-falling scenario,” said Washington D.C.-based security researcher Kenneth White. “But it’s true there’s a very real prospect that a sizable portion of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others.”
We’ve already emailed our clients and notified them that we’re in the process of patching everyone; if you are one of our clients you’ll need to reboot to complete the process, but we’ll send you a notification when the time is right.
Non-UKFasters – update your system when you can. The issue affects versions of glibc since 2.9 but they’re recommending updating all versions anyway.
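A quick way to check both points above (the affected version range, and why a reboot follows the patch) on a Linux box with /proc, as an added example that is not part of the original post. The function names and the sample maps text are made up for illustration.

```python
import os
import re

AFFECTED_SINCE = (2, 9)  # lower bound quoted in the post ("since 2.9")
# libc path at the end of a /proc/<pid>/maps line, with an optional "(deleted)" tag
LIBC_LINE = re.compile(r"(/\S*/libc(?:-[\d.]+)?\.so(?:\.\d+)?)(\s+\(deleted\))?\s*$")

# Constructed sample: a daemon started before the update still maps the old libc.
SAMPLE_MAPS = """\
00400000-004f4000 r-xp 00000000 08:01 131090 /usr/sbin/sshd
7f3c1a000000-7f3c1a1bb000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3c1a5c0000-7f3c1a5e3000 r-xp 00000000 08:01 262180 /lib/x86_64-linux-gnu/ld-2.19.so
"""

def in_affected_range(version_text):
    """True if a string such as 'glibc 2.19' is at or above 2.9.
    Distributions backport fixes without changing this number, so True means
    'confirm the installed package is patched', not 'vulnerable'."""
    m = re.search(r"(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no version number in %r" % version_text)
    return (int(m.group(1)), int(m.group(2))) >= AFFECTED_SINCE

def stale_libc(maps_text):
    """libc paths a process still maps although the file was replaced on disk."""
    hits = (LIBC_LINE.search(line) for line in maps_text.splitlines())
    return sorted({m.group(1) for m in hits if m and m.group(2)})

def scan_proc(proc_root="/proc"):
    """Map pid -> stale libc paths for every process whose maps file is readable."""
    found = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                paths = stale_libc(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if paths:
            found[int(entry)] = paths
    return found

if __name__ == "__main__":
    print("sample:", stale_libc(SAMPLE_MAPS))
    try:
        version = os.confstr("CS_GNU_LIBC_VERSION")  # e.g. "glibc 2.19"
        print(version, "in affected range:", in_affected_range(version))
    except (ValueError, TypeError, OSError):
        print("not a glibc system")
    for pid, paths in sorted(scan_proc().items()):
        print("pid %d still maps %s: restart it or reboot" % (pid, paths))
```

Run it as root after updating; any process it lists is still running the old library code until it is restarted.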
If you have any concerns just give your account manager a call!