Which Ubuntu releases have fixes for CVE-2015-7547 ("Extremely Severe Bug" with libc getaddrinfo())? [duplicate]

Ars Technica posted an article describing the getaddrinfo() bug and how it is widespread in the Linux world.

The vulnerability was introduced in 2008 in GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware.

Source: http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

Question: In which general distribution versions of Ubuntu has this bug been fully addressed/corrected?


Like any security patch, it has been patched in all supported versions of Ubuntu. It's pushed through both the security and updates repos for desktop installations. You just need to update in your normal way. If you have automatic updates turned on, this should install automatically.

Like kernel updates, libc updates usually require a reboot to fully take. However, weigh up how much risk you're actually at. To trigger this bug, an attacker essentially needs local network access, i.e. on your router or between you and your router, so while this has been talked up a lot, the risk of actual damage is still quite low for most people on their home networks. If you roam around on other networks, you're immediately in a higher risk bracket.

I don't know how Ubuntu Touch factors into standard update procedures.

http://www.ubuntu.com/usn/usn-2900-1/

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
    libc6 2.21-0ubuntu4.1 
Ubuntu 14.04 LTS:
    libc6 2.19-0ubuntu6.7 
Ubuntu 12.04 LTS:
    libc6 2.15-0ubuntu10.13 

16.04 (in development) will likely have a separate update come through the standard channel. Older, unsupported releases will remain vulnerable unless you patch them yourself.


Patched versions are available for all supported Ubuntu releases, namely 12.04, 14.04 and 15.10.

The relevant patched versions are:

Ubuntu 15.10:
    libc6 2.21-0ubuntu4.1 
Ubuntu 14.04 LTS:
    libc6 2.19-0ubuntu6.7 
Ubuntu 12.04 LTS:
    libc6 2.15-0ubuntu10.13 

You just need to upgrade the libc6 package:

sudo apt-get update && sudo apt-get install libc6

Check: http://www.ubuntu.com/usn/usn-2900-1/


To check if your system is affected:

ldd --version

Affected versions will have an output like this:

ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19

To upgrade glibc run either:

sudo apt-get update && sudo apt-get install libc6 && sudo apt-get install libc-bin

or

sudo apt-get update && sudo apt-get upgrade

After this you must restart the services that depend upon glibc, or (the best option) reboot the box.

After this if you check again with:

ldd --version

The output should be like:

ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19
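As an added example (not from any of the answers above), a small POSIX shell script that turns the manual `ldd --version` check into a pass/fail test against the fixed libc6 versions listed in USN-2900-1. The release numbers, the sample `ldd` lines in the comments and the numeric fallback comparison are assumptions for illustration; on a real Ubuntu host the real `dpkg --compare-versions` is used when present.

```shell
#!/bin/sh
# Added example: is the installed libc6 at or above the USN-2900-1 fix for CVE-2015-7547?

fixed_libc6_for_release() {
    # $1: Ubuntu release number. Prints the first fixed libc6 version from USN-2900-1,
    # fails for releases the advisory does not cover (e.g. unsupported or in-development ones).
    case "$1" in
        15.10) echo "2.21-0ubuntu4.1" ;;
        14.04) echo "2.19-0ubuntu6.7" ;;
        12.04) echo "2.15-0ubuntu10.13" ;;
        *) return 1 ;;
    esac
}

version_ge() {
    # Returns 0 if Debian package version $1 >= $2.
    # Prefers dpkg's own comparison; the awk fallback compares numeric fields only,
    # which is enough for the "X.Y-0ubuntuA.B" strings in this advisory (assumption:
    # not full Debian version semantics, e.g. no epochs or tildes).
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
        return $?
    fi
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0; if (p < q) exit 1
        }
        exit 0 }'
}

libc6_version_from_ldd() {
    # $1: first line of `ldd --version`, e.g. "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19".
    # Prints the package-style version inside the parentheses (last word).
    printf '%s\n' "$1" | sed -n '1s/.*(\([^)]*\)).*/\1/p' | awk '{ print $NF }'
}

cve_2015_7547_status() {
    # $1: release number, $2: first ldd line. Prints fixed / vulnerable / unknown-release.
    fixed=$(fixed_libc6_for_release "$1") || { echo unknown-release; return 2; }
    have=$(libc6_version_from_ldd "$2")
    if version_ge "$have" "$fixed"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Live check on an Ubuntu host (constructed lines are used in the comments above):
# cve_2015_7547_status "$(lsb_release -rs)" "$(ldd --version | head -n 1)"
```

The remaining caveat from the answers still applies: a "fixed" result only means the file on disk is patched; long-running processes keep the old glibc mapped until restarted or the box is rebooted.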