29 January 2015
We recently became aware of a critical glibc vulnerability, nicknamed GHOST. We have completed the patch to protect our systems but advise onsite Mingle customers to also protect themselves as soon as possible. You can read Qualys’s analysis of Ghost here.
GHOST (CVE-2015-0235) is a heap-based buffer overflow bug that affects glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. It affects all Linux systems dating back to 2000. Qualys found it back in May 21, 2013 (between glibc-2.17 and glibc-2.18) and wrote a patch, but because the vulnerability was not considered a security threat, “most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04.”
According to the Qualys blog, GHOST allows attackers to locally or “remotely take complete control of the victim system without having any prior knowledge of system credentials.”
Red Hat Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
Qualys advisory https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt