Neither is any Linux system that has its security patches up
|
Author | Content |
---|---|
BFM Feb 18, 2016 11:50 PM EDT |
By the time something like this recent glibc problem hits these and other pages the bugs have been patched. We run Scientific Linux, Fedora, and Mint in our shop. They have all been patched. I get really tired of of people trying to move uninformed users to their favored solution because of problems that no longer exist. |
dotmatrix Feb 19, 2016 10:14 AM EDT |
I'm not so sure there weren't already problems. The bug affected DNS queries, and I've noticed plenty of oddities in DNS queries in the last few days. Perhaps some of those problems were related to the bug as 'bad actors' tried to compromise unpatched systems. Since much of the Internet runs GNU/Linux -- that's an awful lot of servers. And there are also an awful lot of GNU/Linux consumer grade routers that may be affected. Most of those routers will probably remain unpatched and continue to be affected. Be sure to watch for news items in the next year or so about consumer routers being compromised due to this bug. The bug may also serve as a wake up call to start rolling out DNSSEC. A full DNSSEC resolver would check the crypto signatures and 'null' the bug's effect. |
notbob Feb 19, 2016 11:22 AM EDT |
> The bug affected DNS queries, and I've noticed plenty of oddities in DNS queries in the last few days. Is that why I've been getting LXer's provider's website instead of the official LXer site? Heck, fer three days I though LXer let its domain name expire and the site was gone. What's up with that? |
seatex Feb 19, 2016 11:51 AM EDT |
> Heck, fer three days I though LXer let its domain name expire and the site was gone. Same here, and I thought the same thing. |
dotmatrix Feb 19, 2016 12:08 PM EDT |
This particular website is troublesome with DNS problems. Since there is no encryption, all login usernames and paswords are transmitted in clear text. This is not the best way to do things, but I only login from my own network so it's unlikely that there are too many snoopers capturing my login information. However, if the DNS records have been redirected for a few hours or so -- that very well could mean that many logins at Lxer are now compromised. I don't want to tell people how to do things, but Lxer should really be using TLS to protect login information. If there is a problem with using StartSSL certs, Lets Encrypt certs work to encrypt the traffic - and that would be a start. On the up side, it's likely that Lxer is not a big target for compromise. However, I definitely wouldn't recommend logging in here using a public unencrypted wifi connection. |
CFWhitman Feb 19, 2016 3:03 PM EDT |
"And there are also an awful lot of GNU/Linux consumer grade routers that may be affected. Most of those routers will probably remain unpatched and continue to be affected. Be sure to watch for news items in the next year or so about consumer routers being compromised due to this bug." The vast majority of Linux based consumer routers use either uClibc or musl rather than glibc and are thus unaffected by this bug. |
dotmatrix Feb 19, 2016 3:35 PM EDT |
Well... I didn't look carefully through the list, but here's Cisco's statement: Much of it looks like commercial product. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc |
JaseP Feb 19, 2016 5:42 PM EDT |
Yeah,... This bug only affected full blown GNU distros for the most part (including full distros used in commercial grade routing equipment). All embedded devices, including Android, were unaffected. It's once again "much ado about nothing." |
jdixon Feb 22, 2016 12:14 AM EDT |
Slackware's version of glibc isn't affected. There are sometimes advantages to not using the latest and greatest. |
CFWhitman Feb 22, 2016 3:01 PM EDT |
If you scroll down in the Cisco page to where it lists a chart of vulnerable products and hit "More..." it also gives a list of products confirmed not to be vulnerable, which is longer. By what you said I think you may have already noticed that the products listed as vulnerable are heavier duty products that do extra server or media related tasks, and thus use a heavier distribution of Linux which has glibc. That is, products aimed at businesses are more likely to have the vulnerability than consumer grade products (and, coincidentally, more likely to receive a patch). |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!