Critical Linux vulnerability, patch now

[Joe ODonnell]

A new security hole has been discovered in Linux that allows anyone to remotely take control of a system without knowing the username and password.

ITworld | January 27, 2015 

The discovery was made by Qualys, a cloud security company. The hole impacts any Linux system built with glibc-2.2 released on November 10, 2000. The vulnerability, called GHOST (CVE-2015-0235), is triggered by the gethostbyname function.

Actually there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.

http://www.itworld.com/article/2876098/linux-hit-by-critical-security-hole.html?phint=newt%3Ditworld_today&phint=idg_eid%3Dd02dce14f7d2a2b24a02f2b4ffd281a2#tk.ITWNLE_nlt_today_2015-01-28

http://www.openwall.com/lists/oss-security/2015/01/27/9

https://www.qualys.com/company/newsroom/news-releases/usa/2015-01-27-qualys-releases-security-advisory-ghost-vulnerability-linux-systems/?leadsource=23981072&mkt_tok=3RkMMJWWfF9wsRogvarNZKXonjHpfsX77%2BsuWaOg38431UFwdcjKPmjr1YYGScB0aPyQAgobGp5I5FEPQ7fYWa5pt6IJWQ%3D%3D

https://news.ycombinator.com/item?id=8953545