Sunday, October 24, 2010

Another glibc vulnerability

Last week, all Linux vendors were busy with a glibc vulnerability that struck them after Tavis Ormandy published a report along with working exploits. The patches were released quickly, as it is considered a critical hole, and people feel safe about it.

But hear me out. The saga is not over yet, as Tavis pointed out that there might be another vulnerability related to the previous one. This is discussed on this thread. I think another fix will be released next week.

Another vulnerability that struck Linux is the RDS exploit reported by Dan Rosenberg. The fix has been included in the Linux kernel, committed by Linus, but I think it will be backported into the -stable kernel by Greg in a short time.

I tried this exploit a few days ago on my Slackware box and it failed. I thought I got the wrong exploit, but evidently it's working on Ubuntu, openSUSE, and Fedora. Please be ready to hear an advisory from your vendors next week.