Packages in question that need updating:
glibc-headers-2.12-1.149.shmz65.1.1.x86_64
glibc-devel-2.12-1.149.shmz65.1.1.x86_64
glibc-common-2.12-1.149.shmz65.1.1.x86_64
glibc-2.12-1.149.shmz65.1.1.x86_64
Upgrade to the 10.13.66 track and you will get glibc right from upstream RHEL. The SHMZ one was back in the older version, as upstream was not patching for an older vuln fast enough, so we built our own.
Tony, I’m on 10.13.66 and nothing has shown up yet via yum update. I picked up updated glibc and other packages for another machine running CentOS 7 this morning.
If I look at http://mirror.centos.org/centos/6.6 it appears that it has been deprecated in favour of 6.7 and is no longer receiving updates. The readme file in that folder reads:
This directory (and version of CentOS) is deprecated. For normal users,
you should use /6/ and not /6.6/ in your path. Please see this FAQ
concerning the CentOS release scheme:
https://wiki.centos.org/FAQ/General
If you know what you are doing, and absolutely want to remain at the 6.6
level, go to http://vault.centos.org/ for packages.
Please keep in mind that 6.0, 6.1, 6.2, 6.3, 6.4 , 6.5 and 6.6 no longer gets any updates, nor
any security fix's.
If I understand your post then the Distro is just picking up whatever updates are in the CentOS system for 6.6. If 6.6 has been deprecated then does this mean that we won’t see any more updates from CentOS and that this issue will remain unpatched?
Andrew,
Thanks for the reply. Do you have a timeframe for a 6.7 upgrade? I don’t like having unpatched vulnerabilities on production systems if I can help it.
Greg
Thanks for providing the updated glibc packages. My understanding is that many apps that were compiled with the vulnerable glibc versions will need to be recompiled. Will those updated packages be backported as well?
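Added example (not from any poster in this thread): whatever a given binary needs, any long-running process that was started before the updated glibc RPMs were installed still has the old /lib64/libc-2.12.so mapped until it is restarted, and the kernel marks that stale mapping "(deleted)" in /proc/<pid>/maps. The script below finds such PIDs; PROC_ROOT and the sample /proc tree are constructed here so it can be exercised offline (run it with PROC_ROOT unset to scan the real /proc).

```shell
#!/bin/sh
# Find processes still running on a replaced (unlinked) libc.
# PROC_ROOT defaults to /proc; it is overridable so the functions can be
# pointed at a constructed directory tree for demonstration.
PROC_ROOT=${PROC_ROOT:-/proc}

# libc_still_old PID -> exit 0 if PID maps a libc that has been deleted
# (i.e. replaced on disk by the package update), 1 otherwise.
libc_still_old() {
    maps="$PROC_ROOT/$1/maps"
    [ -r "$maps" ] || return 1          # unreadable (not root) or gone
    grep -q 'libc-[0-9.]*\.so.*(deleted)' "$maps"
}

# stale_libc_pids -> print every PID whose libc mapping is stale, one per line.
# Such services must be restarted to actually run on the patched library.
stale_libc_pids() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        libc_still_old "$pid" && echo "$pid"
    done
}

# Constructed sample /proc tree (hypothetical PIDs and addresses) so the
# check can be demonstrated without a live update.
make_sample_proc() {
    root=$1
    mkdir -p "$root/101" "$root/202"
    # PID 101: started before the update; old libc unlinked but still mapped
    printf '%s\n' \
      '7f1a0c000000-7f1a0c1a0000 r-xp 00000000 fd:01 1311 /lib64/libc-2.12.so (deleted)' \
      '7f1a0c1a0000-7f1a0c3a0000 ---p 001a0000 fd:01 1311 /lib64/libc-2.12.so (deleted)' \
      > "$root/101/maps"
    # PID 202: restarted after the update; maps the new library file
    printf '%s\n' \
      '7f2b0d000000-7f2b0d1a0000 r-xp 00000000 fd:01 1450 /lib64/libc-2.12.so' \
      > "$root/202/maps"
}
```

On a real host run it as root, since /proc/<pid>/maps of other users' processes is not readable otherwise; an empty result means every process already uses the on-disk library.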
In a later post, Qualys researchers enumerated apps they believed were not vulnerable. The list included Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.
Thanks for correcting me. My information came from this article:
Some apps that were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library, a process that will take time as users wait for fixes to become available from hardware manufacturers and app developers.
The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that use Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.
What about an update for FreePBX 6.12.65, which appears to still be supported and offered for download? The glibc package here is glibc-2.12-1.149.shmz65.1.1.x86_64. Will those of us on the 6.12.65 track receive this security update?