Ubuntu – Which Ubuntu releases have fixes for CVE-2015-7547 (“Extremely Severe Bug” with libc getaddrinfo())?


Ars Technica posted an article describing the getaddrinfo() bug and how it is widespread in the Linux world.

The vulnerability was introduced in 2008 in GNU C Library, a collection of open
source code that powers thousands of standalone applications and most
distributions of Linux, including those distributed with routers and other
types of hardware.

Source: http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

Question: In which general distribution versions of Ubuntu has this bug been fully addressed/corrected?

Best Answer

  • Like any security patch, it has been patched in all supported versions of Ubuntu. It's pushed through both the security and updates repos for desktop installations. You just need to update in your normal way. If you have automatic updates turned on, this should install automatically.

    Like kernel updates, libc updates usually require a reboot to fully take. However, weigh up how much risk you're actually at. To trigger this bug, an attacker essentially needs local network access — i.e. on your router or between you and your router — so while this has been talked up a lot, the risk of actual damage is still quite low for most people on their home networks. If you roam around on other networks, you're immediately in a higher risk bracket.

    I don't know how Ubuntu Touch factors into standard update procedures.


    The problem can be corrected by updating your system to the following package version:

    Ubuntu 15.10:
        libc6 2.21-0ubuntu4.1
    Ubuntu 14.04 LTS:
        libc6 2.19-0ubuntu6.7
    Ubuntu 12.04 LTS:
        libc6 2.15-0ubuntu10.13

    16.04 (in development) will likely have a separate update come through the standard channel. Older, unsupported releases will remain vulnerable unless you patch them yourself.
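A practical follow-up to the answer above is checking whether a host actually runs one of the listed fixed libc6 versions. The pitfall is comparing Debian package versions as plain strings: "2.19-0ubuntu6.10" sorts before "2.19-0ubuntu6.7" lexicographically even though it is the newer package. The example below is added here and is not part of the original answer or of Ubuntu's tooling; it reimplements dpkg's version-comparison rules in Python so it runs anywhere, takes the fixed versions straight from the answer, and assesses a constructed host inventory. The inventory line format, the helper names and the sample hosts are assumptions made for this example.

```python
"""Decide whether an Ubuntu host's installed libc6 is at or above the
version carrying the CVE-2015-7547 fix, comparing versions the way dpkg
does rather than as plain strings.

Assumptions (not from the original answer): the inventory line format,
the function names and the sample hosts below are constructed for this
example.
"""

# Fixed libc6 versions quoted in the answer above, keyed by Ubuntu release.
FIXED_LIBC6 = {
    "15.10": "2.21-0ubuntu4.1",
    "14.04": "2.19-0ubuntu6.7",
    "12.04": "2.15-0ubuntu10.13",
}


def _order(ch):
    """Character weight used by dpkg: '~' sorts before everything (even
    end of string), letters by code point, other punctuation after letters."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """dpkg-style comparison of an upstream-version or revision string:
    alternate non-digit runs (weighted by _order) and numeric runs
    (compared numerically, so 6.10 > 6.7)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until a digit or the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then compare digit by digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def is_patched(release, installed):
    """True if the installed libc6 carries the fix, False if it is older,
    None if the release is not in the list (unsupported or not yet listed)."""
    fixed = FIXED_LIBC6.get(release)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


def assess_inventory(lines):
    """Constructed inventory format: '<host> <release> <libc6 version>',
    as one could gather with lsb_release -rs and
    dpkg-query -W -f='${Version}' libc6 on each host."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, release, version = line.split()
        state = is_patched(release, version)
        report[host] = "patched" if state else ("vulnerable" if state is False else "unknown-release")
    return report


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """
# host  release  libc6
web1    14.04    2.19-0ubuntu6.7
web2    14.04    2.19-0ubuntu6.6
build1  15.10    2.21-0ubuntu4.1
old1    10.04    2.11.1-0ubuntu7
""".splitlines()

if __name__ == "__main__":
    for host, state in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:8} {state}")
```

Hosts reported as "unknown-release" are exactly the case the answer warns about: an unsupported release gets no entry in the fixed list, so it stays vulnerable unless patched by hand, and the script deliberately refuses to call it either patched or vulnerable. Remember also that a patched package on disk does not mean running processes have the fix until they are restarted or the host is rebooted.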
