New GHOST Scaring Linux Users
The top story today is the news that a major security vulnerability has existed in glibc (the GNU C Library) since version 2.2. In other news, Charles H. Schulz previews LibreOffice 4.4 and Bruce Byfield looks at the state of Linux desktops. Speaking of desktops, KDE announced Plasma 5.2 saying it "adds a number of new components, many new features and many more bugfixes."
A new vulnerability affecting a lot of Linux systems was disclosed today, according to security audit firm Qualys, Inc. The flaw, dubbed GHOST because it is reached through the GetHost (gethostbyname) calls, exists in glibc 2.2 through 2.17 and allows an attacker to create a buffer overflow that can then be used to take over machines. Debian, Red Hat, and Ubuntu are reported to be among those with updates available. Major distributions were advised of the flaw some time ago and have been working with Qualys to patch it.
While the exploit wasn't as widespread as it might have been, Qualys said the fix that was made in May 2013 wasn't listed as a security update, so many long-term distribution versions hadn't made the switch until advised of the problem. The vulnerability involves calls that aren't used much anymore, according to Qualys, but Steven J. Vaughan-Nichols, writing on the subject today, said, "My advice to you is to now, not later today, now, update your Linux system since gethostbyname is called on by so many core processes, such as auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd, udevd, and xinetd."