Extremely severe bug leaves dizzying number of software and devices vulnerable

Only affects glibc (>= 2.9), which Asus don't use AFAIK. I think Asus use uClibc.
 
glibc is rarely used in routers and other embedded devices, because it has a pretty high memory footprint. Most of these use uClibc and musl instead.
 
Still worthwhile to check backend services if one is port-forwarding hosts (or VPN connections).

Patches are already out for most major Linux distributions - which will be a bit disruptive for some, as it's a reboot event - concern here is the same as what we saw with the old Ghost glibc bug for apps that static link (e.g. built in, rather than using the system level C library).
 
For those looking for instructions/tips on how to check/update your servers, see the link below:
http://www.cyberciti.biz/faq/linux-...libc-getaddrinfo-stack-based-buffer-overflow/
That is a nice Linux site with a newsletter if you want to subscribe (once a week or so). I would agree that most actual devices (i.e., not servers/PCs/virtual machines) are using the smaller custom versions of glibc, so it shouldn't be a concern for most "devices". If you read the Ars article (big fan of that site too), smartphones (Android or Apple) also use smaller or custom versions of the library and are not affected.
 
It's localized to glibc for now... uClibc/Bionic/libc/musl - they're all good - for now - but one knows that folks will start banging on the alt libs just the same for their 10 seconds of fame...

The bug has actually been implemented for a long time - not much different than the GHOST bug from some time back...

Most small footprint distros - not much impact, again, because the system level C-Lib isn't glibc - it's the closed source binaries that might statically link them... and for systems that did implement the GNU C Library, well, the fix is a bit painful, as it can be not just one package, but up to 6 at last count - and a reboot to clear out the old packages - ShellShock and Heartbleed were easier to deal with...
 
EdgeOS seems affected. ER-Lite and ER-X users might want to watch out. ubnt is speedy in response though. Patches already available. More details here.

I wonder if Entware-ng is affected as it's using glibc for anything but mips..
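
The two host checks raised in the thread (is the system C library glibc >= 2.9, and which processes still run the old library after patching, hence the reboot) can be scripted as below. This is an added example, not code from any poster or from the linked article; the function names are made up for illustration, and it needs root to read every process's maps.

```shell
#!/bin/sh
# Added example: triage one Linux host for the glibc issue discussed above.

# Exit 0 if VERSION (e.g. "glibc 2.19" from getconf) is glibc >= 2.9, the range
# quoted in the thread. Distros backport fixes without changing this number, so
# a match means "confirm the patched package is installed", not "vulnerable".
glibc_in_affected_range() {
    v=${1##* }                                   # "glibc 2.19" -> "2.19"
    case "$v" in *.*) ;; *) return 2 ;; esac     # not a dotted version
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%[!0-9]*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; }
}

# Print PIDs under PROCROOT whose maps still reference a libc file that has been
# replaced on disk ("(deleted)"): they keep running the old code until restarted.
stale_libc_pids() {
    for maps in "${1:-/proc}"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/libc[-.][^/]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Report for the local host.
ver=$(getconf GNU_LIBC_VERSION 2>/dev/null || true)
if glibc_in_affected_range "$ver"; then
    echo "system libc: $ver (>= 2.9, confirm the distro's fixed package is installed)"
else
    echo "system libc is not glibc >= 2.9 (getconf reported: '${ver:-nothing}')"
fi
for pid in $(stale_libc_pids /proc); do
    echo "pid $pid still maps the pre-update libc: restart the service or reboot"
done
```

Statically linked binaries map no libc file, so neither check sees them; those have to be rebuilt or replaced by whoever ships them.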
 
