For Linux users (patch now!)

Author
TheMaartian
2016/02/17 08:20:14 (permalink)

From ZDNet this morning (17 Feb):
 
Patch Linux now, Google, Red Hat warn, over critical glibc bug
 
Google has disclosed details of an open-source bug in the GNU C Library affecting a large number of Linux distributions, software and devices.
 
Google and Red Hat have linked up to deliver a patch for a serious bug in the GNU C Library, or glibc, which is widely used in Linux applications, distributions and devices.
 
Anyone running a Linux server is likely to need to install the jointly-developed patch that fixes a critical flaw in the getaddrinfo function in glibc.
 
The vulnerability had until recently gone unnoticed but was actually introduced in version 2.9 of the open-source library, which was released in May 2008.
 
Google has detailed that the bug is a stack buffer overflow flaw in the function, which can be remotely exploited by causing a machine to run a DNS lookup and delivering a response in the form of UDP or TCP packets that exceed 2,048 bytes.
 
Google engineers said any software using getaddrinfo, "May be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack".
 
Like previous open-source bugs, this one also affects a large number of Linux distributions, software and devices.
 
"Pretty much any Linux system uses glibc, and getaddrinfo is typically used to resolve IP addresses. Which means Linux servers as well as workstations, are vulnerable unless it runs an old version of glibc (pre 2.9)," noted Johannes Ullrich, CTO of the SANS Internet Storm Center.
 
Ullrich initially believed Android devices are probably also affected by the bug. However, security researcher Kenn White has since pointed out Google opted for the glibc alternative Bionic C software for Android.
 
White also said there is a possibility that CentOS, Oracle, and Amazon Linux may be vulnerable to the glibc vulnerability.
 
Although Google engineers discovered the flaw independently, when they began assessing it they discovered the issue had been previously reported to glibc's maintainers and that engineers at Red Hat were also investigating the issue.
 
The two companies collaborated on the development and testing of the patch that was released on Tuesday.
 
Red Hat has confirmed that affected products include multiple versions of RHEL server, workstation and desktop products.
 
Google has developed exploit code for the flaw but is not making that software publicly available. However, it has published a proof of concept that can be used to test if systems are vulnerable.
 
"When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril," Google's engineers said.
 
They also noted that while remote code execution is possible, it would still require bypassing exploit mitigations such as address-space layout randomization.
post edited by TheMaartian - 2016/02/17 08:34:43

Intel i7 3.4GHz, 16 GB RAM, 2 TB HD Win10 Home 64-bit Tascam US-16x08
Studio One 4 Pro NotionMelodyne 4 Studio Acoustica 7 Guitar Pro 7
PreSonus FaderPort Nektar P6 M-Audio BX8 D2 Beyerdynamic DT 880 Pro
NI K9U XLN AK, AD2 AAS VS-2, GS-2, VA-2, EP-4, CP-2, OD Toontrack SD3, EZK
#1
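
The article above says the flaw is triggered by DNS responses, over UDP or TCP, that exceed 2,048 bytes. As an added detection example (not part of the original post or the article), the sketch below flags such responses in captured DNS payloads; the function names and the zero-padded sample messages are constructed for illustration.

```python
import struct

LIMIT = 2048  # size from the article: responses exceeding 2,048 bytes

def parse_header(msg):
    """Return (transaction id, is_response) from the DNS header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

def split_tcp(stream):
    """Split a DNS-over-TCP stream; each message has a 2-byte length prefix."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (size,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + size > len(stream):
            break  # incomplete trailing message, wait for more data
        msgs.append(stream[off + 2:off + 2 + size])
        off += 2 + size
    return msgs

def oversized_responses(udp_payloads, tcp_streams):
    """Return (transport, txid, size) for every response larger than LIMIT."""
    candidates = [("udp", p) for p in udp_payloads]
    for stream in tcp_streams:
        candidates += [("tcp", m) for m in split_tcp(stream)]
    hits = []
    for transport, msg in candidates:
        if len(msg) < 12:
            continue  # shorter than a DNS header; not a DNS message
        txid, is_response = parse_header(msg)
        if is_response and len(msg) > LIMIT:
            hits.append((transport, txid, len(msg)))
    return hits

def make_msg(txid, size, response=True):
    """Constructed sample: a 12-byte header followed by zero padding."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\0")

def framed(msg):
    """Add the 2-byte TCP length prefix to a constructed message."""
    return struct.pack("!H", len(msg)) + msg

# Constructed inputs: UDP payloads and one TCP stream carrying two messages.
SAMPLE_UDP = [make_msg(1, 512), make_msg(2, 2048), make_msg(3, 3000),
              make_msg(4, 3000, response=False)]
SAMPLE_TCP = [framed(make_msg(5, 100)) + framed(make_msg(6, 2100))]

print(oversized_responses(SAMPLE_UDP, SAMPLE_TCP))
```

A size hit is a triage signal rather than proof of an attack, since legitimate large responses exist; installing the patch remains the fix.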


    azslow3
    Re: For Linux users (patch now!) 2016/02/17 09:57:08 (permalink)
    That is a "very important" bug for end users, taking into account that all of the following conditions should be satisfied to see any effect of it:
    a) you should visit some site which intentionally has the exploit code on its domain DNS. So, that is going to be some "bad" Internet provider (end users cannot have DNS servers), with a known (real) name and address registered in the common world DNS system (so you can imagine how long it can run such a "service" till it is banned globally).
    b) you should either use a local resolver directly without your Internet provider's service as a proxy (which you never should do), or your Internet provider's proxy allows exploit delivery
    c) the "bad man" should have luck, maybe more than winning $1M in the lotto, to really run something bad on your computer instead of crashing your Firefox...
     
    PS. That is just my personal opinion

    Sonar 8LE -> Platinum infinity, REAPER, Windows 10 pro
    GA-EP35-DS3L, E7500, 4GB, GTX 1050 Ti, 2x500GB
    RME Babyface Pro (M-Audio Audiophile Firewire/410, VS-20), Kawai CN43, TD-11, Roland A500S, Akai MPK Mini, Keystation Pro, etc.
    www.azslow.com - Control Surface Integration Platform for SONAR, ReaCWP, AOSC and other accessibility tools
    #2
    clintmartin
    Re: For Linux users (patch now!) 2016/02/18 08:13:02 (permalink)
    I wonder if this is why my Fedora 23 laptop keeps crashing?

    Cakewalk, Harrison Mixbus 4, Waveform 9, ADK intel i7 2600 3.40 ghz, 8gb Ram, Win 7, Presonus Audiobox 44VSL. 
    http://www.youtube.com/c/clintmartinmusic
    https://itunes.apple.com/...lint-martin/1010966023
    https://open.spotify.com/artist/4x4TBz32i56bTJkgu7b4tN
     
     
     
    #3
    azslow3
    Re: For Linux users (patch now!) 2016/02/18 10:55:36 (permalink)
    clintmartin
    I wonder if this is why my Fedora 23 laptop keeps crashing?

    If only network applications crash when accessing a specific domain, then it can be. Otherwise unlikely.
     
    By the way, it looks like I am alone in thinking that it is not really critical...  Many 10000 computers in the HE Physics network alone are going to be rebooted tomorrow morning to install the patch

    Sonar 8LE -> Platinum infinity, REAPER, Windows 10 pro
    GA-EP35-DS3L, E7500, 4GB, GTX 1050 Ti, 2x500GB
    RME Babyface Pro (M-Audio Audiophile Firewire/410, VS-20), Kawai CN43, TD-11, Roland A500S, Akai MPK Mini, Keystation Pro, etc.
    www.azslow.com - Control Surface Integration Platform for SONAR, ReaCWP, AOSC and other accessibility tools
    #4