# Status of GHOST vulnerability? CVE-2015-0235

## planet-admin

As noted all over the internet today:

http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/

http://www.openwall.com/lists/oss-security/2015/01/27/9

http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/

There is a significant vulnerability. While we know that Gentoo is a rolling release, it would be good to know exactly what version of glibc we can consider as having been safe if it or greater is installed. What is the official stance on this?

Thanks,

Michael

----------

## saellaven

>=sys-libs/glibc-2.18 is safe. 2.19-r1 is stable on all platforms except mips (where no glibc is stable)

----------

## P1neapple

So we are safe if we use 2.19-r1? Good.

----------

## titanofold

*P1neapple wrote:*

> So we are safe if we use 2.19-r1? Good.

You are safe if you're using 2.18 even.

----------

## depontius

*titanofold wrote:*

> *P1neapple wrote:*
> > So we are safe if we use 2.19-r1? Good.
>
> You are safe if you're using 2.18 even.

Back in August I jumped from 2.17 to 2.19. Someone else on Phoronix said that 2.19 actually became stable on July 29.

----------

## shanew

My impression, though, is that anything statically compiled with a vulnerable version of glibc will still be vulnerable regardless of the glibc version currently installed on your system.  Admittedly, statically compiled packages are probably pretty rare on a "normal" computer, but embedded systems or installs that need to squeeze into small footprints might be another story.

So, two questions: 1. Can someone confirm or deny my impression? 2. How would one go about finding statically linked binaries on a Gentoo system?

```
equery h static
```

seemed like a good start, but that only tells me whether a package has such a flag, not whether it's set.

```
eix '-I*' -e --installed-with-use static --format '<installedversions:NAMEVERSION>'
```

seems to be closer, but I wonder if I'm still missing something?

Oh, and I guess even with that I'd like a way to check what version of glibc it was compiled against, and I don't even know where to start with that.

----------
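
One way to act on shanew's two questions above (which static binaries are installed, and which glibc each was built against), as an added example that is not from any poster in this thread. It assumes GNU coreutils, GNU find and binutils `readelf`, and that a static glibc link carries the "GNU C Library ... release version X.Y" banner; binaries without that banner are reported as unknown rather than judged, and the fixed version is the >=2.18 stated earlier in the thread.

```shell
#!/bin/sh
# Added example: list statically linked ELF executables and report the glibc
# release banner baked into each, so binaries built against a glibc older
# than the fixed one can be found after the system glibc has been upgraded.
# Assumes GNU coreutils (od, sort -V), GNU find and binutils readelf.

FIXED_GLIBC="2.18"   # per the thread: >=sys-libs/glibc-2.18 is fixed

# True when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# True when an ELF file has no PT_INTERP program header, i.e. it requests no
# dynamic loader, which is the signature of a statically linked binary.
is_static_elf() {
    is_elf "$1" || return 1
    command -v readelf >/dev/null 2>&1 || return 1   # cannot tell without readelf
    ! readelf -lW "$1" 2>/dev/null | grep -q 'INTERP'
}

# Print the version from the banner a static glibc link carries, e.g.
# "GNU C Library (Gentoo 2.19-r1 p2) stable release version 2.19, by ...".
# Prints nothing for binaries without it (other libcs, stripped banners).
glibc_version_of() {
    grep -ao 'GNU C Library[^,]*version [0-9][0-9.]*' "$1" 2>/dev/null \
        | sed 's/.*version //' | head -n 1
}

# True when version $1 is at least FIXED_GLIBC (sort -V orders 2.9 < 2.18).
is_fixed_version() {
    [ "$(printf '%s\n%s\n' "$FIXED_GLIBC" "$1" | sort -V | head -n 1)" = "$FIXED_GLIBC" ]
}

# Walk the given directories; one line per static ELF executable:
# path, embedded glibc version (or "unknown"), and a verdict.
scan_static_glibc() {
    find "$@" -type f -perm -u+x 2>/dev/null | while read -r f; do
        is_static_elf "$f" || continue
        v=$(glibc_version_of "$f")
        if [ -z "$v" ]; then verdict="unknown-libc"
        elif is_fixed_version "$v"; then verdict="fixed"
        else verdict="NEEDS-REBUILD"
        fi
        printf '%s\t%s\t%s\n' "$f" "${v:-unknown}" "$verdict"
    done
}

# Example run: scan_static_glibc /bin /sbin /usr/bin /usr/sbin /usr/libexec
```

A "NEEDS-REBUILD" line means the package should be re-emerged against the current glibc; "unknown-libc" covers static binaries linked against musl, uclibc or similar, which this bug does not concern.

----------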

## grant123

Why isn't this here:

http://www.gentoo.org/security/en/glsa/index.xml

----------

## Hu

*grant123 wrote:*

> Why isn't this here:
>
> http://www.gentoo.org/security/en/glsa/index.xml

Since the most recent entry currently on that page is from December, perhaps the maintainer for that page simply has not had time to update it. Also, as a rolling release distribution, any well maintained Gentoo system will already have upgraded to the fixed glibc version before the bug was announced as a security issue, so a GLSA is far less urgent than in the case of bugs like Heartbleed and Shellshock where the default configuration of an updated system was easily vulnerable at the time those bugs were announced.

----------

## F_

See the Gentoo vulnerability discussions here:

CVE-2013-7423

CVE-2015-0235

Best Regards,

F_

----------

