# GHOST vulnerability

## ctcp

Hi, when I run the following command:

```
ldd --version
```

I see that my version of libc is 2.3.6:

```
ldd (GNU libc) 2.3.6
Copyright (C) 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```

Is this version vulnerable? And... if this is vulnerable, how do I fix it?

Edit:

My Gentoo version is:

```
Gentoo Base System version 1.6.14
```

Thanks.

----------

## F_

You should be fine. Take a look at the following bug list entries:

CVE-2013-7423

CVE-2015-0235

Versions prior to 2.20 are vulnerable to this issue.

Best Regards,

F_

----------

## Jaglover

I wouldn't say ctcp is fine. The box he is referring to seems to be severely out of date. Which means lots of unpatched vulnerabilities.

----------

## eccerr0r

If you have app-portage/gentoolkit installed,

```
$ glsa-check -l affected
```

But yes, on an almost 10-year-old box there are probably a lot of potential issues... and it's also a candidate for a fresh reinstall...

----------

## ctcp

This is the result:

```
# glsa-check -l affected
!!! /etc/make.profile is not a symlink and will probably prevent most merges.
!!! It should point into a profile within /usr/portage/profiles/
!!! (You can safely ignore this message when syncing. It's harmless.)
Traceback (most recent call last):
  File "/usr/bin/glsa-check", line 148, in ?
    myglsa = Glsa(x, glsaconfig)
  File "/usr/lib/gentoolkit/pym/glsa.py", line 414, in __init__
    self.read()
  File "/usr/lib/gentoolkit/pym/glsa.py", line 432, in read
    self.parse(urllib.urlopen(myurl))
  File "/usr/lib/gentoolkit/pym/glsa.py", line 470, in parse
    self.description = getText(myroot.getElementsByTagName("description")[0], format="xml")
  File "/usr/lib/gentoolkit/pym/glsa.py", line 233, in getText
    return str(rValue)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2019' in position 8: ordinal not in range(128)
```

----------

## eccerr0r

You need to emerge --sync before running glsa-check.  And hope that the out of date components still work...

Also need to fix your make.profile link since it appears your old profile has now been deleted?  eselect profile list; eselect profile set XYZ ...

----------

## Ant P.

GHOST is the least of your problems right now.

----------

## Jaglover

Alright, let's spell it out.

Unless you want all the fun of fractional upgrades (you really must know what you are doing) the only alternative is backing up your configuration and re-installing.

----------

## eccerr0r

 *Ant P. wrote:*   

> GHOST is the least of your problems right now.

I'm sure he'll finally notice the hole he dug and freak out when he sees glsa-check return pages upon pages of vulnerabilities :D

----------

## F_

 *F_ wrote:*   

> You should be fine. Take a look at the following bug list entries:
> 
> CVE-2013-7423
> 
> CVE-2015-0235
> ...

 

Wow -- I totally missed that he was running 2.3..... not 2.30. Yeah, ctcp, you're definitely going to have to upgrade because you are about 27 versions of glibc behind.

----------
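The 2.3.6-versus-2.30 mix-up in this thread comes from reading a version as a decimal number; the following added example (not from any post) compares the dot-separated components numerically against the 2.20 figure quoted above. Function names are hypothetical, and a version number alone does not account for fixes a distribution has backported.

```shell
#!/bin/sh
# Added example, not from the thread. THRESHOLD is the "prior to 2.20" figure
# quoted in the thread; function names are hypothetical.
THRESHOLD=2.20

# Pull the version from the first line of `ldd --version` output.
glibc_version_from() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# WRONG: treats the version as a decimal number, so 2.3.6 becomes 2.3,
# which is numerically greater than 2.20 (= 2.2).
naive_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !((a + 0) < (b + 0)) }'
}

# RIGHT: compare dot-separated components as integers, left to right.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Classify captured `ldd --version` output against THRESHOLD.
classify_glibc() {
    v=$(glibc_version_from "$1")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if version_lt "$v" "$THRESHOLD"; then
        echo "$v older-than-$THRESHOLD"
    else
        echo "$v not-older-than-$THRESHOLD"
    fi
}

# Constructed sample: first line of the output posted in the thread.
classify_glibc 'ldd (GNU libc) 2.3.6'
```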

