On 10/10/2023 21:58, Jamie MacIsaac via BitFolk Users wrote:
> Apologies for exposing my ignorance in public like this, but can somebody
> tell me how I'd know if my Debian Bookworm system has been patched to
> ensure it's no longer vulnerable to the "Looney Tunables" privilege
> escalation (https://www.debian.org/security/2023/dsa-5514)?
>
> The fix is apparently in the most recent glibc source package. I don't seem
> to have that glibc package installed (and it's a source package, not a
> binary?), but I read that stock installs of Debian (and most linuxes) are
> vulnerable. Which actual binary packages need to be updated to fix the
> vulnerability in the dynamic loader, and how does this relate to the source
> package?
Hello Jamie.
Good Linux communities are always open to questions and providing help.
According to https://security-tracker.debian.org/tracker/CVE-2023-4911 this
is fixed in the security release 2.36-9+deb12u3.
Make sure that you have the following line in /etc/apt/sources.list, or
in a file with a .list extension within the sources.list.d directory:

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
Run `apt update` and then `apt upgrade` and this should get that update
if you don't have it already.
As you saw, glibc-source is a source package which you are unlikely to
have unless you compile executables on that machine, and so I think the
main package you need to check is *libc-bin* (edit: and *libc6*).
To see what version you are running, run `apt show libc-bin` (and repeat
for libc6) and look at the 'Version' line.
In my case I'm still on Bullseye, but checking the package changelog
confirms that the version I have has been patched. The Bookworm
changelog is at
https://metadata.ftp-master.debian.org/changelogs/main/g/glibc/glibc_2.36-9…
Gavin
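The check Gavin describes, scripted so it can be dropped onto a host. This is an added example and is not code from the thread, from Gavin, or from Debian; it assumes a Debian bookworm host where dpkg and dpkg-query are available, takes the fixed version from the security-tracker entry cited above, and the variable and function names (FIXED_VERSION, glibc_binaries, version_is_fixed, check_host) are my own. It also answers the "source package vs binary package" part of the question: dpkg's ${source:Package} field tells you which installed binary packages were built from the glibc source package, which is the set the DSA actually updates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes a Debian bookworm
# host with dpkg/dpkg-query installed. FIXED_VERSION is the bookworm fix for
# CVE-2023-4911 from the Debian security tracker; other suites have their own
# fixed versions, so change it before using this on anything but bookworm.
FIXED_VERSION="2.36-9+deb12u3"

# Installed binary packages built from the glibc *source* package, printed one
# per line as "<binary> <installed-version>". ${source:Package} is how dpkg
# exposes the source-to-binary relation the original question asked about.
glibc_binaries() {
    dpkg-query -W -f='${Package} ${Version} ${source:Package}\n' 2>/dev/null \
        | awk '$3 == "glibc" { print $1, $2 }'
}

# Exit 0 when version $1 is at least FIXED_VERSION. Uses dpkg's own comparison
# rules, so that e.g. 2.36-9+deb12u10 correctly sorts above 2.36-9+deb12u3
# (a plain string comparison would get that wrong).
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Check the two packages that carry the dynamic loader and its helpers.
# Exit 0 if every installed one is at the fixed version, 1 otherwise.
check_host() {
    status=0
    for pkg in libc6 libc-bin; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
            echo "$pkg: not installed"
            continue
        }
        if version_is_fixed "$ver"; then
            echo "$pkg $ver: fixed (>= $FIXED_VERSION)"
        else
            echo "$pkg $ver: NOT fixed (< $FIXED_VERSION)"
            status=1
        fi
    done
    return "$status"
}

echo "Installed binary packages built from source package glibc:"
glibc_binaries
check_host
```

One caveat on Gavin's `apt show` suggestion: `apt show` prints the record of the candidate version, so after `apt update` but before `apt upgrade` it can already display 2.36-9+deb12u3 while the loader on disk is still the old one. The script therefore asks `dpkg-query -W`, which reports what is actually installed; `apt policy libc6` shows both the Installed and Candidate versions side by side if you prefer apt.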