Researchers have discovered a critical vulnerability in the GNU C library, glibc, that could put modern Unix-based systems, including Linux servers, Android and iOS smartphones, and a slew of networking gear, at risk for remote code execution attacks. API Web services and major Web frameworks like Rails, PHP, and Python are also affected.
The vulnerability (CVE 2015-7547), a stack-based buffer overflow in the getaddrinfo() function in the glibc DNS client-side resolver, has already been patched. Anyone using glibc 2.9 and later — since 2.9 was released in May 2008, that means pretty much anyone using glibc — should patch as soon as possible. Red Hat Enterprise Linux 5 has glibc 2.5, so it isn’t vulnerable, but Red Hat Enterprise Linux 6 (glibc 2.12), Red Hat Enterprise Linux 7 (glibc 2.17), Debian squeeze (glibc 2.11), Debian wheezy (glibc 2.13), and Debian jessie (glibc 2.19) are all affected.
Submitted by: Arnfried Walbrecht