A severe vulnerability recently uncovered in the widely-used GNU C Library (glibc) can cause severe security problems for websites if they don’t patch soon.
Ars Technica recently reported that the bug was introduced in 2008 in a function known as
getaddrinfo(), and affects all kinds of devices — not just web servers.
All versions of glibc after 2.9 are vulnerable to a buffer overflow bug that lets attackers remotely execute malicious code.
It can be exploited in a number of ways, such as when vulnerable devices or applications perform domain name lookups on attacker-controlled domains, or domain name servers.
Researchers have warned that tools such as SSH, sudo, wget, and curl are all known to be vulnerable.
Ars reported that one Linux-based platform that is not vulnerable is Android, with Google explaining that it uses a substitute for glibc called Bionic.
Hetzner servers patched
Hetzner has sent an alert to its custom hosting customers informing them about the vulnerability, and recommending that they reboot their servers.
All affected services on Hetzner’s managed server platform will be restarted without the servers themselves being rebooted.
This is in order to minimise the impact on customers, and is in line with Debian’s security advisory, Hetzner said.