The GHOST in the Linux Machine? Busted
There isn't all that much reason to be afraid of the GHOST (gethostbyname) CVE-2015-0235 vulnerability in the open-source Linux GNU C Library (glibc) - is there?
The GHOST vulnerability was publicly disclosed (http://www.openwall.com/lists/oss-security/2015/01/27/9) by security vendor Qualys on an open-source security mailing list on January 27. While the vulnerability dis
"During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc)," the advisory warns. "This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability 'GHOST'."
While Qualys' disclosure about the vulnerability is new, and the flaw has a shiny new CVE number too (CVE-2015-0235), by Qualys' own admission the bug was fixed on August 12, 2013 in the glibc-2.18 update.
So what's the problem?