How to update glibc on Ubuntu 20.04 due to a security vulnerability

Question (score 8), asked by lcfc:

I am trying to update glibc 2.31-0ubuntu9.2, as an internal scan has picked this up as vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2021-33574#range-6777140

When I use `sudo apt-get update` and then `sudo apt install glibc`, I am getting nowhere with it.

Any ideas?

Thanks in advance.

Hannu (comment):
Generally it is "a fairly bad idea" to try to update community-built distributions (or parts of them) on your own. You have to know quite a bit about the internal choices in the actual distribution, and I believe: match the compile-time options to those. Attempting to replace a package by compiling random source, albeit "the latest" or "an older version already included", requires a good amount of knowledge.
lcfc (asker):
The issue we have is that we are PCI compliant, and one of the requirements is to carry out internal scans. These internal scans are picking up these sorts of vulnerabilities, so we need to update them. Or we remove them, but I worry about removing too much, as you don't know what else needs this to run.
Hannu (comment):
Well, then I see why you need to try; you probably have some kind of certification to keep up with.
user535733 (comment):
See the explanation of the vulnerability at https://ubuntu.com/security/CVE-2021-33574. It's low priority (so the patch may or may not be backported). The worst-case scenario seems to be that an attacker can cause a crash (not information release, not privilege escalation, not arbitrary code execution). It's unlikely to be used, since it's complex: it requires other attacks to have already succeeded.
user535733 (comment):
Since it pops up on your PCI scan, I would be surprised if the CVE is ignored; it's possible that the same CVE will pop up on an Ubuntu Advantage customer's scan. If so, a Canonical engineer will eventually apply the patch. After suitable testing, the updated package will be pushed by the Ubuntu Security Team. However, if you want to wait for somebody else to do that backporting work for you (or to pay for the work), be prepared to be patient.
lcfc (asker):
It is Wazuh that is picking it up. I think the way their system works is that it uses the CVE database, and this is why it is picking these sorts of vulnerabilities up.
Answer (score 12):

According to https://ubuntu.com/security/CVE-2021-33574, https://launchpad.net/bugs/cve/CVE-2021-33574 and https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1927192, you have to wait until "Fix Committed" becomes "Fix Released" for Ubuntu 20.04 LTS (Focal Fossa).

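Once the tracker shows a "Fix Released" version, the useful check is whether the installed package is at or above it under dpkg's own version ordering; a scanner that only matches the upstream version against the NVD range will keep flagging a 2.31 build that already carries the backport. This is an added example, not code from the answer or from Ubuntu's tooling: `compare_versions` and `fix_status` are names assumed here, and the `2.31-0ubuntu9.99` fix version is a constructed placeholder, not a value from the tracker.

```python
import re
from itertools import zip_longest

def _weight(c):
    """dpkg character weight: letters by code, '~' before everything
    (even end of string, which weighs 0), other punctuation after letters."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one upstream or revision part: alternating non-digit runs
    (weights, padded with 0) and digit runs (numeric), as dpkg does."""
    parts = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (na, da), (nb, db) in zip_longest(parts(a), parts(b), fillvalue=("", "")):
        wa, wb = [_weight(c) for c in na], [_weight(c) for c in nb]
        n = max(len(wa), len(wb))
        wa, wb = wa + [0] * (n - len(wa)), wb + [0] * (n - len(wb))
        if wa != wb:
            return -1 if wa < wb else 1
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def compare_versions(v1, v2):
    """dpkg ordering of [epoch:]upstream[-revision]; returns -1, 0 or 1."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def fix_status(installed, fix_released):
    """'pending' while the tracker still shows Fix Committed (no version yet),
    else whether the installed version already carries the released fix."""
    if fix_released is None:
        return "pending"
    return "fixed" if compare_versions(installed, fix_released) >= 0 else "vulnerable"

# Constructed usage: the version from the question against a placeholder
# fix version (the real one comes from the Ubuntu CVE tracker entry).
INSTALLED = "2.31-0ubuntu9.2"
print(fix_status(INSTALLED, None), fix_status(INSTALLED, "2.31-0ubuntu9.99"))
```

On a real host `dpkg --compare-versions` applies the same ordering, and `dpkg-query -W -f='${Version}' libc6` gives the installed value to compare.
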
lcfc (comment):
Thanks for that. Very helpful. How did you find the exact bit within https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1927192? The reason I ask is that I would like to compare this with other vulnerabilities I find and see if they are working on patching them, etc.
terdon (comment):
@lcfc If one of the answers here solved your issue, please take a moment and [accept it](//askubuntu.com/help/someone-answers) by clicking on the checkmark on the left. That is the best way to express your thanks on the Stack Exchange sites.