Alert regarding a vulnerability in the glibc library (CVE-2015-7547)
https://www.jpcert.or.jp/at/2016/at160009.html
ALAS-2016-653
https://alas.aws.amazon.com/ALAS-2016-653.html
Upgrading is simple: a patch has already been released, so all you need to do is run yum update.
[ec2-user@ip-10-0-0-187 ~]$ sudo yum list installed | grep glibc
glibc.x86_64 2.17-106.163.amzn1 @amzn-updates
glibc-common.x86_64 2.17-106.163.amzn1 @amzn-updates
glibc-devel.x86_64 2.17-106.163.amzn1 @amzn-updates
glibc-headers.x86_64 2.17-106.163.amzn1 @amzn-updates
[ec2-user@ip-10-0-0-187 ~]$ date
Thu Feb 18 02:03:20 UTC 2016
[ec2-user@ip-10-0-0-187 ~]$ sudo yum update glibc
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main/latest | 2.1 kB 00:00
amzn-updates/latest | 2.3 kB 00:00
zabbix/x86_64 | 951 B 00:00
zabbix-non-supported/x86_64 | 951 B 00:00
10 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package glibc.x86_64 0:2.17-106.163.amzn1 will be updated
--> Processing Dependency: glibc(x86-64) = 2.17-106.163.amzn1 for package: glibc-common-2.17-106.163.amzn1.x86_64
--> Processing Dependency: glibc(x86-64) = 2.17-106.163.amzn1 for package: glibc-headers-2.17-106.163.amzn1.x86_64
--> Processing Dependency: glibc(x86-64) = 2.17-106.163.amzn1 for package: glibc-devel-2.17-106.163.amzn1.x86_64
---> Package glibc.x86_64 0:2.17-106.166.amzn1 will be an update
--> Running transaction check
---> Package glibc-common.x86_64 0:2.17-106.163.amzn1 will be updated
---> Package glibc-common.x86_64 0:2.17-106.166.amzn1 will be an update
---> Package glibc-devel.x86_64 0:2.17-106.163.amzn1 will be updated
---> Package glibc-devel.x86_64 0:2.17-106.166.amzn1 will be an update
---> Package glibc-headers.x86_64 0:2.17-106.163.amzn1 will be updated
---> Package glibc-headers.x86_64 0:2.17-106.166.amzn1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================================
Updating:
glibc x86_64 2.17-106.166.amzn1 amzn-updates 5.7 M
Updating for dependencies:
glibc-common x86_64 2.17-106.166.amzn1 amzn-updates 28 M
glibc-devel x86_64 2.17-106.166.amzn1 amzn-updates 1.1 M
glibc-headers x86_64 2.17-106.166.amzn1 amzn-updates 735 k
Transaction Summary
======================================================================================================================================================
Upgrade 1 Package (+3 Dependent packages)
Total download size: 35 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): glibc-2.17-106.166.amzn1.x86_64.rpm | 5.7 MB 00:00
(2/4): glibc-common-2.17-106.166.amzn1.x86_64.rpm | 28 MB 00:00
(3/4): glibc-devel-2.17-106.166.amzn1.x86_64.rpm | 1.1 MB 00:00
(4/4): glibc-headers-2.17-106.166.amzn1.x86_64.rpm | 735 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------
Total 31 MB/s | 35 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : glibc-2.17-106.166.amzn1.x86_64 1/8
Updating : glibc-common-2.17-106.166.amzn1.x86_64 2/8
Updating : glibc-headers-2.17-106.166.amzn1.x86_64 3/8
Updating : glibc-devel-2.17-106.166.amzn1.x86_64 4/8
Cleanup : glibc-devel-2.17-106.163.amzn1.x86_64 5/8
Cleanup : glibc-headers-2.17-106.163.amzn1.x86_64 6/8
Cleanup : glibc-common-2.17-106.163.amzn1.x86_64 7/8
Cleanup : glibc-2.17-106.163.amzn1.x86_64 8/8
Verifying : glibc-headers-2.17-106.166.amzn1.x86_64 1/8
Verifying : glibc-common-2.17-106.166.amzn1.x86_64 2/8
Verifying : glibc-2.17-106.166.amzn1.x86_64 3/8
Verifying : glibc-devel-2.17-106.166.amzn1.x86_64 4/8
Verifying : glibc-headers-2.17-106.163.amzn1.x86_64 5/8
Verifying : glibc-common-2.17-106.163.amzn1.x86_64 6/8
Verifying : glibc-2.17-106.163.amzn1.x86_64 7/8
Verifying : glibc-devel-2.17-106.163.amzn1.x86_64 8/8
Updated:
glibc.x86_64 0:2.17-106.166.amzn1
Dependency Updated:
glibc-common.x86_64 0:2.17-106.166.amzn1 glibc-devel.x86_64 0:2.17-106.166.amzn1 glibc-headers.x86_64 0:2.17-106.166.amzn1
Complete!
[ec2-user@ip-10-0-0-187 ~]$ sudo yum list installed | grep glibc
glibc.x86_64 2.17-106.166.amzn1 @amzn-updates
glibc-common.x86_64 2.17-106.166.amzn1 @amzn-updates
glibc-devel.x86_64 2.17-106.166.amzn1 @amzn-updates
glibc-headers.x86_64 2.17-106.166.amzn1 @amzn-updates
I confirmed that the fixed version is now installed.
After the update, reboot so that the new version of glibc is loaded.
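To see which processes are still running on the old library before rebooting, the following added example (not part of the original post) scans /proc for glibc mappings marked "(deleted)", which is how the kernel shows a library file that was replaced on disk after it was loaded. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): after `yum update glibc`, find
# processes that still map the replaced glibc files and need a restart.

# stale_glibc_pids [PROC_ROOT]
# Prints "PID NAME" for every process whose maps file shows a glibc library
# marked "(deleted)", i.e. the file was replaced on disk after it was loaded.
stale_glibc_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # libresolv and libnss_dns are included because the CVE-2015-7547
        # code path is the DNS resolver behind getaddrinfo().
        grep -Eq '/(libc|libresolv|libnss_dns)-[0-9.]+\.so \(deleted\)$' \
            "$maps" 2>/dev/null || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        echo "${dir##*/} $name"
    done
    return 0
}

# make_sample_proc DIR
# Builds a constructed, minimal /proc-like tree: PID 101 still maps the old
# libc, PID 202 was started after the update.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo sshd > "$1/101/comm"
    echo crond > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
7f1c2a000000-7f1c2a1b6000 r-xp 00000000 ca:01 396251 /lib64/libc-2.17.so (deleted)
7f1c2a5c0000-7f1c2a5e1000 r-xp 00000000 ca:01 396244 /lib64/ld-2.17.so (deleted)
EOF
    cat > "$1/202/maps" <<'EOF'
7f88d4000000-7f88d41b6000 r-xp 00000000 ca:01 401877 /lib64/libc-2.17.so
EOF
}

# Scan the live system when run directly (root is needed to read every
# process's maps file); pass a directory to scan a saved or sample tree.
stale_glibc_pids "${1:-/proc}"
```

An empty result after a reboot, or after restarting the listed services, means no process is still using the pre-update library.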
For other distributions, refer to the following site.
A summary of the GNU C Library vulnerability (CVE-2015-7547)
http://d.hatena.ne.jp/Kango/20160217/1455725647
A glibc vulnerability was announced as CVE-2015-7547, so I updated glibc on Amazon Linux.