Cloud security company Qualys announced Tuesday the issues prevalent in glibc since version 2.2 introduced in 2000-11-10 (the complete Qualys announcement may be viewed here). The vulnerability, CVE-2015-0235, has been dubbed “GHOST.”
As the announcement from Qualys indicates, it is believed that MySQL and by extension Percona Server are not affected by this issue.
Percona is in the process of conducting our own review into the issue related to the Percona Server source code – more information will be released as soon as it is available.
In the interim the current advisory is to update your glibc packages for your distributions if they are in fact vulnerable. The C code from the Qualys announcement may aid in your diagnostics, section 4 of this document or via this gist. I also wrote a very quick python script to help identify processes which may be running libc that you can access here.
Compiling the above and executing it will yield an output indicating if your glibc version is believed to be vulnerable or not vulnerable.
Distribution Resource Resource Links
- RedHat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
- RedHat EL5 Errata: https://rhn.redhat.com/errata/RHSA-2015-0090.html
- RedHat EL6 / 7 Errata: https://rhn.redhat.com/errata/RHSA-2015-0092.html
- Ubuntu USN: http://www.ubuntu.com/usn/usn-2485-1/ (affects 10.04 12.04)
- Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2015-0235
Distributions which use musl-libc (http://www.musl-libc.org/) are not affected by this issue.
Robert Barabas – Percona
Raghavendra Prabhu – Percona
Laurynas Biveinis – Percona