A critical security flaw in the "getaddrinfo()" library function in the ubiquitous "glibc" library was publicly disclosed today. An exploit of this flaw could allow an attacker to run code remotely on a vulnerable system by sending it a carefully tailored response to a DNS query. Because of the nature of this vulnerability, it is critical that you apply the security patches as soon as they become available:
- Patches are now available for current releases of Ubuntu, Debian and Red Hat Enterprise Linux (RHEL) from the standard channels.
- Patches for CentOS, Scientific Linux and Fedora are expected to be available shortly. *UPDATE*: they are now available.
- If you are running an OS that is no longer getting security patches, you should upgrade as soon as possible. Also check the references below for possible short-term mitigations.
It is advisable to reboot each instance after applying the patches. If that is not possible, you need to restart all system and application services in the manner appropriate to your system. DNS is used by a variety of services, and every one of them must be restarted in order to pick up the patched version of the "getaddrinfo()" library function; a process that was started before the update keeps the old copy of glibc mapped in memory until it is restarted.
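One way to check which long-running processes still have the pre-update glibc mapped, as an added example that is not part of the original advisory: after the package upgrade, the old library file is unlinked, and the kernel marks mappings of an unlinked file with a "(deleted)" suffix in /proc/<pid>/maps. The script below parses those lines to flag processes that need a restart. The /proc layout and the libc file name patterns (libc-2.xx.so, libc.so.6) are assumptions about a typical Linux system; the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory): find processes that
# still map a replaced glibc after the package upgrade and therefore
# have not picked up the patched getaddrinfo().

# stale_libc_in_maps: read /proc/<pid>/maps-style lines on stdin and
# succeed (exit 0) if any libc mapping carries the "(deleted)" marker.
# The pattern deliberately requires "libc-<version>.so" or "libc.so[.N]"
# so that unrelated libraries such as libcrypto.so are not matched.
stale_libc_in_maps() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# list_stale_processes: scan every readable /proc/<pid>/maps and print
# "<pid> <name>" for each process that still maps the old glibc.
# Maps of other users' processes are unreadable without privilege, so
# run this as root for a complete picture; errors are silenced.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if { stale_libc_in_maps < "$maps"; } 2>/dev/null; then
            name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample maps lines (not captured from a real system):
# a process that loaded glibc before the update ...
sample_maps_stale() {
    printf '%s\n' \
      '7f3a5c000000-7f3a5c1a0000 r-xp 00000000 08:01 131091 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)' \
      '7f3a5d000000-7f3a5d020000 r-xp 00000000 08:01 131200 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0'
}
# ... and one started afterwards (a deleted libcrypto must not count).
sample_maps_fresh() {
    printf '%s\n' \
      '7f3a5c000000-7f3a5c1a0000 r-xp 00000000 08:01 131100 /lib/x86_64-linux-gnu/libc-2.19.so' \
      '7f3a5d000000-7f3a5d020000 r-xp 00000000 08:01 131200 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'
}

# Usage: sh stale_libc.sh --scan   (as root, after applying the patches)
if [ "${1:-}" = "--scan" ]; then
    list_stale_processes
fi
```

Any PID printed by the scan belongs to a service that must be restarted (or the host rebooted) before the fix is effective; an empty result after the restarts confirms nothing is still running against the old library. Debian's "checkrestart" (debian-goodies) and "needrestart" perform the same check more thoroughly across all libraries.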