
I am trying to update glibc 2.31-0ubuntu9.2, as an internal scan has picked this up as vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2021-33574#range-6777140

When I use sudo apt-get update and then sudo apt install glibc, I am getting nowhere with it.

Any ideas?

Thanks in advance.

lcfc
  • Generally it is "a fairly bad idea" to try to update community built distributions (or part of them) on your own. You have to know quite a bit of the internal choices in the actual distribution, and I believe: match the compile-time options to those. Attempting to replace a package by compiling random source, albeit "the latest" and "older version already included" requires a good amount of knowledge. – Hannu Dec 20 '21 at 20:18
  • The issue we have is we are PCI compliant and one of the requirements is to carry out internal scans. These internal scans are picking up these sorts of vulnerabilities so we need to update them. Or we remove them, but I worry about removing too much as you don't know what else needs this to run. – lcfc Dec 20 '21 at 20:22
  • Well, then I see why you need to try; you probably have some kind of certification to keep up with. – Hannu Dec 20 '21 at 20:26
  • See the explanation of the vulnerability at https://ubuntu.com/security/CVE-2021-33574. It's low priority (so the patch may-or-may-not be backported). The worst case scenario seems to be that an attacker can cause a crash (not information release, not privilege escalation, not arbitrary code execution). It's unlikely to be used, since it's complex -- it requires other attacks to have already succeeded. – user535733 Dec 20 '21 at 20:47
  • Since it pops up on your PCI scan, I would be surprised if the CVE is ignored; it's possible that the same CVE will pop up on an Ubuntu Advantage customer's scan. If so, a Canonical engineer will eventually apply the patch. After suitable testing, the updated package will be pushed by the Ubuntu Security Team. However, if you want to wait for somebody else to do that backporting work for you (or to pay for the work), be prepared to be patient. – user535733 Dec 20 '21 at 20:52
  • It is Wazuh that is picking it up. I think how their system works is it uses the CVE database and this is why it is picking these sorts of vulnerabilities up. – lcfc Dec 20 '21 at 21:50

1 Answer

According to https://ubuntu.com/security/CVE-2021-33574, https://launchpad.net/bugs/cve/CVE-2021-33574 and https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1927192 you have to wait until "Fix Committed" becomes "Fix Released" for Ubuntu 20.04 LTS (Focal Fossa).

N0rbert
  • Thanks for that. Very helpful. How did you find what exact bit within https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1927192? Reason I ask is I would like to compare this with other vulnerabilities I find and see if they are working on patching this up etc. – lcfc Dec 20 '21 at 20:16
  • @lcfc If one of the answers here solved your issue, please take a moment and [accept it](//askubuntu.com/help/someone-answers) by clicking on the checkmark on the left. That is the best way to express your thanks on the Stack Exchange sites. – terdon Dec 21 '21 at 15:59
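One way to do that comparison on the host itself, as an added example that is not part of the question, the answer or any Ubuntu tooling: the script below reimplements the version ordering dpkg uses (epoch, then upstream part, then Debian revision; `~` sorts before anything, digit runs compare numerically), reads the Installed and Candidate lines of `apt-cache policy libc6` (libc6 is the binary package that ships glibc on Ubuntu; "glibc" is the source package name, and no binary package of that name exists, which is why `apt install glibc` gets nowhere), and classifies the machine as already fixed, fixable by a normal upgrade, or still waiting for the fix to be released. The policy output embedded below is constructed around the version from the question, and the "fixed" version `2.31-0ubuntu9.3` is a placeholder to exercise the comparison, not the version in which Ubuntu shipped this fix; take the real one from the Ubuntu CVE tracker page linked in the answer once it shows "Fix Released".

```python
"""Decide whether an installed Ubuntu package already carries a CVE fix.

Added example (not code from the question, the answer or Ubuntu). The dpkg
version ordering is reimplemented in pure Python so the check also runs where
dpkg is absent; on a real host `dpkg --compare-versions` gives the same answer.
"""
from typing import Optional, Tuple

# Constructed sample of `apt-cache policy libc6`; the versions are the ones from
# the question, the mirror line is made up.
SAMPLE_POLICY = """\
libc6:
  Installed: 2.31-0ubuntu9.2
  Candidate: 2.31-0ubuntu9.2
  Version table:
 *** 2.31-0ubuntu9.2 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
"""

# Placeholder, NOT the real fixing version: read that from the Ubuntu CVE
# tracker entry once its status is "Fix Released".
ASSUMED_FIXED_VERSION = "2.31-0ubuntu9.3"


def _order(ch: str) -> int:
    """Sort weight of one non-digit character, as in dpkg's order()."""
    if ch == "~":
        return -1          # "~" sorts before everything, even the end of the string
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)     # letters sort before non-letters
    return ord(ch) + 256   # '.', '+', '-' and friends sort after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs: drop leading zeros, the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = int(a[i]) - int(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts (epoch defaults to 0)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (c > 0) - (c < 0)


def parse_apt_policy(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Pull the Installed and Candidate versions out of `apt-cache policy` output."""
    installed = candidate = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Installed:"):
            installed = line.split(":", 1)[1].strip()
        elif line.startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
    return installed, candidate


def triage(installed: str, candidate: Optional[str], fixed: str) -> str:
    """Classify a host as 'fixed', 'update-available' or 'fix-not-released'."""
    if compare_versions(installed, fixed) >= 0:
        return "fixed"
    if candidate and compare_versions(candidate, fixed) >= 0:
        return "update-available"   # the archive already has it: a plain upgrade suffices
    return "fix-not-released"       # nothing to install yet; track the CVE page instead


def triage_policy_output(text: str, fixed: str) -> str:
    installed, candidate = parse_apt_policy(text)
    if installed in (None, "(none)"):
        return "not-installed"
    return triage(installed, candidate, fixed)


if __name__ == "__main__":
    # On a real host replace SAMPLE_POLICY with the output of:
    #   apt-cache policy libc6
    print(triage_policy_output(SAMPLE_POLICY, ASSUMED_FIXED_VERSION))
```

The reason for reimplementing the ordering rather than comparing strings: a plain string comparison says `2.31-0ubuntu9.2` is newer than `2.31-0ubuntu9.10`, while dpkg (and therefore apt) treats `9.10` as the later revision. A scanner that compares versions as text would flag a patched host as vulnerable, or worse, pass an unpatched one.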