Engineers at Red Hat and Google have discovered what is termed a “critical” security flaw in Linux through which “remote code execution is possible.”

The companies are recommending that Linux users, including those running numerous versions of Red Hat Enterprise Linux, fix the bug immediately.

“The bug, which dates back to 2008, affects hundreds of thousands of devices and programs that use software derived from the GNU free-software project,” Fortune notes. “The products, which range from servers to routers to Internet-of-things devices, are vulnerable when they try to use a certain function to translate web addresses into their underlying, numerical IP addresses.”

Red Hat (NYSE: RHT) engineers Florian Weimer and Carlos O’Donell are credited with finding the bug along with an unidentified engineer at Google.

The discovery was “an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users,” Google noted.

For technical details, see Google’s (Nasdaq: GOOG) security blog at:

https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

The list of affected Red Hat products is as follows:

  • Red Hat Enterprise Linux Server 6 x86_64
  • Red Hat Enterprise Linux Server 6 i386
  • Red Hat Enterprise Linux Server – Extended Update Support 6.7 x86_64
  • Red Hat Enterprise Linux Server – Extended Update Support 6.7 i386
  • Red Hat Enterprise Linux Workstation 6 i386
  • Red Hat Enterprise Linux Desktop 6 x86_64
  • Red Hat Enterprise Linux Desktop 6 i386
  • Red Hat Enterprise Linux for IBM z Systems 6 s390x
  • Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 6.7 s390x
  • Red Hat Enterprise Linux for Power, big endian – Extended Update Support 6.7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 6 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 6.7 x86_64

Red Hat said users should exercise caution.

“Before applying this update, make sure all previously released errata relevant to your system have been applied,” Red Hat notes.

For details of the fix, see:

https://access.redhat.com/articles/11258

For the Fortune report, see:

http://fortune.com/2016/02/17/google-glibc-big/