andrewfeeney, to php
@andrewfeeney@phpc.social avatar

and folks, what do you make of this?

https://youtu.be/kQdRT2odUIk

mergy,
@mergy@self.social avatar

@andrewfeeney Workaround possibly for now >> GLIBC Vulnerability on Servers Serving PHP https://mer.gy/iconvglibcvuln (via Rocky Linux)

"First, let us check if the system has the compromised set, running

iconv -l | grep -E 'CN-?EXT'

If there is no output, the system is safe to this vulnerability."

Else -

Browse to /usr/lib64/gconv/gconv-modules.d

Edit gconv-modules-extra.conf

Go to line 1254 and comment out the following..."

mart_w, to php German
@mart_w@chaos.social avatar

As fixes for the current and are not reliably available yet, keep in mind that a workaround exists for those of you who don’t need support for the ISO-2022-CN-EXT character set: https://rockylinux.org/news/glibc-vulnerability-april-2024/

This should be quite straightforward to apply on most machines – except those running . If you do use NixOS, my solution might help you bridge the gap until the proper fix is upstream: https://git.brokentech.cloud/mart-w/nixos-workaround-cve-2024-2961

Thanks @hexa for pointing me in the right direction!

matthew, to sysadmin
@matthew@social.retroedge.tech avatar

Question on the PHP glibc vulnerability:

Does anyone know a blog post or other documentation for how to turn off the character set that allows the vulnerability in Ubuntu and Debian?

Here's a good blog post by Rocky Linux on the subject, but I'm not sure how to translate the instructions to Debian and Ubuntu.

https://rockylinux.org/pt_BR/news/glibc-vulnerability-april-2024/?language=en

ramsey,
@ramsey@phpc.social avatar

@matthew There’s some information on the official @php website that might be helpful: https://www.php.net/archive/2024.php#2024-04-24-1

bugaevc, to random
@bugaevc@floss.social avatar

2.38 is out 🎉

Among other things like strlcpy & strlcat (I know, right?), it includes many fixes and improvements in the port, and a brand new x86_64-gnu (aka 64-bit Hurd) port!

https://sourceware.org/pipermail/libc-alpha/2023-July/150524.html

Yet some of my proposed patch sets didn't make it into 2.38, so expect more in 2.39 😉

rockylinux, to linux
@rockylinux@fosstodon.org avatar

Regarding the recent glibc vulnerability (CVE-2024-2961) on servers serving php content, here's a step-by-step guide to secure your Rocky Linux installation https://rockylinux.org/news/glibc-vulnerability-april-2024/

linuxmagazine, to linux
@linuxmagazine@fosstodon.org avatar

New Linux vulnerability in the GNU C library can lead to privilege escalation https://www.linux-magazine.com/Online/News/New-Linux-Vulnerability-Enables-a-Privilege-Escalation

harrysintonen, to random

CVE-2023-6246 - syslog() heap-based buffer overflow - https://www.openwall.com/lists/oss-security/2024/01/30/6 - Impact: local privilege escalation to root

mergy, to debian
@mergy@self.social avatar

Posted the cobbled-together fix (it seems) for Linux folks here https://mergy.org/glibc-vuln-fix-for-debian-for-now/

At least you can see if your distro is similar or not.

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

linuxmagazine, to ubuntu
@linuxmagazine@fosstodon.org avatar

Microsoft changes its tune: VS code will work with 18.04... for now https://www.linux-magazine.com/Online/News/Microsoft-Says-VS-Code-Will-Work-With-Ubuntu-18.04

fell, to Matrix
@fell@ma.fellr.net avatar

I just learnt about jemalloc in order to fix the memory hunger of Synapse.

So yeah, Python developers will rather hijack the glibc memory allocator than switch to a resource efficient language.

0xor0ne, to Cybersecurity

Excellent overview of glibc heap exploitation techniques by @0xricksanchez

https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/

colin_mcmillen, to random French
@colin_mcmillen@piaille.fr avatar

La 2.39 est officiellement releasée depuis hier (https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00017.html), et dedans, il y a un (tout petit) patch que j'ai fait !

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

frankel, to linux
@frankel@mastodon.top avatar

New Library Grants Root Access to Major Distros

https://www.cyberkendra.com/2024/01/glibc-flaw-allow-root-access-to-major-distros.html

itnewsbot, to jenkins
@itnewsbot@schleuss.online avatar

This Week in Security: Glibc, Ivanti, Jenkins, and Runc - There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. ... - https://hackaday.com/2024/02/02/this-week-in-security-glibc-ivanti-jenkins-and-runc/

gnutools, to random
@gnutools@fosstodon.org avatar

The GNU C Library has been authorized by the Program as a CVE Numbering Authority () https://sourceware.org/pipermail/libc-announce/2024/000039.html

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

j3j5, to php
@j3j5@hachyderm.io avatar

tl;dr: upgrade glibc on your servers!

Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.

https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961

There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.

https://www.offensivecon.org/speakers/2024/charles-fol.html

matthew, to php
@matthew@social.retroedge.tech avatar

This is the fix that I was looking for to mitigate the "PHP" glibc vulnerability in Ubuntu server:

RT: https://shitposter.world/objects/747bb41c-ce2a-4861-aabc-d430ca214ffd

fsf, to emacs
@fsf@hostux.social avatar

Assigning your copyright to the FSF helps defend the GPL and keep software free. Thanks to Gene Goykhman, Sergey Alexandrovich Bugaev, Wang Diancheng, Warren Thomas Everett Wilkinson, and Xinyuan Zhang for assigning their copyright to the FSF! Learn more at https://u.fsf.org/3ht

raptor, to random

For the algorithm lovers: Nontransitive comparison functions lead to
out-of-bounds read & write in 's qsort() by @qualys

  • can’t stop thinking about possible targets for this memory corruption 🤔

https://www.qualys.com/2024/01/30/qsort.txt

  • All
  • Subscribed
  • Moderated
  • Favorites
  • JUstTest
  • cisconetworking
  • thenastyranch
  • GTA5RPClips
  • everett
  • Durango
  • rosin
  • InstantRegret
  • DreamBathrooms
  • magazineikmin
  • Youngstown
  • mdbf
  • slotface
  • ethstaker
  • megavids
  • kavyap
  • normalnudes
  • modclub
  • cubers
  • ngwrru68w68
  • khanakhh
  • tacticalgear
  • tester
  • provamag3
  • Leos
  • osvaldo12
  • anitta
  • lostlight
  • All magazines
    •