Forum OpenACS Development: GHOST Vulnerability

Posted by Michael Aram on
2: Re: GHOST Vulnerability (response to 1)
Posted by Gustaf Neumann on
Thank you Michael for the notification.

The attack depends on the use of gethostbyname() and gethostbyname2(), which have been deprecated for 15 years and have been superseded by getaddrinfo(). NaviServer and AOLserver use the newer functions when available (i.e. on all recent operating systems), so unless one is using a very old binary or source version of AOLserver, the server is safe.

However, as the report shows, some software packages still actively use the old functions (the exim mail server), so the fix is certainly necessary for ALL machines connected to the Internet (a quick check reveals that new Linux distros also contain binaries calling the affected functions).

Note that upgrading the binaries is not sufficient, since all server programs have to be restarted. The safest thing is to reboot the server.

Btw, the reboot of openacs.org caused a service interruption yesterday since the new machine refused to reboot. Sorry for any inconvenience that this caused.

-g
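The two checks Gustaf describes, the "quick check" for binaries calling the affected functions and the observation that upgrading glibc is not enough until every process that loaded the old library is restarted, can be scripted. The following is an added example and not code from the thread or from OpenACS, NaviServer or AOLserver; the function names and the sample /proc/PID/maps excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenACS/NaviServer/AOLserver code).
# Two checks an administrator runs around a glibc (GHOST) upgrade:
#   1. which binaries import the deprecated gethostbyname*() calls, and
#   2. which running processes still have the old, now-deleted libc mapped
#      and therefore need a restart (or a reboot).
# Function names and the sample /proc/PID/maps excerpts below are constructed.

# 1. Binaries that import gethostbyname(), gethostbyname2() or their _r variants.
#    Needs binutils (nm). Only direct imports are reported; a program that reaches
#    the calls through another shared library shows up when that library is scanned.
list_gethostbyname_users() {
    command -v nm >/dev/null 2>&1 || { echo "nm (binutils) not found" >&2; return 2; }
    for bin in "$@"; do
        nm -D --undefined-only "$bin" 2>/dev/null \
            | awk -v b="$bin" '$2 ~ /^gethostbyname2?(_r)?(@.*)?$/ { print b ": " $2 }'
    done
}

# 2. Given the path of a /proc/PID/maps file, print "stale" when the process still
#    maps a libc whose file has been replaced on disk, otherwise "current".
#    The package upgrade unlinks the old libc-X.Y.so / libc.so.6; the kernel keeps
#    the old inode alive for every process that loaded it and marks the mapping
#    "(deleted)", which is exactly the process that still runs the vulnerable code.
libc_mapping_state() {
    if grep -E '/libc(-[0-9.]+\.so|\.so\.[0-9]+) \(deleted\)$' "$1" >/dev/null 2>&1; then
        echo stale
    else
        echo current
    fi
}

# Walk /proc and print "PID command" for every process that needs restarting.
# Run as root to see all processes.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if [ "$(libc_mapping_state "$maps")" = stale ]; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample maps excerpts so the check can be exercised offline.
SAMPLE_STALE=$(mktemp)
SAMPLE_CURRENT=$(mktemp)
trap 'rm -f "$SAMPLE_STALE" "$SAMPLE_CURRENT"' EXIT

# A mail server started before the upgrade: old libc unlinked but still mapped.
cat > "$SAMPLE_STALE" <<'EOF'
00400000-004e0000 r-xp 00000000 08:01 131073    /usr/sbin/exim4
7f3a2c000000-7f3a2c1ba000 r-xp 00000000 08:01 262151    /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f3a2c3c0000-7f3a2c3e0000 r-xp 00000000 08:01 262148    /lib/x86_64-linux-gnu/ld-2.13.so (deleted)
EOF

# The same server after a restart: mappings point at the files now on disk.
cat > "$SAMPLE_CURRENT" <<'EOF'
00400000-004e0000 r-xp 00000000 08:01 131073    /usr/sbin/exim4
7f3a2c000000-7f3a2c1ba000 r-xp 00000000 08:01 262160    /lib/x86_64-linux-gnu/libc-2.13.so
7f3a2c3c0000-7f3a2c3e0000 r-xp 00000000 08:01 262161    /lib/x86_64-linux-gnu/ld-2.13.so
EOF

echo "exim4 before restart: $(libc_mapping_state "$SAMPLE_STALE")"    # stale
echo "exim4 after restart:  $(libc_mapping_state "$SAMPLE_CURRENT")"  # current
```

On a live machine, `list_gethostbyname_users /usr/sbin/* /usr/lib/*.so*` shows which installed binaries and libraries still import the old resolver calls, and `processes_needing_restart` (as root) lists the processes that loaded glibc before the upgrade. The "(deleted)" test is a general one: it flags any process whose mapped library file has been replaced, so it also catches daemons that were started from a library other than libc that was updated in the same run. If the list is long or includes init itself, a reboot is the simpler and safer option, as the post says.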