Need reboot after glibc update for CVE-2015-7547?

yena

Hello,
Do I have to reboot the host server when I patch for CVE-2015-7547 by upgrading glibc?

Thanks

In theory, you only need to restart all services/processes that use the old copy of glibc. In practice, it might be quicker (and safer) to reboot the host as well, especially since you would need to restart all VMs and containers anyway (or migrate them to a different, already updated host).
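A check to go with the reply above, added here as an example (it is not from the thread, from Proxmox or from 4PSA): it lists the processes that still have the old libc mapped after the package upgrade, which is exactly the set you have to restart if you cannot reboot right away. It assumes the Linux convention that /proc/<pid>/maps appends "(deleted)" to a mapping whose backing file was replaced on disk; the two maps excerpts at the bottom are constructed samples used for a self-check, not output captured from a real host.

```shell
#!/bin/bash
# Added example (not part of the thread): after "apt-get upgrade" has replaced
# glibc, find every running process that still maps the OLD libc. Those are the
# processes (services, VMs, containers) that must be restarted for the fix to
# take effect; an empty list means a reboot is not needed for glibc's sake.
# Assumption: /proc/<pid>/maps marks a mapping whose file was unlinked/replaced
# with a trailing "(deleted)", which is how Linux reports it.

# maps_has_stale_libc: read one /proc/<pid>/maps on stdin; exit 0 if it still
# maps a libc that has been deleted/replaced on disk, 1 otherwise.
# Matches both old-style "libc-2.19.so" and newer "libc.so.6" names, but not
# other libraries such as libcrypto.so.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# stale_libc_pids: print "<pid> <comm>" for every process whose maps still
# reference a deleted libc. Maps files that cannot be read (other users'
# processes when not running as root) are skipped silently.
stale_libc_pids() {
    local maps pid
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc 2>/dev/null < "$maps"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample maps excerpts (not captured from a real host).
# STALE_MAPS: the file backing the mapping was replaced by the upgrade.
STALE_MAPS='7f1e00000000-7f1e001b5000 r-xp 00000000 08:01 393218 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1e003b5000-7f1e003b9000 r--p 001b5000 08:01 393218 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)'
# FRESH_MAPS: the process already runs against the libc currently on disk.
FRESH_MAPS='7f1e00000000-7f1e001b5000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libc-2.19.so
7f1e003b5000-7f1e003b9000 r--p 001b5000 08:01 393300 /lib/x86_64-linux-gnu/libc-2.19.so'

if [ "${1-}" = "--scan" ]; then
    # Real run on a host: sudo ./stale-libc.sh --scan
    stale_libc_pids
else
    # Self-check against the constructed samples.
    printf '%s\n' "$STALE_MAPS" | maps_has_stale_libc && echo "sample 1: old libc still mapped -> restart needed"
    printf '%s\n' "$FRESH_MAPS" | maps_has_stale_libc || echo "sample 2: current libc mapped -> nothing to do"
fi
```

Run it as root with --scan right after the glibc upgrade; any process it lists still executes the old, vulnerable resolver code no matter what the package manager says, so restart those services (and the VMs and containers, as the reply notes) or reboot. Without --scan it only exercises the constructed samples.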

Ok, I use this script on the host because I can reboot hosts only at scheduled times:

-------------------------------------------------------------------
#!/bin/bash

# Copyright (c) 2016 by 4PSA
# All rights reserved
#
# This script patches CVE-2015-7547 at the network layer: it drops DNS replies
# (source port 53) longer than 512 bytes over UDP and 1024 bytes over TCP, so an
# oversized answer never reaches glibc's resolver. It is a stop-gap until glibc
# is upgraded and every process using it has been restarted.

# Use firewalld when it is installed, running and firewall-cmd is available;
# otherwise fall back to iptables/ip6tables directly.
usefirewalld=0
if [ -x "/usr/sbin/firewalld" ]; then
    if systemctl status firewalld >/dev/null 2>&1; then
        usefirewalld=1
    fi
    if [ ! -x "/usr/bin/firewall-cmd" ]; then
        usefirewalld=0
    fi
fi

if [ "$usefirewalld" -eq 1 ]; then
    echo "==> Apply hotfix using firewalld"
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --sport 53 -m length --length 513: -j DROP
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --sport 53 -m length --length 1025: -j DROP
    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p udp --sport 53 -m length --length 513: -j DROP
    firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --sport 53 -m length --length 1025: -j DROP
    # --permanent only writes the saved configuration; reload so the rules are
    # also active in the running firewall.
    firewall-cmd --reload
    echo "===> Done"
else
    echo "==> Apply hotfix for ipv4"
    # Skip if the rules are already present (idempotent on re-runs).
    if [ "$(iptables -L -vn | grep -c 'tcp spt:53 length')" -eq 0 ]; then
        iptables -I INPUT -p udp --sport 53 -m length --length 513: -j DROP
        iptables -I INPUT -p tcp --sport 53 -m length --length 1025: -j DROP
        # Persist the rules where the distribution restores them from at boot.
        if [ -f /etc/redhat-release ]; then
            echo "===> Saving Rules"
            iptables-save > /etc/sysconfig/iptables
        fi
        if [ -f /etc/debian_version ] && [ -f /etc/iptables/rules.v4 ]; then
            echo "===> Saving Rules"
            iptables-save > /etc/iptables/rules.v4
        fi
        echo "===> Done"
    else
        echo "===> Hotfix already applied for ipv4"
    fi

    if [ -x "/usr/sbin/ip6tables" ]; then
        echo "==> Try to apply hotfix for ipv6"
        if [ "$(/usr/sbin/ip6tables -L -vn | grep -c 'tcp spt:53 length')" -eq 0 ]; then
            ip6tables -I INPUT -p udp --sport 53 -m length --length 513: -j DROP
            ip6tables -I INPUT -p tcp --sport 53 -m length --length 1025: -j DROP
            if [ -f /etc/redhat-release ]; then
                ip6tables-save > /etc/sysconfig/ip6tables
            fi
            if [ -f /etc/debian_version ] && [ -f /etc/iptables/rules.v6 ]; then
                ip6tables-save > /etc/iptables/rules.v6
            fi
            echo "===> Done"
        else
            echo "===> Hotfix already applied for ipv6"
        fi
    fi
fi

-------------------------------------------------------------------

Maybe useful for someone else.