Updating Systems for glibc DNS Vulnerability and Workaround

Published 2016-02-17

This post explains how to update your servers and how to use iptables as a workaround for the DNS vulnerability found in glibc (CVE-2015-7547).

By now every good sysadmin should know that a new DNS vulnerability has been found; if you haven't heard yet, just read this blog post by Google's researchers.

I updated the Debian/Ubuntu servers with the typical commands:

$ sudo apt-get update
$ sudo apt-get upgrade

and the CentOS/RedHat ones with:

$ sudo yum clean all
$ sudo yum update
$ sudo systemctl daemon-reexec

The last command re-executes systemd so you can avoid rebooting the system.
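As an added check that is not part of the original post: daemon-reexec restarts only systemd itself, so other daemons that were already running keep the old glibc mapped in memory until they are restarted. The script below lists those processes by looking for a libc mapping whose file on disk was replaced by the update; it assumes a Linux /proc filesystem and root privileges to inspect every process, and the two sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still using the OLD libc after a glibc update.
# Assumes Linux /proc (present on Debian, CentOS and Fedora); run as root to
# see every process, otherwise only your own processes are inspected.

# maps_has_stale_libc MAPS_TEXT
# Returns 0 when the text (in /proc/PID/maps format) shows a libc mapping
# whose file was replaced on disk: the kernel appends " (deleted)" to the path.
# Matches both naming styles, e.g. libc-2.19.so and libc.so.6.
maps_has_stale_libc() {
    printf '%s\n' "$1" \
        | grep -E '/libc(-[0-9.]+\.so|\.so\.[0-9]+) \(deleted\)$' >/dev/null 2>&1
}

# pid_uses_stale_libc PID: 0 if the process needs a restart, 1 otherwise
pid_uses_stale_libc() {
    maps=$(cat "/proc/$1/maps" 2>/dev/null) || return 1
    maps_has_stale_libc "$maps"
}

# stale_libc_pids: print "PID COMM" for every process that must be restarted
# (or the box rebooted) before it actually runs the patched resolver code.
stale_libc_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if pid_uses_stale_libc "$pid"; then
            printf '%s %s\n' "$pid" "$(cat "$d/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample lines in /proc/PID/maps format (not taken from a real host)
SAMPLE_STALE='7f3c5a000000-7f3c5a1c0000 r-xp 00000000 fd:01 1234 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)'
SAMPLE_FRESH='7f3c5a000000-7f3c5a1c0000 r-xp 00000000 fd:01 1235 /lib/x86_64-linux-gnu/libc-2.19.so'

# Usage: sh stale-libc.sh --scan
if [ "${1:-}" = "--scan" ]; then stale_libc_pids; fi
```

An empty list from `--scan` means every running process already uses the new library; anything listed still needs a service restart.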

Currently I don't work with any SUSE servers, but in case you need to, this is the command:

# zypper up

Of course I also wanted to patch my Fedora box, but after running the usual command:

$ sudo yum update

I noticed that glibc hadn't been updated yet. I suppose I have to wait a little for the patch, but in the meantime I'd like to be protected, so this is the iptables workaround to keep you covered:

$ sudo iptables -I INPUT -p udp --sport 53 -m length --length 511:65535 -j DROP
$ sudo iptables -I INPUT -p udp --dport 53 -m length --length 511:65535 -j DROP

To check that the rules were inserted correctly you can use:

$ sudo iptables -L -nv | grep 53

Danilo