GHOST vulnerability?


#1

Are we patched against this?


#2

I don’t officially know, but since I too was wondering this, and while searching for the answer I came across your unanswered question (unanswered even after a couple of days), it struck me that Dreamhost probably hasn’t said officially anywhere whether their servers are patched.

I thought I would dig deeper to see if I could find the answer myself. What I found looks like they installed the patch, but I couldn’t confirm that they restarted the dependent services. I’ll trust that they did (why would they bother to install the patch without restarting???).

What did I do? I logged in to my Dreamhost host console, and ran this:

[myserver]$ dpkg -l | grep libc-bin
ii  libc-bin  2.15-0ubuntu10.10  Embedded GNU C Library: Binaries

Knowing that 2.15-0ubuntu10.10 is the patched version of libc, it tells me that at least the patch is installed.

As mentioned, I didn’t have so much luck confirming the services have been restarted. We don’t have the ability (AFAIK) to find how long Apache has been running as we don’t have root privileges, but I thought that I could at least check if maybe Dreamhost support had simply rebooted after installing the patch. So I ran:

[myserver]$ uptime
 14:02:21 up 82 days, 17:17, 1 user, load average: 4.68, 5.18, 5.38

It seems they haven’t rebooted, so I’ll just trust that they restarted apache and any other processes that were using libc (but can’t be certain).

It also is possible that they might have patched MY server, but not others, so take my findings with a grain of salt. You could sign in to your server and run the same commands to confirm your server’s state.
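
The following is an added example, not part of the posts above. It checks the restart question directly: a process started before the upgrade still maps the replaced libc file, which Linux marks as "(deleted)" in /proc/<pid>/maps. The function names are hypothetical, and without root it can only read the maps of processes you own, so it will not see a web server running under another account.

```shell
#!/bin/sh
# Added example: list processes that still map a libc file which has been
# replaced on disk since they started (i.e. not restarted after patching).

# Return 0 if the given maps file contains a deleted libc mapping.
# Matches libc-2.15.so and libc.so.6, but not e.g. libcap.so.2.
has_stale_libc() {
    grep -Eq '/libc[-.][0-9.]*so[.0-9]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "PID COMMAND" for each readable process still using the old libc.
# $1 is the proc root (assumption: defaults to /proc; the parameter exists
# only so the function can be pointed at a constructed directory).
list_stale_processes() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        # Skip entries that do not exist or are not readable at all.
        [ -r "$maps" ] || continue
        if has_stale_libc "$maps"; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $name"
        fi
    done
}

# Scan the live system; no output means no readable process is stale.
list_stale_processes
```

An empty result only covers the processes whose maps you are allowed to read.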