Translated 20160218 Linux Systems Patched for Critical glibc Flaw (#4014)

deleted:     sources/tech/20160218 Linux Systems Patched for Critical glibc Flaw.md
new file:    translated/tech/20160218 Linux Systems Patched for Critical glibc Flaw.md

sources/tech/20160218 Linux Systems Patched for Critical glibc Flaw.md

@@ -1,52 +0,0 @@
-robot527 translating
-
-Linux Systems Patched for Critical glibc Flaw
-=================================================
-
-**Google exposed a critical flaw affecting major Linux distributions. The glibc flaw could have potentially led to remote code execution.**
-
-Linux users today are scrambling to patch a critical flaw in the core glibc open-source library that could be exposing systems to a remote code execution risk. The glibc vulnerability is identified as CVE-2015-7547 and is titled, "getaddrinfo stack-based buffer overflow."
-
-The glibc, or GNU C Library, is an open-source implementation of the C and C++ programming language libraries and is part of every major Linux distribution. Google engineers came across the CVE-2015-7547 issue when they were attempting to connect into a certain host system and a segmentation fault (segfault) occurred, causing the connection to crash. Further investigation revealed that glibc was at fault and the crash could potentially achieve an arbitrary remote code execution condition.
-
-"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used," Google wrote in a blog post. "Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS [Domain Name System] servers, or through a man-in-the-middle attack."
-
-Actually exploiting the CVE-2015-7547 issue is not trivial, but it is possible. To prove that the issue can be exploited, Google has published proof-of-concept (PoC) code on GitHub that demonstrates if an end user or system is vulnerable.
-
-"The server code triggers the vulnerability and therefore will crash the client code," the GitHub PoC page states.
-
-Mark Loveless, senior security researcher at Duo Security, explained that the main risk of CVE-2015-7547 is to Linux client-based applications that rely on DNS responses.
-
-"There are some specific conditions, so not every single application will be impacted, but it appears that several command-line utilities, including the popular SSH [Secure Shell] client could trigger the flaw," Loveless told eWEEK. "We deem this serious mainly because of the existing risks to Linux systems, but also because of the potential for other issues."
-
-Other issues could potentially include a risk of an email-based attack that triggers the vulnerable glibc  getaddrinfo() library call. Also of note is the fact that the vulnerability was in the code for years before it was discovered.
-
-Google's engineers were not the first or only group to discover the security risk in glibc. The issue was first reported to a glibc bug [tracker](https://sourceware.org/bugzilla/show_bug.cgi?id=1866) on July 13, 2015. The roots of the flaw go back even further with the actual code commit that introduced the flaw first in glibc 2.9, which was released in May 2008.
-
-Linux vendor Red Hat also independently was looking at the bug in glibc and on Jan. 6, 2016, Google and Red Hat developers confirmed that they had been independently working on the same vulnerability as part of the initial private discussion with upstream glibc maintainers.
-
-"Once it was confirmed that both teams were working on the same vulnerability, we collaborated on potential fixes, mitigations and regression testing," Florian Weimer, principal software engineer for product security at Red Hat, told eWEEK. "We also worked together to make the test coverage as wide as possible to catch any related problems in the code to help prevent future issues."
-
-It took years to discover that there was a security issue with the glibc code because that flaw isn't obvious or immediately apparent.
-
-"To diagnose bugs in a networking component, like a DNS resolver, it is common to look at packet traces which were captured while the issue was encountered," Weimer said. "Such packet captures were not available in this case, so some experimentation was needed to reproduce the exact scenario that triggered the bug."
-
-Weimer added that once the packet captures were available, considerable effort went into validating the fix, leading to a series of refinements culminating in the regression test suite that was contributed upstream to the glibc project.
-
-In many cases in Linux, the Security Enhanced Linux (SELinux) mandatory access security controls can mitigate the risk of potential vulnerabilities, but that's not the case with the new glibc issue.
-
-"The risk is a compromise of important system functionality due to the execution of arbitrary code supplied by an attacker," Weimer said. "A suitable SELinux policy can contain some of the damage an attacker might do and constrain their access to the system, but DNS is used by many applications and system components, so SELinux policies offer only limited containment for this issue."
-
-Alongside the vulnerability disclosure today, there is now a patch available to mitigate the potential risk of CVE-2015-7547.
-
-------------------------------------------------------------------------------
-
-via: http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html
-
-作者：[Michael Kerner][a]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]:https://twitter.com/TechJournalist

translated/tech/20160218 Linux Systems Patched for Critical glibc Flaw.md

@@ -0,0 +1,50 @@
+修补 Linux 系统 glibc 严重漏洞
+=================================================
+
+**谷歌揭露的一个严重漏洞影响主流的 Linux 发行版。glibc 的漏洞可能导致远程代码执行。**
+
+Linux 用户今天都竞相给一个可以使系统暴露在远程代码执行风险中的核心 glibc 开放源码库的严重漏洞打补丁。glibc 的漏洞被确定为 CVE-2015-7547，题为“getaddrinfo 基于堆栈的缓冲区溢出”。
+
+glibc，或 GNU C 库，是一个开放源码的 C 和 C++ 编程语言库的实现，是每一个主流 Linux 发行版的一部分。谷歌工程师们在他们试图连接到某个主机系统时发生了一个段错误导致连接崩溃，偶然发现了 CVE-2015-7547 问题。进一步的研究表明， glibc 有缺陷而且该崩溃可能实现任意远程代码执行的条件。
+
+谷歌在一篇博客文章中写道, “当 getaddrinfo() 库函数被使用时，glibc 的 DNS 客户端解析器易受基于堆栈缓冲区溢出的攻击，使用该功能的软件可能被利用为攻击者控制的域名，攻击者控制的 DNS[域名系统] 服务器，或通过中间人攻击。”
+
+其实利用 CVE-2015-7547 问题并不简单，但它是可能的。为了证明这个问题能被利用，谷歌发布了论证一个终端用户或系统是否易受攻击的概念验证（POC）代码到 GitHub 上。
+
+GitHub 上的 POC 网页声明“服务器代码触发漏洞，因此会使客户端代码崩溃”。
+
+Duo Security 公司的高级安全研究员 Mark Loveless 解释说 CVE-2015-7547 的主要风险在于 Linux 上依赖于 DNS 响应的基于客户端的应用程序。
+
+Loveless 告诉 eWEEK “需要一些特定的条件，所以不是每个应用程序都会受到影响，但似乎一些命令行工具，包括流行的 SSH[安全 Shell] 客户端都可能触发该漏洞，我们认为这是严重的，主要是因为对 Linux 系统存在的风险，但也因为潜在的其他问题。”
+
+其他问题可能包括一种触发调用易受攻击的 glibc 库 getaddrinfo() 的基于电子邮件攻击的风险。另外值得注意的是，该漏洞被发现之前已存在于代码之中多年。
+
+谷歌的工程师不是第一或唯一发现 glibc 中的安全风险的团体。这个问题于 2015 年 7 月 13 日首先被报告给了 glibc 的 bug[跟踪系统](https://sourceware.org/bugzilla/show_bug.cgi?id=1866)。该缺陷的根源可以更进一步追溯到在 2008 五月发布的 glibc 2.9 的代码提交时首次引入缺陷。
+
+Linux 厂商红帽也独立找到了 glibc 中的这个 bug，而且在 2016 年 1 月 6 日，谷歌和红帽开发人员证实，他们作为最初与上游 glibc 的维护者私下讨论的部分人员，已经独立在为同一个漏洞工作。
+
+红帽产品安全首席软件工程师 Florian Weimer 告诉 eWEEK “一旦确认了两个团队都在为同一个漏洞工作，我们合作进行可能的修复，缓解措施和回归测试，我们还共同努力，使测试覆盖尽可能广，捕捉代码中的任何相关问题，以帮助避免今后更多问题。”
+
+由于缺陷不明显或不易立即显现，我们花了几年时间才发现 glibc 代码有一个安全问题。
+
+Weimer 说“要诊断一个网络组件的漏洞，如 DNS 解析器，当遇到问题时通常要看被抓数据包的踪迹，在这种情况下这样的抓包不适用，所以需要一些实验来重现触发这个 bug 的确切场景。”
+
+Weimer 补充说，一旦可以抓取数据包，大量精力投入到验证修复程序中，最终导致回归测试套件一系列的改进，有助于上游 glibc 项目。
+
+在许多情况下，安全增强式 Linux (SELinux) 的强制访问安全控制可以减少潜在漏洞风险，除了这个 glibc 的新问题。
+
+Weimer 说“由于攻击者提供的任意代码的执行，风险是重要系统功能的一个妥协。一个合适的 SELinux 策略可以遏制一些攻击者可能会做的损害，并限制他们访问系统，但是 DNS 被许多应用程序和系统组件使用，所以 SELinux 策略只提供了针对此问题有限的遏制。”
+
+在揭露漏洞的今天，现在有一个可用的补丁来减少 CVE-2015-7547 的潜在风险。
+
+------------------------------------------------------------------------------
+
+via: http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html
+
+作者：[Michael Kerner][a]
+译者：[robot527](https://github.com/robot527)
+校对：[校对者 ID](https://github.com/校对者 ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译，[Linux 中国](https://linux.cn/) 荣誉推出
+
+[a]:https://twitter.com/TechJournalist