Security issue for Concrete5?

Permalink
Does anyone know if this is an issue with Concrete5?

http://www.computerworld.com/article/2877900/ghost-flaw-in-linux-ca...

View Replies: View Best Answer
Mainio replied on at Permalink Best Answer Reply
Mainio
Always when a security vulnerability is disclosed, you should make sure that your system is not vulnerable to it. It has nothing to do with concrete5, the vulnerability is in your system (if the glibc version on your machine matches the vulnerable versions).

Although the article claims that this vulnerability can only be exploited by using the gethostbyname function in PHP, it does not guarantee that it's not exploitable through any other function. Specifically the concrete5 core does not take use of the gethostbyname function, the only reference to that is in the Zend's email validator that I believe is not used in concrete5. However, that function might be quite possibly used in some of your add-ons (or custom code), so you'll need to ask that specifically to each and every add-on or piece of custom code you're using on the site.

It is strongly suggested to check whether your server is running a vulnerable version of the glibc library and if it does, update it immidiately. It's better to be safe than guessing whether the vulnerability can be exploited through an application you're running.

If you're paying someone to host your site and you're not managing the server yourself, it's their job to make sure that the system is not vulnerable. If I were you, I would ask straight from the hosting company.

If you ARE running the server yourself, just follow the instructions provided in the article.
juliankauai replied on at Permalink Reply
Thank you. Excellent answer.