A very serious glibc vulnerability was announced on the 27th of January by Qualys researchers, and CVE-2015-0235 has been assigned to this issue. The vulnerability is based on a buffer overflow in the library's internal function __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc functions.
Is WordPress affected?
WordPress core PHP code could be affected by this vulnerability through PHP's gethostbyname() wrapper function, which is used in the ftp_base class and in the wp_http_validate_url() function, which in turn is used to validate every pingback's post URL. Check the following code fragment taken from the WordPress wp-includes/http.php file:
if ( ! $same_host ) {
    $host = trim( $parsed_url['host'], '.' );
    if ( preg_match( '#^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$#', $host ) ) {
        // Dotted-quad literal: used as-is, no resolver call needed.
        $ip = $host;
    } else {
        // Any other host string from the pingback URL is handed straight to
        // gethostbyname(), i.e. to glibc's resolver code.
        $ip = gethostbyname( $host );
        if ( $ip === $host ) // Error condition for gethostbyname()
            $ip = false;
    }
    // ... remainder of the check omitted in this fragment ...
}
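As an added example (not WordPress core or Pressidium code), a hypothetical defence-in-depth wrapper around the code path above: it validates the hostname syntactically before gethostbyname() is ever called, so an overlong host string taken from an untrusted pingback URL never reaches the resolver. The function names are assumptions; the 253-byte and 63-byte limits are the RFC 1123 hostname limits, and the overflow in CVE-2015-0235 needs a hostname far longer than that.

```php
<?php
// Added example, not WordPress core code. Hypothetical helper that validates a
// hostname before it is handed to gethostbyname(). A hostname that obeys the
// RFC 1123 limits (at most 253 bytes in total, labels of 1-63 characters made of
// letters, digits and hyphens, not starting or ending with a hyphen) is far too
// short to trigger CVE-2015-0235, so rejecting anything else before the resolver
// is called removes this code path from the attack surface even on a host whose
// glibc has not yet been patched.

function pressidium_example_is_valid_hostname( $host ) {
    // Overall length limit, counted in bytes (hostnames are ASCII).
    if ( ! is_string( $host ) || $host === '' || strlen( $host ) > 253 ) {
        return false;
    }
    // Each label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
    $label = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?';
    return (bool) preg_match( "#^$label(?:\\.$label)*$#", $host );
}

function pressidium_example_resolve_host( $host ) {
    $host = trim( $host, '.' );
    // Literal IPv4 addresses need no resolver call at all; this check is stricter
    // than the \d{1,3} regex in the WordPress fragment, which also accepts 999.1.1.1.
    if ( filter_var( $host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) !== false ) {
        return $host;
    }
    if ( ! pressidium_example_is_valid_hostname( $host ) ) {
        // Syntactically invalid hostname: never hand it to gethostbyname().
        return false;
    }
    $ip = gethostbyname( $host );
    // gethostbyname() returns its argument unchanged on failure.
    return ( $ip === $host ) ? false : $ip;
}

// Constructed inputs: a normal hostname, an IPv4 literal, and a string that
// exceeds the 253-byte limit and is therefore rejected before any resolver call.
var_dump( pressidium_example_is_valid_hostname( 'example.com' ) );
var_dump( pressidium_example_is_valid_hostname( str_repeat( 'a', 300 ) ) );
var_dump( pressidium_example_resolve_host( '192.0.2.10' ) );
var_dump( pressidium_example_resolve_host( str_repeat( 'a', 300 ) . '.example' ) );
```

This is a mitigation at the application layer only; the actual fix is the patched glibc package, which is what the check described below verifies.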
Are Pressidium customers affected?
Short answer: NO 🙂
At Pressidium, we take security very seriously, and as such, after the vulnerability was publicly announced we immediately carried out an internal check on our infrastructure to make sure that the glibc library version being used on our servers is not affected by this security vulnerability.

Our checks concluded that all of our systems are using a glibc version which is already patched and secured against this buffer overflow. The Pressidium® Pinnacle Platform and all of our customers' WordPress websites are not affected by this serious vulnerability.
Job done.