GHOST vulnerability status update

Costas-Inter

Hello

 

Is there any progress regarding recent GHOST vulnerability regarding F-Secure products?

Are FSMSG and SRS affected and which versions?

 

And regarding Linux based products, is it safe to patch the Linux systems with glibc 2.18?

 

Any information available for informing our customers much appreciated

 

Thank you

Costas

gancal

Hello Costas,

 

My name is Calvin and I'm the primary contact for security vulnerabilities concerning F-Secure's products and services.

 

With regards to your inquiry, allow me to respond to you.

1. All supported version of F-Secure Messaging Security Gateway products are affected and we are currently working on releasing a patch which should be made available later today.
2. F-Secure Scanning Reputation Server Virtual Appliance (SRS VA) is also affected by this vulnerability and we are currently working on releasing an update.
3. Linux based products (IGK and Linux Security) are not affected, however we strongly advise users to update glibc from the operating system update channel when made available. There are no known compatibility issue with update glibc to the latest version.
4. We are in the midst of planning an advisory release and will keep everyone updated as soon as it is released.

If you have additional questions or concerns, please do not hesitate to reply and I will gladly assist you further.

 

Best Regards,

Calvin Gan

F-Secure Security Vulnerability Expert

Costas-Inter

OK

The security advisory on GHOST is out, but need some clarifications:

 

https://www.f-secure.com/en/web/labs_global/fsc-2015-1

 

It states as affected version:

F-SECURE INTERNET GATEKEEPER VIRTUAL APPLIANCE (IGK VA) 5.20

But then as action:Verify that the latest version of IGK VA is installed.

But the latest version available is 5.20. So is 5.20 vulnerable or not? Do we expect a 5.21 for patch?

 

The same clarification needed for SRS.

 

Someone from F-secure please?

 

 

gancal

Hello Costas,

 

Our apologies for the confusion caused from the security advisory. We will update the advisory with a more conscise information to avoid further confusion. In the meantime, here is the updated instructions for both IGK VA 5.20 and SRS VA 11.00.

 

1. Download and re-install the latest version of the appliance.
2. Verify the latest appliance version by opening the management console and checking the full version shown in the login screen:
   
   • IGK VA: 5.20.646.13
   • SRS ESXi: 11.00.556.166
   • SRS Hyper-V: 11.00.556.24
   • SRS XenServer: 11.00.556.76

Once again our sincerest apologies for the inconveniences caused. Please do inform me if you need further clarification. Have a good day!

 

Regards,

Calvin Gan

F-Secure Security Vulnerability Expert