Mailing List Archive



[tlug] Chasing the GHOST in my machine



By now everyone has probably seen the GHOST security hole report? Well, here, or some other place on The Web?

http://www.zdnet.com/article/critical-linux-security-hole-found/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

According to the article, my Debian Wheezy (v.7.8) is vulnerable, but it provided a link to the bug report

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391

in which the author is told the issue is fixed. However, the "fix" seems to depend on a version number and I can't tell whether my version, which has now appeared on the "marked fixed" list, is _really_ repaired, or not. I changed my preferences for all from "stable" to "wheezy backports" as I thought I'd read that the latter were applied sooner. A new version of libc6 _did_ appear to be downloaded and installed, but I want to be sure this isn't wishful thinking.

In Debian, can patched and unpatched versions appear under the same version number? Is there a simple way to tell whether I have the patched version or still need to do something more (like download and run 2.19 from a Sid repository)?

Output:

# dpkg -l libc6

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                        Version Architecture       Description
+++-===========================-==================-==================-============================================================
ii libc6:amd64 2.13-38+deb7u7 amd64 Embedded GNU C Library: Shared libraries
ii libc6:i386 2.13-38+deb7u7 i386 Embedded GNU C Library: Shared libraries

... and 2.13-38+deb7u7 is now reported to be "patched"

It's a bitch when you know just enough to break everything and fix nothing.

--
CL

