Ubuntu Server fans might want to check this out.

kc1di



Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by default in Ubuntu Linux since version 21.04, which were introduced over 10 years ago.

The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8.

Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.

 
Just my two cents on this, I hope Brian does not mind.

The article from BC (Bleeping Computer) should not strike fear into the hearts of most users.

While the threat is real, it may not affect most, if not all, of our Members and Users.

It does not affect Linux Mint users, unless you have actively installed the package needrestart.

For all users of Debian-based distros, you can check with

Code:
apt policy needrestart

You may find in the output a couple of references to needrestart, needrestart.mo, needrestart-session, even a desktop file, but these are provided should you actively have chosen to use needrestart on your computer.

Unless you have the actual binary file, /usr/sbin/needrestart, you have no need for concern.

It does not ship installed with Ubuntu Desktop and its community flavours. I cannot speak for Ubuntu Server, by all means check.

If Ubuntu users find

/usr/sbin/needrestart

has been installed on your computer, and you did not do so actively, then it may have been suggested and installed by the package

unattended-upgrades

(which I disable on all my 'buntu-based distros when I first install, if it is present)

needrestart can also be used in Debian, Fedora, and Arch, so it is worth checking in those distros, and keep current with updates.

HTH

Wizard

Avagudweegend
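
The check described in the post above, written out as a script. This is an added example and not part of the original thread: it looks for the /usr/sbin/needrestart binary and compares the installed package's upstream version with 3.8, the fixed release named in the quoted article. The function names and result labels are this example's own, and because a distribution may ship the fix as a backport under an older version number, a result of installed-check-advisory means "look at your distro's security notice", not "vulnerable".

```shell
#!/bin/sh
# Added example: triage one host for the needrestart issues discussed above.
# 3.8 is the fixed release named in the quoted article; names here are ours.
FIXED_MAJOR=3
FIXED_MINOR=8

# Strip a Debian epoch ("1:") and package revision ("-7ubuntu4") from a version.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# Succeed (return 0) when the upstream part of $1 is older than 3.8.
is_older_than_fix() {
    up=$(upstream_version "$1")
    major=${up%%.*}
    major=${major%%[!0-9]*}
    case $up in
        *.*) rest=${up#*.}; minor=${rest%%[!0-9]*} ;;
        *)   minor=0 ;;
    esac
    if [ "${major:-0}" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "${major:-0}" -gt "$FIXED_MAJOR" ]; then return 1; fi
    [ "${minor:-0}" -lt "$FIXED_MINOR" ]
}

# classify <binary present: yes|no> <package version, may be empty>
classify() {
    if [ "$1" != yes ]; then echo "not-installed"; return 0; fi
    if [ -z "$2" ]; then echo "installed-unknown-version"; return 0; fi
    if is_older_than_fix "$2"; then
        echo "installed-check-advisory"   # may still be patched by a backport
    else
        echo "installed-fixed-upstream"
    fi
}

# Inspect the live host; the version lookup needs dpkg (Debian-based systems).
check_host() {
    present=no
    if [ -x /usr/sbin/needrestart ]; then present=yes; fi
    ver=""
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null || true)
    fi
    classify "$present" "$ver"
}

check_host
```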
 
That lends a perspective for all members, which I was far from being aware of!

Thanks Chris.
 
Welcome - that's how I read it, I could be wrong.

I was wrong with Pharaoh Khufu 3,000 years ago - I told him his burial tomb would look better block-shaped, he went for pyramid. He was right, it looks better.

Cheers

Wizard
(I also backed the Redcoats in the American War of Independence - the less said about that, the better).
 
How does needrestarting compare to needs-restarting in openSUSE Leap 15.5? On all of my Ubuntu machines there is not an install of needrestarting, nor on my Linux Mint machines. Just making sure my openSUSE machine is good. Another thought: the Ubuntu machines do contain unattended-upgrades and unattended-upgrade. Should I be ready to remove them?
 
