zdnet[.]com/article/patch-now-this-serious-linux-vulnerability-affects-nearly-all-distributions/
bleepingcomputer[.]com/news/security/exploits-released-for-linux-flaw-giving-root-on-major-distros/
bleepingcomputer[.]com/news/security/new-looney-tunables-linux-bug-gives-root-on-major-distros/
So, how bad is this really? To quote Saeed Abbasi, Qualys Threat Research Unit Product Manager, "This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security. … The ease with which the buffer overflow can be transformed into a data-only attack … could put countless systems at risk, especially given the extensive use of glibc across Linux distributions."
The good news is that Red Hat, Ubuntu, Debian, and Gentoo have all released their own updates. In addition, the upstream glibc code has been patched with the fix. If you can't patch it, Red Hat has a script that should work on most Linux systems to mitigate the problem by setting your system to terminate any setuid program invoked with GLIBC_TUNABLES in the environment.
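The mitigation described above rests on one rule: a setuid (or setgid) program should never be running with GLIBC_TUNABLES in its environment. The following Python audit, added here as an example and not Red Hat's script (which this page does not reproduce), applies that rule as a detection rather than a kill switch. It parses environments in the NUL-separated layout of `/proc/<pid>/environ`, checks the executable's mode bits for `S_ISUID`/`S_ISGID`, and reports matches. The `SAMPLE` process list is constructed for the demonstration; `collect_from_proc()` assumes a standard Linux `/proc` and silently skips processes whose environment the caller is not permitted to read (normally everything but your own processes unless run as root).

```python
"""Report setuid/setgid processes that carry GLIBC_TUNABLES in their environment.

Added example (not Red Hat's mitigation script). It only reports; the
operator decides what to do with the findings.
"""
import os
import stat
from dataclasses import dataclass

TUNABLES_VAR = b"GLIBC_TUNABLES"


@dataclass
class ProcessInfo:
    pid: int
    exe: str        # resolved path of the running executable
    mode: int       # st_mode of that executable (carries the setuid/setgid bits)
    environ: bytes  # raw NUL-separated environment, as in /proc/<pid>/environ


def parse_environ(raw: bytes) -> dict:
    """Split a /proc-style environ blob into {name: value}; malformed entries are dropped."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        name, sep, value = entry.partition(b"=")
        if sep:  # entries without '=' are not variables; ignore them
            env[name] = value
    return env


def is_privileged_binary(mode: int) -> bool:
    """True if the executable's mode has the setuid or setgid bit set."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_risky_processes(processes):
    """Return (pid, exe, tunables_value) for every privileged binary started with GLIBC_TUNABLES."""
    hits = []
    for p in processes:
        env = parse_environ(p.environ)
        if TUNABLES_VAR in env and is_privileged_binary(p.mode):
            hits.append((p.pid, p.exe, env[TUNABLES_VAR].decode(errors="replace")))
    return hits


def collect_from_proc(proc_root="/proc"):
    """Snapshot live processes from /proc (assumes Linux; unreadable entries are skipped)."""
    out = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            mode = os.stat(os.path.join(base, "exe")).st_mode  # follows the symlink to the binary
            with open(os.path.join(base, "environ"), "rb") as fh:
                environ = fh.read()
        except OSError:  # kernel threads, vanished PIDs, or no permission
            continue
        out.append(ProcessInfo(pid, exe, mode, environ))
    return out


# Constructed sample data: a benign-looking tunable value, two setuid binaries,
# one setgid binary and one ordinary binary. Only 101 and 104 should be reported.
SAMPLE = [
    ProcessInfo(101, "/usr/bin/su", 0o104755,
                b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=0\0"),
    ProcessInfo(102, "/usr/bin/ls", 0o100755,
                b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=0\0"),
    ProcessInfo(103, "/usr/bin/passwd", 0o104755,
                b"PATH=/usr/bin\0LANG=C\0"),
    ProcessInfo(104, "/usr/bin/wall", 0o102755,
                b"GLIBC_TUNABLES=glibc.malloc.mxfast=0\0TERM=xterm\0"),
]


if __name__ == "__main__":
    # Dry run on the constructed sample, then (best effort) on the live system.
    for pid, exe, value in find_risky_processes(SAMPLE):
        print(f"[sample] pid={pid} exe={exe} GLIBC_TUNABLES={value!r}")
    for pid, exe, value in find_risky_processes(collect_from_proc()):
        print(f"[live]   pid={pid} exe={exe} GLIBC_TUNABLES={value!r}")
```

Because the live scan depends on read access to other users' `/proc/<pid>/environ`, run it as root to get a complete picture; as an unprivileged user it reports only your own processes. On a patched glibc the check is harmless, and on an unpatched one any hit is worth investigating before the process is allowed to continue.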