Platforms affected:
- OSMC for Raspberry Pi (all models)
- OSMC for Apple TV
- OSMC for Vero (all models)
A number of security vulnerabilities [1] [2] [3] [4] have been discovered in the GNU C Library, glibc. These vulnerabilities are considered critical.
Particularly noteworthy is CVE-2015-7547 [1], which can allow a malicious DNS server to manipulate a response causing a stack-based buffer overflow in glibc, and in turn, the potential for arbitrary code execution. Those using non-standard DNS servers as an attempt to avoid geoblocking are at an increased risk.
These vulnerabilities have been fixed in upstream Debian and OSMC have now included these fixes as an update. We recommend you update your device immediately. This can be done by going to My OSMC -> Updates -> Check for Updates. After updating, your system should report OSMC 2016.01-2 as the version in My OSMC.
Although OSMC has a monthly update cycle, OSMC makes critical bug fixes and fixes for security vulnerabilities immediately available. You can learn more about OSMC’s update cycle and about keeping your system up to date here.
[1] CVE-2015-7547[2] CVE-2015-8776
[3] CVE-2015-8778
[4] CVE-2015-8779