Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2015:168 | First vendor Publication | 2015-03-30 |
Vendor | Mandriva | Last vendor Modification | 2015-03-30 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Updated glibc packages fix security vulnerabilities: Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with .. components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there (CVE-2014-0475). David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where posix_spawn_file_actions_addopen fails to copy the path argument (glibc bz #17048) which can, in conjunction with many common memory management techniques from an application, lead to a use after free, or other vulnerabilities (CVE-2014-4043). This update also fixes the following issues: x86: Disable x87 inline functions for SSE2 math (glibc bz #16510) malloc: Fix race in free() of fastbin chunk (glibc bz #15073) Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution. This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose (CVE-2014-5119). Adhemerval Zanella Netto discovered out-of-bounds reads in additional code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364) that can be used to crash the systems, causing a denial of service conditions (CVE-2014-6040). The function wordexp() fails to properly handle the WRDE_NOCMD flag when processing arithmetic inputs in the form of "$((... ))" where "..." can be anything valid. The backticks in the arithmetic epxression are evaluated by in a shell even if WRDE_NOCMD forbade command substitution. This allows an attacker to attempt to pass dangerous commands via constructs of the above form, and bypass the WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817). The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not properly restrict the use of the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers (CVE-2012-3406). The nss_dns implementation of getnetbyname could run into an infinite loop if the DNS response contained a PTR record of an unexpected format (CVE-2014-9402). Also glibc lock elision (new feature in glibc 2.18) has been disabled as it can break glibc at runtime on newer Intel hardware (due to hardware bug) Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer (CVE-2015-1472). The incorrect use of "__libc_use_alloca (newsize)" caused a different (and weaker) policy to be enforced which could allow a denial of service attack (CVE-2015-1473). |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:168 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
11 % | CWE-399 | Resource Management Errors |
11 % | CWE-264 | Permissions, Privileges, and Access Controls |
11 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
11 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
11 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
11 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21252 | |||
Oval ID: | oval:org.mitre.oval:def:21252 | ||
Title: | RHSA-2012:1098: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1098-01 CESA-2012:1098 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 28 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21515 | |||
Oval ID: | oval:org.mitre.oval:def:21515 | ||
Title: | RHSA-2012:1097: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:1097-00 CESA-2012:1097 CVE-2012-3406 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22825 | |||
Oval ID: | oval:org.mitre.oval:def:22825 | ||
Title: | ELSA-2012:1097: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1097-00 CVE-2012-3406 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23014 | |||
Oval ID: | oval:org.mitre.oval:def:23014 | ||
Title: | ELSA-2012:1098: glibc security and bug fix update (Moderate) | ||
Description: | The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:1098-01 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 17 |
Platform(s): | Oracle Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24848 | |||
Oval ID: | oval:org.mitre.oval:def:24848 | ||
Title: | DSA-2976-1 -- eglibc - security update | ||
Description: | Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2976-1 CVE-2014-0475 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25541 | |||
Oval ID: | oval:org.mitre.oval:def:25541 | ||
Title: | SUSE-SU-2014:0920-1 -- Security update for glibc | ||
Description: | glibc has been updated to fix one security issue that could have resulted in free-after-use situations. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0920-1 CVE-2014-4043 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25837 | |||
Oval ID: | oval:org.mitre.oval:def:25837 | ||
Title: | USN-2328-1 -- eglibc vulnerability | ||
Description: | Certain applications could be made to crash or run programs as an administrator. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2328-1 CVE-2014-5119 CVE-2014-0475 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26211 | |||
Oval ID: | oval:org.mitre.oval:def:26211 | ||
Title: | USN-2306-1 -- eglibc vulnerabilities | ||
Description: | Several security issues were fixed in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-1 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26388 | |||
Oval ID: | oval:org.mitre.oval:def:26388 | ||
Title: | RHSA-2014:1110: glibc security update (Important) | ||
Description: | The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1110-00 CESA-2014:1110 CVE-2014-0475 CVE-2014-5119 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 CentOS Linux 5 CentOS Linux 6 CentOS Linux 7 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26402 | |||
Oval ID: | oval:org.mitre.oval:def:26402 | ||
Title: | USN-2306-2 -- eglibc regression | ||
Description: | USN-2306-1 introduced a regression in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-2 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26688 | |||
Oval ID: | oval:org.mitre.oval:def:26688 | ||
Title: | DSA-3012-1 eglibc - security update | ||
Description: | Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-3012-1 CVE-2014-5119 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26728 | |||
Oval ID: | oval:org.mitre.oval:def:26728 | ||
Title: | USN-2306-3 -- eglibc regression | ||
Description: | USN-2306-1 introduced a regression in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-3 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26789 | |||
Oval ID: | oval:org.mitre.oval:def:26789 | ||
Title: | SUSE-SU-2014:1125-1 -- Security update for glibc | ||
Description: | This glibc update fixes a critical privilege escalation problem and two non-security issues: * bnc#892073: An off-by-one error leading to a heap-based buffer overflow was found in __gconv_translit_find(). An exploit that targets the problem is publicly available. (CVE-2014-5119) * bnc#892065: setenv-alloca.patch: Avoid unbound alloca in setenv. * bnc#888347: printf-multibyte-format.patch: Don't parse %s format argument as multi-byte string. Security Issues: * CVE-2014-5119 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1125-1 CVE-2014-5119 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26792 | |||
Oval ID: | oval:org.mitre.oval:def:26792 | ||
Title: | SUSE-SU-2014:1027-1 -- Security update for glibc | ||
Description: | This glibc update contains one security and two non security fixes. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1027-1 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26797 | |||
Oval ID: | oval:org.mitre.oval:def:26797 | ||
Title: | SUSE-SU-2014:1213-1 -- Security update for bash | ||
Description: | ash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Security Issues: * CVE-2014-6271 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1213-1 CVE-2014-6271 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 11 | Product(s): | bash |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26821 | |||
Oval ID: | oval:org.mitre.oval:def:26821 | ||
Title: | SUSE-SU-2014:1214-1 -- Security update for bash | ||
Description: | ash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Additionally, the following bugs have been fixed: * Avoid possible buffer overflow when expanding the /dev/fd prefix with e.g. the test built-in. (CVE-2012-3410) * Enable workaround for changed behavior of sshd. (bnc#688469) Security Issues: * CVE-2014-6271 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271> * CVE-2012-3410 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1214-1 CVE-2014-6271 CVE-2012-3410 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | bash |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26978 | |||
Oval ID: | oval:org.mitre.oval:def:26978 | ||
Title: | DEPRECATED: SUSE-SU-2014:1027-1 -- Security update for glibc | ||
Description: | This glibc update contains one security and two non security fixes. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1027-1 CVE-2014-0475 | Version: | 4 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27192 | |||
Oval ID: | oval:org.mitre.oval:def:27192 | ||
Title: | ELSA-2014-1110 -- glibc security update (important) | ||
Description: | An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-5119) A directory traveral flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application. (CVE-2014-0475) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1110 CVE-2014-0475 CVE-2014-5119 | Version: | 3 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27827 | |||
Oval ID: | oval:org.mitre.oval:def:27827 | ||
Title: | DEPRECATED: ELSA-2012-1098 -- glibc security and bug fix update (moderate) | ||
Description: | [2.12-1.80.el6_3.3] - Fix incorrect/corrupt patchfile for 833716. Did not affect generated code, but tests were missing (#833716). [2.12-1.80.el6_3.2] - Fix regression after patch for BZ804630 (#837026). [2.12-1.80.el6_3.1] - Fixes an unbound alloca and related problems. (#833716) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1098 CVE-2012-3404 CVE-2012-3405 CVE-2012-3406 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27845 | |||
Oval ID: | oval:org.mitre.oval:def:27845 | ||
Title: | DEPRECATED: ELSA-2012-1097 -- glibc security and bug fix update (moderate) | ||
Description: | [2.5-81.el5_8.4] - Fix iconv() segfault if the invalid multibyte character 0xffff is input when converting from IBM930 (#837896) [2.5-81.el5_8.3] - Fix unbound alloca in vfprintf (#833720) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-1097 CVE-2012-3406 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28047 | |||
Oval ID: | oval:org.mitre.oval:def:28047 | ||
Title: | USN-2432-1 -- GNU C Library vulnerabilities | ||
Description: | Siddhesh Poyarekar discovered that the GNU C Library incorrectly handled certain multibyte characters when using the iconv function. An attacker could possibly use this issue to cause applications to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-6656">CVE-2012-6656</a>) Adhemerval Zanella Netto discovered that the GNU C Library incorrectly handled certain multibyte characters when using the iconv function. An attacker could possibly use this issue to cause applications to crash, resulting in a denial of service. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-6040">CVE-2014-6040</a>) Tim Waugh discovered that the GNU C Library incorrectly enforced the WRDE_NOCMD flag when handling the wordexp function. An attacker could possibly use this issue to execute arbitrary commands. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-7817">CVE-2014-7817</a>) | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2432-1 CVE-2012-6656 CVE-2014-6040 CVE-2014-7817 | Version: | 5 |
Platform(s): | Ubuntu 14.10 Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | eglibc glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28088 | |||
Oval ID: | oval:org.mitre.oval:def:28088 | ||
Title: | ELSA-2014-2023 -- glibc security and bug fix update (moderate) | ||
Description: | [2.17-55.0.4.el7_0.3] - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. (Jose E. Marchesi) [2.17-55.3] - Fix wordexp() to honour WRDE_NOCMD (CVE-2014-7817, #1170118) [2.17-55.2] - ftell: seek to end only when there are unflushed bytes (#1170187). [2.17-55.1] - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-2023 CVE-2014-7817 | Version: | 3 |
Platform(s): | Oracle Linux 7 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28439 | |||
Oval ID: | oval:org.mitre.oval:def:28439 | ||
Title: | RHSA-2014:2023 -- glibc security and bug fix update (Moderate) | ||
Description: | The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was found that the wordexp() function would perform command substitution even when the WRDE_NOCMD flag was specified. An attacker able to provide specially crafted input to an application using the wordexp() function, and not sanitizing the input correctly, could potentially use this flaw to execute arbitrary commands with the credentials of the user running that application. (CVE-2014-7817) This issue was discovered by Tim Waugh of the Red Hat Developer Experience Team. This update also fixes the following bug: * Prior to this update, if a file stream that was opened in append mode and its underlying file descriptor were used at the same time and the file was truncated using the ftruncate() function on the file descriptor, a subsequent ftell() call on the stream incorrectly modified the file offset by seeking to the new end of the file. This update ensures that ftell() modifies the state of the file stream only when it is in append mode and its buffer is not empty. As a result, the described incorrect changes to the file offset no longer occur. (BZ#1170187) All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:2023 CESA-2014:2023 CVE-2014-7817 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 7 CentOS Linux 7 | Product(s): | glibc |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2014-08-27 | glibc Off-by-One NUL Byte gconv_translit_find Exploit |
OpenVAS Exploits
Date | Description |
---|---|
2012-12-27 | Name : VMSA-2012-0018: VMware security updates for vCSA and ESXi File : nvt/gb_VMSA-2012-0018.nasl |
2012-12-18 | Name : Ubuntu Update for glibc USN-1589-2 File : nvt/gb_ubuntu_USN_1589_2.nasl |
2012-10-03 | Name : Ubuntu Update for eglibc USN-1589-1 File : nvt/gb_ubuntu_USN_1589_1.nasl |
2012-08-30 | Name : Fedora Update for glibc FEDORA-2012-11508 File : nvt/gb_fedora_2012_11508_glibc_fc17.nasl |
2012-07-30 | Name : CentOS Update for glibc CESA-2012:1097 centos5 File : nvt/gb_CESA-2012_1097_glibc_centos5.nasl |
2012-07-30 | Name : CentOS Update for glibc CESA-2012:1098 centos6 File : nvt/gb_CESA-2012_1098_glibc_centos6.nasl |
2012-07-19 | Name : RedHat Update for glibc RHSA-2012:1097-01 File : nvt/gb_RHSA-2012_1097-01_glibc.nasl |
2012-07-19 | Name : RedHat Update for glibc RHSA-2012:1098-01 File : nvt/gb_RHSA-2012_1098-01_glibc.nasl |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-02-12 | IAVM : 2015-A-0038 - Multiple Vulnerabilities in GNU C Library (glibc) Severity : Category I - VMSKEY : V0058753 |
2015-01-22 | IAVM : 2015-B-0007 - Multiple Vulnerabilities in Juniper Secure Analytics (JSA) and Security Threa... Severity : Category I - VMSKEY : V0058213 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-12-18 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16365.nasl - Type : ACT_GATHER_INFO |
2018-10-26 | Name : The remote EulerOS Virtualization host is missing multiple security updates. File : EulerOS_SA-2018-1344.nasl - Type : ACT_GATHER_INFO |
2018-09-18 | Name : The remote EulerOS Virtualization host is missing a security update. File : EulerOS_SA-2018-1272.nasl - Type : ACT_GATHER_INFO |
2018-05-11 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2018-1017.nasl - Type : ACT_GATHER_INFO |
2018-04-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2018-0805.nasl - Type : ACT_GATHER_INFO |
2017-08-08 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2017-1146.nasl - Type : ACT_GATHER_INFO |
2017-08-08 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2017-1147.nasl - Type : ACT_GATHER_INFO |
2016-02-19 | Name : The remote Red Hat host is potentially affected by a denial of service vulner... File : redhat-CVE-2014-9402.nasl - Type : ACT_GATHER_INFO |
2016-02-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201602-02.nasl - Type : ACT_GATHER_INFO |
2016-02-17 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2016-0013.nasl - Type : ACT_GATHER_INFO |
2016-02-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2589.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151119_glibc_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-12-15 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-617.nasl - Type : ACT_GATHER_INFO |
2015-12-02 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2199.nasl - Type : ACT_GATHER_INFO |
2015-11-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2199.nasl - Type : ACT_GATHER_INFO |
2015-11-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2199.nasl - Type : ACT_GATHER_INFO |
2015-09-18 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16010.nasl - Type : ACT_GATHER_INFO |
2015-09-17 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16435.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-544.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2012-1488-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1251-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1119-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1122-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1128-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1129-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0164-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0167-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0170-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0526-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0550-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0551-1.nasl - Type : ACT_GATHER_INFO |
2015-04-06 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16364.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-168.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-122.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-165.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-43.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-97.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150305_glibc_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-03-25 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-495.nasl - Type : ACT_GATHER_INFO |
2015-03-18 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0327.nasl - Type : ACT_GATHER_INFO |
2015-03-10 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0327.nasl - Type : ACT_GATHER_INFO |
2015-03-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201503-04.nasl - Type : ACT_GATHER_INFO |
2015-03-06 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-150226.nasl - Type : ACT_GATHER_INFO |
2015-03-05 | Name : The remote Fedora host is missing a security update. File : fedora_2015-2837.nasl - Type : ACT_GATHER_INFO |
2015-03-05 | Name : The remote Fedora host is missing a security update. File : fedora_2015-2845.nasl - Type : ACT_GATHER_INFO |
2015-03-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0327.nasl - Type : ACT_GATHER_INFO |
2015-02-27 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-173.nasl - Type : ACT_GATHER_INFO |
2015-02-27 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2519-1.nasl - Type : ACT_GATHER_INFO |
2015-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3169.nasl - Type : ACT_GATHER_INFO |
2015-02-11 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-150129.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0023.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0024.nasl - Type : ACT_GATHER_INFO |
2015-01-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3142.nasl - Type : ACT_GATHER_INFO |
2015-01-09 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-468.nasl - Type : ACT_GATHER_INFO |
2015-01-09 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0003.nasl - Type : ACT_GATHER_INFO |
2015-01-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0016.nasl - Type : ACT_GATHER_INFO |
2015-01-08 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0016.nasl - Type : ACT_GATHER_INFO |
2015-01-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0016.nasl - Type : ACT_GATHER_INFO |
2015-01-08 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150107_glibc_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-12-22 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-2023.nasl - Type : ACT_GATHER_INFO |
2014-12-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20141218_glibc_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2014-12-19 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-2023.nasl - Type : ACT_GATHER_INFO |
2014-12-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-2023.nasl - Type : ACT_GATHER_INFO |
2014-12-04 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2432-1.nasl - Type : ACT_GATHER_INFO |
2014-11-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-232.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0017.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0033.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1185.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2012-1200.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1118.nasl - Type : ACT_GATHER_INFO |
2014-10-24 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-296-01.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9830.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-399.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-400.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-175.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-536.nasl - Type : ACT_GATHER_INFO |
2014-09-09 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-3.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-29 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9824.nasl - Type : ACT_GATHER_INFO |
2014-08-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2328-1.nasl - Type : ACT_GATHER_INFO |
2014-08-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3012.nasl - Type : ACT_GATHER_INFO |
2014-08-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-152.nasl - Type : ACT_GATHER_INFO |
2014-08-06 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-2.nasl - Type : ACT_GATHER_INFO |
2014-08-05 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-1.nasl - Type : ACT_GATHER_INFO |
2014-07-20 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-140701.nasl - Type : ACT_GATHER_INFO |
2014-07-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2976.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities. File : vmware_esxi_5_0_build_912577_remote.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.1 host is affected by multiple security vulnerabilit... File : vmware_esxi_5_1_build_1063671_remote.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-109.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-121129.nasl - Type : ACT_GATHER_INFO |
2012-12-24 | Name : The remote VMware ESXi host is missing one or more security-related patches. File : vmware_VMSA-2012-0018.nasl - Type : ACT_GATHER_INFO |
2012-12-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1589-2.nasl - Type : ACT_GATHER_INFO |
2012-11-19 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_glibc-8351.nasl - Type : ACT_GATHER_INFO |
2012-10-02 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1589-1.nasl - Type : ACT_GATHER_INFO |
2012-08-16 | Name : The remote Fedora host is missing a security update. File : fedora_2012-11508.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120718_glibc_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120718_glibc_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-07-20 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1097.nasl - Type : ACT_GATHER_INFO |
2012-07-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1098.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-04-08 17:29:17 |
|
2015-03-31 13:29:48 |
|
2015-03-30 13:30:08 |
|