Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2014:152 | First vendor Publication | 2014-08-06 |
Vendor | Mandriva | Last vendor Modification | 2014-08-06 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Updated glibc packages fix security issues: Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with .. components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there (CVE-2014-0475). David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where posix_spawn_file_actions_addopen fails to copy the path argument (glibc bz #17048) which can, in conjunction with many common memory management techniques from an application, lead to a use after free, or other vulnerabilities (CVE-2014-4043). |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:152 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
50 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24848 | |||
Oval ID: | oval:org.mitre.oval:def:24848 | ||
Title: | DSA-2976-1 -- eglibc - security update | ||
Description: | Stephane Chazelas discovered that the GNU C library, glibc, processed ".." path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2976-1 CVE-2014-0475 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25541 | |||
Oval ID: | oval:org.mitre.oval:def:25541 | ||
Title: | SUSE-SU-2014:0920-1 -- Security update for glibc | ||
Description: | glibc has been updated to fix one security issue that could have resulted in free-after-use situations. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0920-1 CVE-2014-4043 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25837 | |||
Oval ID: | oval:org.mitre.oval:def:25837 | ||
Title: | USN-2328-1 -- eglibc vulnerability | ||
Description: | Certain applications could be made to crash or run programs as an administrator. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2328-1 CVE-2014-5119 CVE-2014-0475 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26211 | |||
Oval ID: | oval:org.mitre.oval:def:26211 | ||
Title: | USN-2306-1 -- eglibc vulnerabilities | ||
Description: | Several security issues were fixed in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-1 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26402 | |||
Oval ID: | oval:org.mitre.oval:def:26402 | ||
Title: | USN-2306-2 -- eglibc regression | ||
Description: | USN-2306-1 introduced a regression in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-2 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26728 | |||
Oval ID: | oval:org.mitre.oval:def:26728 | ||
Title: | USN-2306-3 -- eglibc regression | ||
Description: | USN-2306-1 introduced a regression in the GNU C Library. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2306-3 CVE-2013-4357 CVE-2013-4458 CVE-2014-0475 CVE-2014-4043 | Version: | 3 |
Platform(s): | Ubuntu 10.04 | Product(s): | eglibc |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26792 | |||
Oval ID: | oval:org.mitre.oval:def:26792 | ||
Title: | SUSE-SU-2014:1027-1 -- Security update for glibc | ||
Description: | This glibc update contains one security and two non security fixes. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1027-1 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26797 | |||
Oval ID: | oval:org.mitre.oval:def:26797 | ||
Title: | SUSE-SU-2014:1213-1 -- Security update for bash | ||
Description: | ash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Security Issues: * CVE-2014-6271 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1213-1 CVE-2014-6271 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 11 | Product(s): | bash |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26821 | |||
Oval ID: | oval:org.mitre.oval:def:26821 | ||
Title: | SUSE-SU-2014:1214-1 -- Security update for bash | ||
Description: | ash has been updated to fix a critical security issue. In some circumstances, the shell would evaluate shellcode in environment variables passed at startup time. This allowed code execution by local or remote attackers who could pass environment variables to bash scripts. (CVE-2014-6271) Additionally, the following bugs have been fixed: * Avoid possible buffer overflow when expanding the /dev/fd prefix with e.g. the test built-in. (CVE-2012-3410) * Enable workaround for changed behavior of sshd. (bnc#688469) Security Issues: * CVE-2014-6271 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271> * CVE-2012-3410 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1214-1 CVE-2014-6271 CVE-2012-3410 CVE-2014-0475 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | bash |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26978 | |||
Oval ID: | oval:org.mitre.oval:def:26978 | ||
Title: | DEPRECATED: SUSE-SU-2014:1027-1 -- Security update for glibc | ||
Description: | This glibc update contains one security and two non security fixes. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1027-1 CVE-2014-0475 | Version: | 4 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | glibc |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201602-02.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-544.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0551-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0550-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0170-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0167-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1128-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1122-1.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-168.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-43.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-165.nasl - Type : ACT_GATHER_INFO |
2015-03-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201503-04.nasl - Type : ACT_GATHER_INFO |
2015-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3169.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0024.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0023.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0033.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0017.nasl - Type : ACT_GATHER_INFO |
2014-10-24 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-296-01.nasl - Type : ACT_GATHER_INFO |
2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9830.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-400.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-536.nasl - Type : ACT_GATHER_INFO |
2014-09-09 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-3.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1110.nasl - Type : ACT_GATHER_INFO |
2014-08-29 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2328-1.nasl - Type : ACT_GATHER_INFO |
2014-08-29 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9824.nasl - Type : ACT_GATHER_INFO |
2014-08-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-152.nasl - Type : ACT_GATHER_INFO |
2014-08-06 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-2.nasl - Type : ACT_GATHER_INFO |
2014-08-05 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2306-1.nasl - Type : ACT_GATHER_INFO |
2014-07-20 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-140701.nasl - Type : ACT_GATHER_INFO |
2014-07-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2976.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-10-08 09:28:05 |
|
2014-10-07 21:33:14 |
|
2014-08-08 13:24:51 |
|
2014-08-06 21:22:38 |
|