Executive Summary
Summary | |
---|---|
Title | glibc security and bug fix update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:0769 | First vendor Publication | 2013-04-24 |
Vendor | RedHat | Last vendor Modification | 2013-04-24 |
Severity (Vendor) | Low | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash. (CVE-2013-1914) A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash. (CVE-2013-0242) This update also fixes the following bugs: * The improvements RHSA-2012:1207 made to the accuracy of floating point functions in the math library caused performance regressions for those functions. The performance regressions were analyzed and a fix was applied that retains the current accuracy but reduces the performance penalty to acceptable levels. Refer to Red Hat Knowledge solution 229993, linked to in the References, for further information. (BZ#950535) * It was possible that a memory location freed by the localization code could be accessed immediately after, resulting in a crash. The fix ensures that the application does not crash by avoiding the invalid memory access. (BZ#951493) Users of glibc are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 905874 - CVE-2013-0242 glibc: Buffer overrun (DoS) in regexp matcher by processing multibyte characters 947882 - CVE-2013-1914 glibc: Stack (frame) overflow in getaddrinfo() when processing entry mapping to long list of address structures |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-0769.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:25931 | |||
Oval ID: | oval:org.mitre.oval:def:25931 | ||
Title: | SUSE-SU-2013:0858-1 -- Security update for glibc | ||
Description: | This collective update for the GNU C library (glibc) provides the following fixes: * Fix stack overflow in getaddrinfo with many results (bnc#813121, CVE-2013-1914) * Fix locking in _IO_cleanup (bnc#796982) * Fix buffer overflow in glob (bnc#691365) * Fix memory leak in execve (bnc#805899) Security Issue reference: * CVE-2013-1914 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0858-1 CVE-2013-1914 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 10 | Product(s): | glibc |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27367 | |||
Oval ID: | oval:org.mitre.oval:def:27367 | ||
Title: | DEPRECATED: ELSA-2013-0769 -- glibc security and bug fix update (low) | ||
Description: | [2.5-107.4] - Add missing patch to avoid use after free (#816647). [2.5-107.3] - Fix multibyte character processing crash in regexp (CVE-2013-0242, #951130) - Fix getaddrinfo stack overflow resulting in application crash (CVE-2013-1914, #951130) [2.5-107.2] - Call feraiseexcept only if exceptions are not masked (#861871). | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0769 CVE-2013-0242 CVE-2013-1914 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | glibc |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-09-18 | IAVM : 2014-B-0126 - Multiple Vulnerabilities in VMware ESXi 5.5 Severity : Category I - VMSKEY : V0054325 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-12-30 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0008_remote.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1128-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1122-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1287-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1251-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0858-1.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-165.nasl - Type : ACT_GATHER_INFO |
2015-03-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201503-04.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0024.nasl - Type : ACT_GATHER_INFO |
2015-02-02 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0023.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323231_remote.nasl - Type : ACT_GATHER_INFO |
2014-12-12 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0017.nasl - Type : ACT_GATHER_INFO |
2014-11-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1605.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1527.nasl - Type : ACT_GATHER_INFO |
2014-10-09 | Name : The remote VMware ESXi 5.5 host is affected by multiple vulnerabilities. File : vmware_esxi_5_5_build_2068190_remote.nasl - Type : ACT_GATHER_INFO |
2014-09-11 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0008.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-723.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-270.nasl - Type : ACT_GATHER_INFO |
2013-12-10 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-130917.nasl - Type : ACT_GATHER_INFO |
2013-12-10 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-130913.nasl - Type : ACT_GATHER_INFO |
2013-12-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131121_glibc_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-11-27 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1605.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-283.nasl - Type : ACT_GATHER_INFO |
2013-11-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1605.nasl - Type : ACT_GATHER_INFO |
2013-10-22 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1991-1.nasl - Type : ACT_GATHER_INFO |
2013-08-22 | Name : The remote Fedora host is missing a security update. File : fedora_2013-15053.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0769.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_glibc-8579.nasl - Type : ACT_GATHER_INFO |
2013-06-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-4174.nasl - Type : ACT_GATHER_INFO |
2013-05-08 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-163.nasl - Type : ACT_GATHER_INFO |
2013-04-26 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0769.nasl - Type : ACT_GATHER_INFO |
2013-04-26 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130424_glibc_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-04-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0769.nasl - Type : ACT_GATHER_INFO |
2013-04-01 | Name : The remote Fedora host is missing a security update. File : fedora_2013-4100.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:10 |
|
2013-04-30 13:20:25 |
|
2013-04-24 21:18:28 |
|