Ranjivosti programske biblioteke glibc

Preporuke

by ncert - 4. ožujka 2015.4. ožujka 2015.0

Detalji os-a: FED
Važnost: IMP
Operativni sustavi: L
Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2015-2845
2015-02-28 06:50:52
——————————————————————————–

Name : glibc
Product : Fedora 20
Version : 2.18
Release : 19.fc20
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

——————————————————————————–
Update Information:

– Fix CVE-2014-6040: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)

– Fix CVE-2014-7817: command execution in wordexp() with WRDE_NOCMD specified
——————————————————————————–
ChangeLog:

* Fri Feb 27 2015 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-19
– wordexp fails to honour WRDE_NOCMD (CVE-2014-7817, #1167569).
* Mon Feb 23 2015 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-18
– Crashes on invalid input in IBM gconv modules (CVE-2014-6040, #1135842).
* Wed Oct 1 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-17
– Fix lll_unlock twice in pthread_cond_broadcast (#1104400).
* Fri Sep 26 2014 Carlos O’Donell <carlos@redhat.com> – 2.18-16
– Disable lock elision support for Intel hardware until microcode
updates can be done in early bootup (#1146967).
* Tue Aug 26 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-15
– Fix failing tst-setlocale3 (#rh1118581).
* Tue Aug 26 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-14
– Remove gconv transliteration loadable modules support (CVE-2014-5119,
– _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,
* Thu Feb 6 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-13
– Add pointer mangling support for ARM (#1019452).
* Thu Jan 23 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.18-12
– Use first name entry for address in /etc/hosts as the canonical name
in getaddrinfo (#1047979).
– Fix parsing of 0e+0 as float (#1055613).
——————————————————————————–
References:

[ 1 ] Bug #1157689 – CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
https://bugzilla.redhat.com/show_bug.cgi?id=1157689
[ 2 ] Bug #1135841 – CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
https://bugzilla.redhat.com/show_bug.cgi?id=1135841
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update glibc’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2015-2837
2015-02-28 06:50:35
——————————————————————————–

Name : glibc
Product : Fedora 21
Version : 2.20
Release : 8.fc21
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

——————————————————————————–
Update Information:

– Fix CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
– Fix CVE-2014-9402 glibc: denial of service in getnetbyname function
– CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf
– Fix segfault when LD_LIBRARY_PATH is set to non-existent directory.
——————————————————————————–
ChangeLog:

* Fri Feb 27 2015 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.20-8
– wordexp fails to honour WRDE_NOCMD (CVE-2014-7817, #1167569).
– Avoid infinite loop in nss_dns getnetbyname (CVE-2014-9402, #1175370).
– wscanf allocates too little memory (CVE-2015-1472, #1188237).
– Fix segmentation fault when LD_LIBRARY_PATH contains only non-existing
paths (#1184234).
* Tue Jan 6 2015 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.20-7
– Remove LIB_LANG since we don’t install locales in /usr/lib/locale anymore.
– Don’t own any directories in /usr/share/locale (#1167445).
– Use the %find_lang macro to get the *.mo files (#1167445).
– Add %lang tags to language locale files in /usr/share/i18n/locale (#1169044).
* Wed Oct 1 2014 Siddhesh Poyarekar <siddhesh@redhat.com> – 2.20-6
– Enable lock elision again on s390 and s390x.
——————————————————————————–
References:

[ 1 ] Bug #1188235 – CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf
https://bugzilla.redhat.com/show_bug.cgi?id=1188235
[ 2 ] Bug #1175369 – CVE-2014-9402 glibc: denial of service in getnetbyname function
https://bugzilla.redhat.com/show_bug.cgi?id=1175369
[ 3 ] Bug #1157689 – CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
https://bugzilla.redhat.com/show_bug.cgi?id=1157689
——————————————————————————–

Autor	Tomislav Protega
Cert id	NCERT-REF-2015-03-0017-ADV
Cve	CVE-2014-6040 CVE-2014-7817 CVE-2014-5119 CVE-2014-0475 CVE-2014-9402 CVE-2015-1472
ID izvornika	FEDORA-2015-2845 FEDORA-2015-2837
Proizvod	glibc
Izvor	http://www.redhat.com

Ranjivosti programske biblioteke glibc

Archives

More in Preporuke

Ranjivost programskog paketa bind