You are here
Home > Preporuke > Sigurnosni nedostatak programske biblioteke glibc

Sigurnosni nedostatak programske biblioteke glibc

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2018-060302dc83
2018-12-04 02:22:12.111599
——————————————————————————–

Name : glibc
Product : Fedora 28
Version : 2.27
Release : 35.fc28
URL : http://www.gnu.org/software/glibc/
Summary : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

——————————————————————————–
Update Information:

This update for the `glibc` package addresses one moderate security
vulnerability and several defects. * CVE-2018-19591: A file descriptor leak in
`if_nametoindex` can lead to a denial of service due to resource exhaustion when
processing `getaddrinfo` calls with crafted host names. Reported by Guido
Vranken. (RHBZ#1654000) * Failure to create the helper thread for
`getaddrinfo_a`/`libanl` could result in a crash. (RHBZ#1646381) * On certain
Haswell-class Intel CPUs, string function feature flags could be set
incorrectly, leading to a suboptimal choice of string functions. (RHBZ#1641980)
* Parallel building of locales led to nondeterminism in the RPM build process.
(RHBZ#1652228) * Various minor bug fixes from the upstream 2.27 release branch
were imported as part of this update
([swbz#17630](https://sourceware.org/bugzilla/show_bug.cgi?id=17630),
[swbz#22753](https://sourceware.org/bugzilla/show_bug.cgi?id=22753),
[swbz#23275](https://sourceware.org/bugzilla/show_bug.cgi?id=23275),
[swbz#23562](https://sourceware.org/bugzilla/show_bug.cgi?id=23562),
[swbz#23579](https://sourceware.org/bugzilla/show_bug.cgi?id=23579),
[swbz#23822](https://sourceware.org/bugzilla/show_bug.cgi?id=23822)).
——————————————————————————–
ChangeLog:

* Wed Nov 28 2018 Florian Weimer <fweimer@redhat.com> – 2.27-35
– Auto-sync with upstream branch release/2.27/master,
commit 9f433fc791ca4f9d678903ff45b504b524c886fb:
– CVE-2018-19591: if_nametoindex: Fix descriptor leak (#1654000)
– libanl: proper cleanup if first helper thread creation failed (#1646381)
– x86: Fix Haswell CPU string flags (#1641980)
– resolv/tst-resolv-network.c: Additional test case (swbz#17630)
– ia64: fix missing exp2f, log2f and powf symbols in libm.a (swbz#23822)
– conform: XFAIL siginfo_t si_band test on sparc64
– signal: Use correct type for si_band in siginfo_t (swbz#23562)
– pthread_mutex_lock: Fix race while promoting to PTHREAD_MUTEX_ELISION_NP
(swbz#23275)
– preadv2/pwritev2: Fix misreported errno (swbz#23579)
– preadv2/pwritev2: Handle offset == -1 (swbz#22753)
– posix_spawn: Fix potential segmentation fault
* Mon Nov 26 2018 Florian Weimer <fweimer@redhat.com> – 2.27-34
– Do not use parallel make for building locales (#1652228)
* Thu Aug 30 2018 Florian Weimer <fweimer@redhat.com> – 2.27-33
– Revert glibc_make_flags setting which is not needed in Fedora 28 (#1600034)
* Wed Aug 29 2018 Florian Weimer <fweimer@redhat.com> – 2.27-32
– Auto-sync with upstream branch release/2.27/master,
commit 2b47bb9cba048e778a7d832f284feccb14a40483:
– nptl: Fix waiters-after-spinning case in pthread_cond_broadcast (#1622669)
– x86: Correct index_cpu_LZCNT (swbz#23456)
– x86: Populate COMMON_CPUID_INDEX_80000001 for Intel CPUs (swbz#23459)
* Mon Aug 13 2018 Carlos O’Donell <carlos@redhat.com> – 2.27-31
– Remove abort() warning in manual (#1615608)
* Wed Jul 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-30
– Auto-sync with upstream branch release/2.27/master,
commit 68c1bf80978594388157c62fd2edd467d4e8dfb2:
– regexec: Fix off-by-one bug in weight comparison (#1582229)
– es_BO locale: Change LC_PAPER to en_US (swbz#22996)
– conform/conformtest.pl: Escape literal braces in regular expressions
* Wed Jul 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-29
– Add POWER9 multilib (downstream only)
* Wed Jul 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-28
– Work around valgrind issue on i686 (#1600034)
* Fri Jul 6 2018 Florian Weimer <fweimer@redhat.com> – 2.27-27
– Build additional files with stack protector
* Fri Jul 6 2018 Florian Weimer <fweimer@redhat.com> – 2.27-26
– Enable build flags inheritance for nonshared flags
* Fri Jul 6 2018 Florian Weimer <fweimer@redhat.com> – 2.27-25
– Inherit further build flags (downstream only)
* Wed Jul 4 2018 Florian Weimer <fweimer@redhat.com> – 2.27-24
– Add annobin annotations to assembler code (downstream only) (#1548438)
* Wed Jul 4 2018 Florian Weimer <fweimer@redhat.com> – 2.27-23
– Enable -D_FORTIFY_SOURCE=2 for nonshared code
* Wed Jul 4 2018 Florian Weimer <fweimer@redhat.com> – 2.27-22
– Auto-sync with upstream branch release/2.27/master,
commit 5fab7fe1dc9cab9a46cf5c8840aa9b7ea3a26296:
– math: Set 387 and SSE2 rounding mode for tgamma on i386 (swbz#23253)
* Wed Jul 4 2018 Florian Weimer <fweimer@redhat.com> – 2.27-21
– Switch to upstream implementation of –disable-crypt (#1566464)
* Tue Jul 3 2018 Florian Weimer <fweimer@redhat.com> – 2.27-20
– Auto-sync with upstream branch release/2.27/master,
commit 7602b9e48c30c146d52df91dd83e518b8d0d343b:
– math: Fix parameter type in C++ version of iseqsig (swbz#23171)
– Use _STRUCT_TIMESPEC as guard in <bits/types/struct_timespec.h> (swbz#23349)
– getifaddrs: Don’t return ifa entries with NULL names (swbz#21812)
– libio: Disable vtable validation in case of interposition (swbz#23313)
– stdio-common/tst-printf.c: Remove part under a non-free license (swbz#23363)
* Wed Jun 20 2018 Florian Weimer <fweimer@redhat.com> – 2.27-19
– Modernise nsswitch.conf defaults (#1581809)
* Mon Jun 18 2018 Florian Weimer <fweimer@redhat.com> – 2.27-18
– iconv: Make IBM273 equivalent to ISO-8859-1 (#1592270)
* Mon Jun 18 2018 Florian Weimer <fweimer@redhat.com> – 2.27-17
– Align build flags inheritance with master (downstream only)
* Mon Jun 18 2018 Florian Weimer <fweimer@redhat.com> – 2.27-16
– Auto-sync with upstream branch release/2.27/master,
commit 80c83e91140d429c73f79092fdb75eed0fb71da0:
– libio: Avoid _allocate_buffer, _free_buffer function pointers (swbz#23236)
– posix: Fix posix_spawnp to not execute invalid binaries in non compat mode
(swbz#23264)
– elf: Improve DST handling (swbz#23102, swbz#21942, swbz#18018, swbz#23259)
* Thu May 24 2018 Florian Weimer <fweimer@redhat.com> – 2.27-15
– Rebuild to add back .symtab section in ld.so (#1570246)
– Switch to upstream version of libidn2 removal (#1452750)
– Auto-sync with upstream branch release/2.27/master,
commit 50df56ca86a281c8fd99a8100aac75539813788d:
– CVE-2018-11237: Buffer overflow in mempcpy for Xeon Phi (#1581275)
* Thu May 17 2018 Florian Weimer <fweimer@redhat.com> – 2.27-14
– Do not run telinit u on upgrades (#1579225)
* Tue May 15 2018 Florian Weimer <fweimer@redhat.com> – 2.27-13
– Auto-sync with upstream branch release/2.27/master,
commit 0cd4a5e87f6885a2f15fe8e7eb7378d010cdb606:
– sunrpc: Remove stray exports (#1577210)
– gd_GB: Fix typo in abbreviated “May” (swbz#23152)
– CVE-2018-11236: realpath: Fix path length overflow (#1581270, swbz#22786)
– elf: Fix stack overflow with huge PT_NOTE segment (swbz#20419)
– resolv: Fully initialize struct mmsghdr in send_dg (swbz#23037)
– manual: Various fixes to the mbstouwcs example, and mbrtowc update
– getlogin_r: return early when linux sentinel value is set
– resolv: Fix crash in resolver on memory allocation failure (swbz#23005)
– Fix signed integer overflow in random_r (swbz#17343)
– RISC-V: fix struct kernel_sigaction to match the kernel version (swbz#23069)
* Fri May 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-12
– Unconditionally build downstream with -mstackrealign for now
* Fri May 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-11
– Inherit compiler flags in the original order
* Fri May 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-10
– Inherit the -mstackrealign flag if it is set
* Fri May 11 2018 Florian Weimer <fweimer@redhat.com> – 2.27-9
– Use /usr/bin/python3 for benchmarks scripts (#1577223)
——————————————————————————–
References:

[ 1 ] Bug #1653993 – CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c
https://bugzilla.redhat.com/show_bug.cgi?id=1653993
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2018-060302dc83’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

AutorZvonimir Bosnjak
Cert idNCERT-REF-2018-12-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostatak programskog paketa ghostscript

Otkriven je sigurnosni nedostatak u programskom paketu ghostscript za operacijski sustav Red Hat. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje proizvoljnog...

Close