Lucene search

K
debianDebianDEBIAN:DLA-416-1:26BFF
HistoryFeb 16, 2016 - 4:49 p.m.

[SECURITY] [DLA 416-1] eglibc security update

2016-02-1616:49:24
lists.debian.org
19

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

Package : eglibc
Version : 2.11.3-4+deb6u11
CVE ID : CVE-2015-7547

Several vulnerabilities have been fixed in the Debian GNU C Library,
eglibc:

CVE-2015-7547
The Google Security Team and Red Hat discovered that the glibc
host name resolver function, getaddrinfo, when processing
AF_UNSPEC queries (for dual A/AAAA lookups), could mismange its
internal buffers, leading to a stack-based buffer overflow and
arbitrary code execution. This vulnerability affects most
applications which perform host name resolution using getaddrinfo,
including system services.

The following fixed vulnerabilities currently lack CVE assignment:

Andreas Schwab reported a memory leak (memory allocation without a
matching deallocation) while processing certain DNS answers in
getaddrinfo, related to the _nss_dns_gethostbyname4_r function.
This vulnerability could lead to a denial of service.

For Debian 6 "Squeeze", these issues have been fixed in eglibc version
eglibc_2.11.3-4+deb6u11. In addition this version corrects the fix for
CVE-2014-9761 in Squeeze, which have wrongly marked a few symbols as
public instead of private.

While it is only necessary to ensure that all processes are not using
the old eglibc anymore, it is recommended to reboot the machines after
applying the security upgrade.

We recommend you to upgrade your eglibc packages.
Attachment:
signature.asc
Description: PGP signature

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

Related for DEBIAN:DLA-416-1:26BFF