Security Bulletin: z/TPF is affected by GNU C library (glibc) vulnerabilities

Summary

The GNU C library (glibc) provided with the z/TPF system was updated to address the vulnerabilities described by CVE-2011-1071 and CVE-2014-9761.

Vulnerability Details

CVEID:CVE-2011-1071
DESCRIPTION: GNU C Library could allow a remote attacker to execute arbitrary code on the system, caused by an error in the fnmatch() function. By persuading the application into using the function, a remote attacker could exploit this vulnerability to corrupt the stack and execute arbitrary code on the system.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/65671&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2014-9761
DESCRIPTION: GNU C Library (glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the nan function. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111085&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

z/TPF Enterprise Edition Version 1.1

Remediation/Fixes

Product

| VRMF |APAR|Remediation/First Fix
—|—|—|—
z/TPF | 1.1 | APAR PJ45634 | Apply the APAR, which is available for download from the TPF Family Product: Maintenance web page.

Workarounds and Mitigations

None.