History: Jan 30, 2024 - 8:26 a.m.

Advisory ROSA-SA-2024-2332

2024-01-30 08:26:13
ROSA LAB
abf.rosalinux.ru
glibc
rosa virtualization 2.1
buffer overflow
getaddrinfo function
ld.so
memory usage
dynamic loader
denial of service
arbitrary code execution
glibc-2.28-225.rv3.src.rpm

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.2 High (Confidence: High)

CVSS2: 4.3 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.016 Low (Percentile: 87.2%)

Software: glibc 2.28
OS: ROSA Virtualization 2.1

package_evr_string: glibc-2.28-225.rv3.src.rpm

CVE-ID: CVE-2023-4527
BDU-ID: 2023-06332
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the getaddrinfo function of the glibc system library is related to reading data outside of buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update glibc command

CVE-ID: CVE-2023-4813
BDU-ID: 2023-05969
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the nsswitch.conf component of glibc, the library that provides system calls and basic functions, is related to the use of memory after it has been freed. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update glibc command

CVE-ID: CVE-2023-4806
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: An error has been detected in glibc. In an extremely rare situation, the getaddrinfo function may access freed memory, causing the application to crash. This issue can only be exploited if the NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the getaddrinfo function call must use the AF_INET6 address family with the flags AI_CANONNAME, AI_ALL and AI_V4MAPPED.
CVE-STATUS: Fixed
CVE-REV: Run the yum update glibc command to close it

CVE-ID: CVE-2023-4911
BDU-ID: 2023-06269
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the dynamic loader ld.so of the glibc library is related to a buffer overflow in dynamic memory. Exploitation of the vulnerability could allow an attacker to execute arbitrary code with elevated privileges by running binaries with SUID permissions and creating the GLIBC_TUNABLES environment variable.
CVE-STATUS: Fixed
CVE-REV: Run the yum update glibc command to close it

OS | Version | Architecture | Package | Version | Filename
ROSA | any | noarch | glibc | < 2.28 | UNKNOWN
