7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.017 Low
EPSS
Percentile
87.7%
res_query in libresolv in glibc before 2.25 allows remote attackers to
cause a denial of service (NULL pointer dereference and process crash).
Author | Note |
---|---|
tyhicks | See test case in the bug no fix upstream as of 2016-09-09 |
sbeattie | patch committed upstream on 2016-12-31; renames symbol so backporting may not be easy. commit included in glibc 2.25 release debian fixed this in unstable in 2.24-9 fixing this does indeed break the internal ABI between libnss_dns and libresolv. We’re backing out this change. reverted from zesty in 2.24-9ubuntu2 by infinity. For existing releases, DO NOT APPLY THIS PATCH due to ABI breakage. Fix will come in to 17.10 when we get glibc-2.25 as we do not guarantee ABI for libresolv internals across different glibc releases, just for upgrades for same versions e.g. (2.24 -> 2.24) REPEAT: DO NOT APPLY THIS PATCH (UNMODIFIED) IN A STABLE RELEASE |
mdeslaur | marking this issue as ignored, as we will not be fixing this in Ubuntu stable releases. |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.017 Low
EPSS
Percentile
87.7%