Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0080 Moderate: glibc security and bug fix update 25 January 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: glibc Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2011-4609 CVE-2009-5029 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2012-0058.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running glibc check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: glibc security and bug fix update Advisory ID: RHSA-2012:0058-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0058.html Issue date: 2012-01-24 CVE Names: CVE-2009-5029 CVE-2011-4609 ===================================================================== 1. Summary: Updated glibc packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2009-5029) A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time. (CVE-2011-4609) This update also fixes the following bugs: * glibc had incorrect information for numeric separators and groupings for specific French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the wrong separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed. (BZ#754116) * The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members, resulting in applications such as "id" failing to list all the groups a particular user was a member of. With this update, group parsing has been fixed. (BZ#766484) * glibc incorrectly allocated too much memory due to a race condition within its own malloc routines. This could cause a multi-threaded application to allocate more memory than was expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables. (BZ#769594) Users should upgrade to these updated packages, which contain backported patches to resolve these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 761245 - CVE-2009-5029 glibc: __tzfile_read integer overflow to buffer overflow 767299 - CVE-2011-4609 glibc: svc_run() produces high cpu usage when accept() fails with EMFILE error 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-headers-2.12-1.47.el6_2.5.i686.rpm glibc-utils-2.12-1.47.el6_2.5.i686.rpm nscd-2.12-1.47.el6_2.5.i686.rpm x86_64: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-2.12-1.47.el6_2.5.x86_64.rpm glibc-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.x86_64.rpm glibc-headers-2.12-1.47.el6_2.5.x86_64.rpm glibc-utils-2.12-1.47.el6_2.5.x86_64.rpm nscd-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm x86_64: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm x86_64: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-2.12-1.47.el6_2.5.x86_64.rpm glibc-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.x86_64.rpm glibc-headers-2.12-1.47.el6_2.5.x86_64.rpm glibc-utils-2.12-1.47.el6_2.5.x86_64.rpm nscd-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm x86_64: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-headers-2.12-1.47.el6_2.5.i686.rpm glibc-utils-2.12-1.47.el6_2.5.i686.rpm nscd-2.12-1.47.el6_2.5.i686.rpm ppc64: glibc-2.12-1.47.el6_2.5.ppc.rpm glibc-2.12-1.47.el6_2.5.ppc64.rpm glibc-common-2.12-1.47.el6_2.5.ppc64.rpm glibc-debuginfo-2.12-1.47.el6_2.5.ppc.rpm glibc-debuginfo-2.12-1.47.el6_2.5.ppc64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.ppc.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.ppc64.rpm glibc-devel-2.12-1.47.el6_2.5.ppc.rpm glibc-devel-2.12-1.47.el6_2.5.ppc64.rpm glibc-headers-2.12-1.47.el6_2.5.ppc64.rpm glibc-utils-2.12-1.47.el6_2.5.ppc64.rpm nscd-2.12-1.47.el6_2.5.ppc64.rpm s390x: glibc-2.12-1.47.el6_2.5.s390.rpm glibc-2.12-1.47.el6_2.5.s390x.rpm glibc-common-2.12-1.47.el6_2.5.s390x.rpm glibc-debuginfo-2.12-1.47.el6_2.5.s390.rpm glibc-debuginfo-2.12-1.47.el6_2.5.s390x.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.s390.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.s390x.rpm glibc-devel-2.12-1.47.el6_2.5.s390.rpm glibc-devel-2.12-1.47.el6_2.5.s390x.rpm glibc-headers-2.12-1.47.el6_2.5.s390x.rpm glibc-utils-2.12-1.47.el6_2.5.s390x.rpm nscd-2.12-1.47.el6_2.5.s390x.rpm x86_64: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-2.12-1.47.el6_2.5.x86_64.rpm glibc-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.x86_64.rpm glibc-headers-2.12-1.47.el6_2.5.x86_64.rpm glibc-utils-2.12-1.47.el6_2.5.x86_64.rpm nscd-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm ppc64: glibc-debuginfo-2.12-1.47.el6_2.5.ppc.rpm glibc-debuginfo-2.12-1.47.el6_2.5.ppc64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.ppc.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.ppc64.rpm glibc-static-2.12-1.47.el6_2.5.ppc.rpm glibc-static-2.12-1.47.el6_2.5.ppc64.rpm s390x: glibc-debuginfo-2.12-1.47.el6_2.5.s390.rpm glibc-debuginfo-2.12-1.47.el6_2.5.s390x.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.s390.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.s390x.rpm glibc-static-2.12-1.47.el6_2.5.s390.rpm glibc-static-2.12-1.47.el6_2.5.s390x.rpm x86_64: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-headers-2.12-1.47.el6_2.5.i686.rpm glibc-utils-2.12-1.47.el6_2.5.i686.rpm nscd-2.12-1.47.el6_2.5.i686.rpm x86_64: glibc-2.12-1.47.el6_2.5.i686.rpm glibc-2.12-1.47.el6_2.5.x86_64.rpm glibc-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-devel-2.12-1.47.el6_2.5.i686.rpm glibc-devel-2.12-1.47.el6_2.5.x86_64.rpm glibc-headers-2.12-1.47.el6_2.5.x86_64.rpm glibc-utils-2.12-1.47.el6_2.5.x86_64.rpm nscd-2.12-1.47.el6_2.5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/glibc-2.12-1.47.el6_2.5.src.rpm i386: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm x86_64: glibc-debuginfo-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.5.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.5.x86_64.rpm glibc-static-2.12-1.47.el6_2.5.i686.rpm glibc-static-2.12-1.47.el6_2.5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-5029.html https://www.redhat.com/security/data/cve/CVE-2011-4609.html https://access.redhat.com/security/updates/classification/#moderate https://rhn.redhat.com/errata/RHBA-2011-1179.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPHyRKXlSAg2UNWIIRApoWAKC4J5Xxsn2G+Z/DPy9ewnJLtWAAYwCaA3B+ LTuIiDvp3F1TwN7edxyBI6I= =hOeo - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTx87fu4yVqjM2NGpAQJKuw/+JUy+YJSvgu1WDR/BRxZmZBvVxVpw+u6B KlSD2WquDZUIBSyyGGg2Y1KZRF1Icl9qrlls3kBUxU+QKXfeRwSX2lN9LPo88xhS dHzPfvFoxM3X1X99nN2Jex2KBI9gqPKJJIb8pgCx49UR/Qur+lovAVF+vt0M3dpS z2fOhN4loDaIl2C54fYUjRbJqYWbYBnEBps4bxVA9WPUNrUGE/JQQmy7AWnYj8u7 3q8IylXNmhYbEkJOeAmwOXStILIHYntot6BEV4xajbL6Dh91u53EZZs/5xinoS2u 8DX6dzmZcGe4hpqhNNaiFj/QDjZf29cpGyUOOOt4/cxVZ6aGLuIZhZe5Dtu/fU9q /wQA+6udk5YFUkUcpmVi9up4pZh4kIq+eC/A+4zKgd4/tNsBaXRHCmdhj7Pvbe9z S1Zpng4gy/DwW3g2GdTj26DMZKazXlp6TAHybxsswhG2Gtgy2zs27yaVfedp0WoI 8yezB9nfpz7U9ke91y+nE1dKGl8U+umOP/A+gOSQaNk0tf/OXbUOKslM9Eoza+1s QV6yLdMDBJGpFFVbXj5lZ2jankSbermMFxJptyPCmfLdslgn2a2hojNh3KNA+lEY yhLAVZDf7J+uhiW8/P46uC+k7JCYObuEeDHIfu2o87UC7dKsRPgbh4igvZnLVjEe lRNiooRNPeY= =fVe1 -----END PGP SIGNATURE-----