Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1458
eglibc security update
27 August 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: eglibc
Publisher: Debian
Operating System: Debian GNU/Linux 7
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-5119
Original Bulletin:
http://www.debian.org/security/2014/dsa-3012
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running eglibc check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3012-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
August 27, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : eglibc
CVE ID : CVE-2014-5119
Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code in eglibc, Debian's version of the
GNU C Library. As a result, an attacker who can supply a crafted
destination character set argument to iconv-related character
conversation functions could achieve arbitrary code execution.
This update removes support of loadable gconv transliteration modules.
Besides the security vulnerability, the module loading code had
functionality defects which prevented it from working for the intended
purpose.
For the stable distribution (wheezy), this problem has been fixed in
version 2.13-38+deb7u4.
We recommend that you upgrade your eglibc packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJT/XeKAAoJEL97/wQC1SS+j6UH/iXVje1YYlf+O4SXDgGTT662
xnZg0itqS7wtV4uC4QgLziPMXUVvBHZKmekpYz3BT0ogTPBq/YOrdFwKRZimUH6k
fpBQBc2FxN3yOabxxopwa3ooLo+P2/Cg620S7lU1HuFyK5x9MmTzA+iHBz5zXB/o
60xndeG6aouLwFEJZCdFc7Zlit4s4FNI6RYcP/iWQF96nIO5EcfC2bT36Y+byC0a
E12oBWZH+wkGzEIwfwgWTPTqFPYGO/gy15f04dJZMVg8Mg9GUEe3/jbF+UVp7Piv
KxEeFhgKP1QTTFmikLj6FYOQ9eeC1N4We2WTupWfHs82y3a+SspeiohyKEjRWk4=
=eGnl
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU/13gBLndAQH1ShLAQJ4rxAAqZHOdW+IEGSq3gCXr/og8tJudDVHM/gZ
jvDQIJ1TsM3M8QrMoOFQpdTAEuGnP6bKjsXKE2s5iLE1RbELBsIJn3GNDwzduQpN
NIcEebSk7qCn4/O4VAwMhK/SYY5jw0BjYfVxzk9kpLSRkwC0n6NZy95reOQRshqU
AMXFOCz3aXb5G6hnfmG1cTxDTY/0SgizhxQeJV6xz34EYtZUOo6GyESsrTJQnkeI
Sg7MIHKuKO7R5O6sdR0VM4Siochxv62Uw2c+R9ms+4kqHkxZxVkV25VvpLRV66V4
zlfeERhJpub1dLoj8XTSnQb6BACwnF+EKRznBXkAj1XpHii51ZTtcuAVGXTy3BQj
ApGVlPpe3iKO5Id1F1CXjGrcdtDpiNwR2PM2P/A8eU7sgU/UorGRHnnHNRDnFOVj
zDeESX46KKXADnoS2LfFmUxtosokEzc+VMvvqsjHz3XHFqrorNlBXJnZ0w926vKZ
CY2uPkx7TZpsqZpvXVw6RUfXK9mCc942E5CIx1WBC6tywCGm/AhyUJafeSVVuzzS
50z1/K35Fa49ONbbfRC3zc0Jhdn8xFmKUo+jLquX25ixkNqnOcXcMfVE5XFM8dwe
fW1ia8YjcPX1KC18KrpN+Oklurg3Eu+L/dZ4/8gP7NXRGN2/4N7ZhGWbHZW3kUYu
vA3ArfdpitA=
=ykUC
-----END PGP SIGNATURE-----