Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.1458 eglibc security update 27 August 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: eglibc Publisher: Debian Operating System: Debian GNU/Linux 7 UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-5119 Original Bulletin: http://www.debian.org/security/2014/dsa-3012 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running eglibc check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3012-1 security@debian.org http://www.debian.org/security/ Florian Weimer August 27, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : eglibc CVE ID : CVE-2014-5119 Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code in eglibc, Debian's version of the GNU C Library. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversation functions could achieve arbitrary code execution. This update removes support of loadable gconv transliteration modules. Besides the security vulnerability, the module loading code had functionality defects which prevented it from working for the intended purpose. For the stable distribution (wheezy), this problem has been fixed in version 2.13-38+deb7u4. We recommend that you upgrade your eglibc packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJT/XeKAAoJEL97/wQC1SS+j6UH/iXVje1YYlf+O4SXDgGTT662 xnZg0itqS7wtV4uC4QgLziPMXUVvBHZKmekpYz3BT0ogTPBq/YOrdFwKRZimUH6k fpBQBc2FxN3yOabxxopwa3ooLo+P2/Cg620S7lU1HuFyK5x9MmTzA+iHBz5zXB/o 60xndeG6aouLwFEJZCdFc7Zlit4s4FNI6RYcP/iWQF96nIO5EcfC2bT36Y+byC0a E12oBWZH+wkGzEIwfwgWTPTqFPYGO/gy15f04dJZMVg8Mg9GUEe3/jbF+UVp7Piv KxEeFhgKP1QTTFmikLj6FYOQ9eeC1N4We2WTupWfHs82y3a+SspeiohyKEjRWk4= =eGnl - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU/13gBLndAQH1ShLAQJ4rxAAqZHOdW+IEGSq3gCXr/og8tJudDVHM/gZ jvDQIJ1TsM3M8QrMoOFQpdTAEuGnP6bKjsXKE2s5iLE1RbELBsIJn3GNDwzduQpN NIcEebSk7qCn4/O4VAwMhK/SYY5jw0BjYfVxzk9kpLSRkwC0n6NZy95reOQRshqU AMXFOCz3aXb5G6hnfmG1cTxDTY/0SgizhxQeJV6xz34EYtZUOo6GyESsrTJQnkeI Sg7MIHKuKO7R5O6sdR0VM4Siochxv62Uw2c+R9ms+4kqHkxZxVkV25VvpLRV66V4 zlfeERhJpub1dLoj8XTSnQb6BACwnF+EKRznBXkAj1XpHii51ZTtcuAVGXTy3BQj ApGVlPpe3iKO5Id1F1CXjGrcdtDpiNwR2PM2P/A8eU7sgU/UorGRHnnHNRDnFOVj zDeESX46KKXADnoS2LfFmUxtosokEzc+VMvvqsjHz3XHFqrorNlBXJnZ0w926vKZ CY2uPkx7TZpsqZpvXVw6RUfXK9mCc942E5CIx1WBC6tywCGm/AhyUJafeSVVuzzS 50z1/K35Fa49ONbbfRC3zc0Jhdn8xFmKUo+jLquX25ixkNqnOcXcMfVE5XFM8dwe fW1ia8YjcPX1KC18KrpN+Oklurg3Eu+L/dZ4/8gP7NXRGN2/4N7ZhGWbHZW3kUYu vA3ArfdpitA= =ykUC -----END PGP SIGNATURE-----