Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.0188 eglibc security update 28 January 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: eglibc Publisher: Debian Operating System: Debian GNU/Linux 7 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-0235 CVE-2014-7817 CVE-2014-6040 CVE-2012-6656 Reference: ESB-2015.0035 ESB-2014.2457 Original Bulletin: http://www.debian.org/security/2015/dsa-3142 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3142-1 security@debian.org http://www.debian.org/security/ Florian Weimer January 27, 2015 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : eglibc CVE ID : CVE-2012-6656 CVE-2014-6040 CVE-2014-7817 CVE-2015-0235 Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library: CVE-2015-0235 Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions. The original glibc bug was reported by Peter Klotz. CVE-2014-7817 Tim Waugh of Red Hat discovered that the WRDE_NOCMD option of the wordexp function did not suppress command execution in all cases. This allows a context-dependent attacker to execute shell commands. CVE-2012-6656 CVE-2014-6040 The charset conversion code for certain IBM multi-byte code pages could perform an out-of-bounds array access, causing the process to crash. In some scenarios, this allows a remote attacker to cause a persistent denial of service. For the stable distribution (wheezy), these problems have been fixed in version 2.13-38+deb7u7. For the upcoming stable distribution (jessie) and the unstable distribution (sid), the CVE-2015-0235 issue has been fixed in version 2.18-1 of the glibc package. We recommend that you upgrade your eglibc packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJUx7lnAAoJEL97/wQC1SS+jR0H/jMCNxCkr3qFKwpMAZst/Xwb AVVKtVQoDkknriA7ElMhWWKSOfLVgWQv4WE72WVwuMcQxaiFxkNoSHEvNoAevwf0 dfRpq4rfWAuRgw531DPQxSyIr9UjGFjTZ9mXVv9RW1+LtjouJb6Rp6AGKvaLpGM+ lDjiJvR2WcdTez6EGXbQdENa1xiKoxxEfJlSN5KE+9CuLeqDqeU0OKiWZ18GwNUX 5Gmyo9JP3LmWuYJxD0RKWf9dHEJLHAZ+qHGSKvFKpFg7yH7W7Pt5OoorGNR969RY BSpxLbhSgUBCx5TMT/MdwY1BloEzFbO6sE66WRkv+wPuQUGceks/bM9te880Hws= =+mSs - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVMgzUBLndAQH1ShLAQKNUw//XQFgGD9iy95Es5IKuRylF8Zn9CAziEz4 y3D5v5qOXOY7JW+OnFdIkhL7dKIQqS/iXFgPB49hIyOeAKOVW0PU62d4+OTZfHqJ k3kg0h9IFaBt4vOUHqI5NhizdGzUai7r4KRd6DgDsbOZxQPrRm2pLg2X3RwGgZAz 2A3CmldvVXTQ8SQvVJuKAIA+LRITRQsbglJK8/QngsTYVbswJqd/5J1Njh+Bzyjk gTdHXpNJiXsbQhU4x+UXCkDyXL/jQR+cOFrwYjfqDGVemIWwIbcar7/fGUkRzU3b yeAO/HC2cc/9XFj36Q+JFLs6jwHQ71p/+iFdQ9WKt8EbNSe5pizg+b578kyQ2FeO wXvYdWmh0+zyEF96B1Q8ernfqsXqebEU9zOmlAHr6+1uTsgjMVIFyDjA1EBncXX5 ROFdP+LRav8O0Ia3YwNBbzaBTU+BmlVM1dJebGYC+SuLOqkIrUyv51P7WvUqsrb2 64lV6bt0Pi1AW+lufWuyy5kEtwlnmeuEmeoKqOfy0J7wikB69vs1e7kGfISTk6Wi CVNMSqMIUi282yn2kmSXGdr3ILrsy06jSKZBE2i/tJoW3VD4K9Q9gNSJsdpepHiA okGWyeC03+lDrVVycYsg7MxY8d5JZeValukapvi/lYt6brgJ8f5u6U7gi4b4eZfk JhXegl5OKnk= =t2OE -----END PGP SIGNATURE-----