[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 416-1] eglibc security update



Package        : eglibc
Version        : 2.11.3-4+deb6u11
CVE ID         : CVE-2015-7547

Several vulnerabilities have been fixed in the Debian GNU C Library,
eglibc:

CVE-2015-7547
    The Google Security Team and Red Hat discovered that the glibc
    host name resolver function, getaddrinfo, when processing
    AF_UNSPEC queries (for dual A/AAAA lookups), could mismange its
    internal buffers, leading to a stack-based buffer overflow and
    arbitrary code execution.  This vulnerability affects most
    applications which perform host name resolution using getaddrinfo,
    including system services.

The following fixed vulnerabilities currently lack CVE assignment:

    Andreas Schwab reported a memory leak (memory allocation without a
    matching deallocation) while processing certain DNS answers in
    getaddrinfo, related to the _nss_dns_gethostbyname4_r function.
    This vulnerability could lead to a denial of service.

For Debian 6 "Squeeze", these issues have been fixed in eglibc version
eglibc_2.11.3-4+deb6u11. In addition this version corrects the fix for
CVE-2014-9761 in Squeeze, which have wrongly marked a few symbols as
public instead of private.

While it is only necessary to ensure that all processes are not using
the old eglibc anymore, it is recommended to reboot the machines after
applying the security upgrade.

We recommend you to upgrade your eglibc packages.

Attachment: signature.asc
Description: PGP signature


Reply to: