
[SECURITY] [DLA 561-1] uclibc security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : uclibc
Version        : 0.9.32-1+deb7u1
CVE ID         : CVE-2016-2224 CVE-2016-2225 CVE-2016-6264

Several vulnerabilities have been discovered in uClibc, an
implementation of the standard C library that is much smaller than
glibc, which makes it useful for embedded systems.


CVE-2016-2224
    Fix possible denial of service via a specially crafted DNS reply
    that could cause an infinite loop.
	
CVE-2016-2225
    Fix possible denial of service via a specially crafted packet that
    will make the parser in libc/inet/resolv.c terminate early.

CVE-2016-6264
    It was found that the 'BLT' instruction in libc/string/arm/memset.S
    checks for signed values. If the length parameter of memset is
    negative, then the value added to the PC will be large. An attacker
    who controls the length parameter of memset can also control the
    value of the PC register.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9.32-1+deb7u1.

We recommend that you upgrade your uclibc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
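The signed-comparison problem described under CVE-2016-6264, modelled in C as an added example (it is not part of the advisory and is not uClibc code). The threshold of 8 and all function names are assumptions made for illustration; the unsigned variant is shown for contrast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SHORT_LIMIT 8u /* assumed threshold for the short-length path */

/* Models CMP len, #8 followed by BLT: the operands are compared as signed.
 * The cast relies on two's-complement conversion, as on ARM. */
static int takes_short_path_signed(uint32_t len) {
    return (int32_t)len < (int32_t)SHORT_LIMIT;
}

/* Models the same CMP followed by an unsigned branch. */
static int takes_short_path_unsigned(uint32_t len) {
    return len < SHORT_LIMIT;
}

/* The short path is only safe when the length really is below the limit,
 * because it derives the value added to the PC from the length. */
static int short_path_precondition_broken(uint32_t len, int took_short) {
    return took_short && len >= SHORT_LIMIT;
}

/* Constructed sample lengths: small, ordinary, and values with bit 31 set
 * (what a negative int becomes when passed as a 32-bit size_t). */
static const uint32_t SAMPLES[] = { 0u, 7u, 8u, 4096u, 0x7fffffffu,
                                    0x80000000u, 0xffffffffu };
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Counts sample lengths that reach the short path with an invalid length. */
static unsigned count_broken(int (*pick)(uint32_t)) {
    unsigned n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += (unsigned)short_path_precondition_broken(SAMPLES[i], pick(SAMPLES[i]));
    return n;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("len=0x%08x signed:%s unsigned:%s\n", (unsigned)SAMPLES[i],
               takes_short_path_signed(SAMPLES[i]) ? "short" : "bulk",
               takes_short_path_unsigned(SAMPLES[i]) ? "short" : "bulk");
    printf("invalid short-path entries, signed compare:   %u\n",
           count_broken(takes_short_path_signed));
    printf("invalid short-path entries, unsigned compare: %u\n",
           count_broken(takes_short_path_unsigned));
    return 0;
}
```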

