Security Information / 2023 / Security Information -- DSA-5514-1 glibc

Debian Security Advisory

DSA-5514-1 glibc -- security update

Date Reported:

03 Oct 2023

Affected Packages:

glibc

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2023-4911.

More information:

The Qualys Research Labs discovered a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. An attacker can exploit this flaw for privilege escalation.

Details can be found in the Qualys advisory at https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

For the oldstable distribution (bullseye), this problem has been fixed in version 2.31-13+deb11u7.

For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u3. This update includes fixes for CVE-2023-4527 and CVE-2023-4806 originally planned for the upcoming bookworm point release.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc