Debian Security Advisory
DSA-5514-1 glibc -- security update
- Date Reported:
- 03 Oct 2023
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2023-4911.
- More information:
The Qualys Research Labs discovered a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. An attacker can exploit this flaw for privilege escalation.
Details can be found in the Qualys advisory at https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
For the oldstable distribution (bullseye), this problem has been fixed in version 2.31-13+deb11u7.
For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u3. This update includes fixes for CVE-2023-4527 and CVE-2023-4806 originally planned for the upcoming bookworm point release.
We recommend that you upgrade your glibc packages.
For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc