Univention Bugzilla – Bug 40676
eglibc: Multiple issues (3.2)
Last modified: 2016-02-17 18:53:45 CET
Upstream Debian package version 2.11.3-4+deb6u7 fixes the following issue: * Denial of service in nss_files (CVE-2014-8121) Upstream Debian package version 2.11.3-4+deb6u10 fixes the following issues: * nan function unbounded stack allocation (CVE-2014-9761) * If an invalid separated time value is passed to strftime, the strftime function could crash or leak information. No affected applications are known (CVE-2015-8776) * The rarely-used hcreate and hcreate_r functions did not check the size argument properly, leading to a crash (denial of service) for certain arguments. No impacted applications are known at this time (CVE-2015-8778) * The catopen function contains several unbound stack allocations (stack overflows), causing it the crash the process (denial of service). No applications where this issue has a security impact are currently known (CVE-2015-8779)
Upstream Debian package version 2.11.3-4+deb6u11 fixes the following issues: * getaddrinfo, when processing AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its internal buffers, leading to a stack-based buffer overflow and arbitrary code execution. This vulnerability affects most applications which perform host name resolution using getaddrinfo, including system services (CVE-2015-7547) * Denial of service due to memory leak while processing certain DNS answers in getaddrinfo, related to the _nss_dns_gethostbyname4_r function (No CVE yet)
The upstream package has been imported and built without any additional patches. Advisory: eglibc.yaml
reproducible with 2.11.3-4.24.201508171457 (CVE-2015-7547-client) OK - CVE-2015-7547-client OK with 2.11.3-4.32.201602161815, amd64/i386 OK - ucs-test (standard tests), amd64/i386 OK - YAML
<http://errata.software-univention.de/ucs/3.2/398.html>