Full Disclosure mailing list archives
[ GLSA 201011-01 ] GNU C library: Multiple vulnerabilities
From: Tobias Heinlein <keytoaster () gentoo org>
Date: Mon, 15 Nov 2010 22:31:41 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201011-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: GNU C library: Multiple vulnerabilities Date: November 15, 2010 Bugs: #285818, #325555, #330923, #335871, #341755 ID: 201011-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in glibc, the worst of which allowing local attackers to execute arbitrary code as root. Background ========== The GNU C library is the standard C library used by Gentoo Linux systems. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-libs/glibc < 2.11.2-r3 >= 2.11.2-r3 Description =========== Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Impact ====== A local attacker could execute arbitrary code as root, cause a Denial of Service, or gain privileges. Additionally, a user-assisted remote attacker could cause the execution of arbitrary code, and a context-dependent attacker could cause a Denial of Service. Workaround ========== There is no known workaround at this time. Resolution ========== All GNU C library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.11.2-r3" References ========== [ 1 ] CVE-2009-4880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4880 [ 2 ] CVE-2009-4881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4881 [ 3 ] CVE-2010-0296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296 [ 4 ] CVE-2010-0830 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830 [ 5 ] CVE-2010-3847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847 [ 6 ] CVE-2010-3856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201011-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [ GLSA 201011-01 ] GNU C library: Multiple vulnerabilities Tobias Heinlein (Nov 15)