[DLA 43-1] eglibc security update

To: debian-lts-announce@lists.debian.org
Subject: [DLA 43-1] eglibc security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Tue, 2 Sep 2014 20:03:40 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.4.64.1409022000540.16551@tor.gallien.in-chemnitz.de>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : eglibc
Version        : 2.11.3-4+deb6u1
CVE ID         : CVE-2014-0475 CVE-2014-5119

CVE-2014-0475

 Stephane Chazelas discovered that the GNU C library, glibc, processed
 ".." path segments in locale-related environment variables, possibly
 allowing attackers to circumvent intended restrictions, such as
 ForceCommand in OpenSSH, assuming that they can supply crafted locale
 settings.

CVE-2014-5119

 Tavis Ormandy discovered a heap-based buffer overflow in the
 transliteration module loading code in eglibc, Debian's version of the
 GNU C Library.  As a result, an attacker who can supply a crafted
 destination character set argument to iconv-related character
 conversation functions could achieve arbitrary code execution.

 This update removes support of loadable gconv transliteration modules.
 Besides the security vulnerability, the module loading code had
 functionality defects which prevented it from working for the intended
 purpose.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFUBgZ/02K2KlS5mJARAq6lAJ0URl8fXxMnPAYug6hbZaAPAsQ/OgCfV1iz
vZyi9bxCvcWm3RTgnXkSECw=
=WC1a
-----END PGP SIGNATURE-----

Reply to:

Next by Date: [SECURITY] [DLA 44-1] libwpd security update
Next by thread: [SECURITY] [DLA 44-1] libwpd security update
Index(es):
- Date
- Thread