
Re: [SECURITY] [DSA 3481-1] glibc security update



Hello,

A question to those more knowledgeable: we're using our own DNS
servers for all lookups, and those do recursive lookup for any
external addresses. Am I right to assume that Bind9 uses its own
implementation for DNS lookups? Or are those now basically ticking
time bombs?

Regards,
Peter Ludikovsky

On 16.02.2016 at 15:18, Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3481-1                   security@debian.org
> https://www.debian.org/security/                           Florian Weimer
> February 16, 2016                     https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : glibc
> CVE ID         : CVE-2015-7547 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779
> Debian Bug     : 812441 812445 812455
> 
> Several vulnerabilities have been fixed in the GNU C Library,
> glibc.
> 
> The first vulnerability listed below is considered to have
> critical impact.
> 
> CVE-2015-7547
> 
> The Google Security Team and Red Hat discovered that the glibc host
> name resolver function, getaddrinfo, when processing AF_UNSPEC
> queries (for dual A/AAAA lookups), could mismanage its internal
> buffers, leading to a stack-based buffer overflow and arbitrary
> code execution.  This vulnerability affects most applications which
> perform host name resolution using getaddrinfo, including system
> services.
> 
> CVE-2015-8776
> 
> Adam Nielsen discovered that if an invalid separated time value is
> passed to strftime, the strftime function could crash or leak 
> information.  Applications normally pass only valid time 
> information to strftime; no affected applications are known.
> 
> CVE-2015-8778
> 
> Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r 
> functions did not check the size argument properly, leading to a 
> crash (denial of service) for certain arguments.  No impacted 
> applications are known at this time.
> 
> CVE-2015-8779
> 
> The catopen function contains several unbound stack allocations
> (stack overflows), causing it to crash the process (denial of
> service).  No applications where this issue has a security impact
> are currently known.
> 
> While it is only necessary to ensure that all processes are not
> using the old glibc anymore, it is recommended to reboot the
> machines after applying the security upgrade.
> 
> For the stable distribution (jessie), these problems have been
> fixed in version 2.19-18+deb8u3.
> 
> For the unstable distribution (sid), these problems will be fixed
> in version 2.21-8.
> 
> We recommend that you upgrade your glibc packages.
> 
> Further information about Debian Security Advisories, how to apply 
> these updates to your system and frequently asked questions can be 
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
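An added example, not from the DSA or from either message above, illustrating the advisory's remark that the fix only protects processes that have stopped using the old glibc: a POSIX sh script that reports processes whose mapped libc has been replaced on disk since they started. It assumes the Linux /proc/PID/maps format, where a mapping of a replaced file is flagged "(deleted)"; the maps lines in the script are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the DSA or the thread above. The advisory notes that
# the upgrade only protects processes that stop using the old glibc, and
# recommends a reboot. On Linux, a process still mapping a library file that has
# been replaced on disk shows that mapping as "(deleted)" in /proc/PID/maps
# (an assumption about /proc, not something the DSA states). This script reports
# such processes so an administrator can verify the fix has taken effect.

# stale_libc_in_maps: read /proc/PID/maps text on stdin and print the path of
# each deleted libc mapping. Exit status 0 if one was found, 1 otherwise.
stale_libc_in_maps() {
    awk '
        # field 6 is the mapped path; the kernel appends "(deleted)" as field 7
        $6 ~ /\/libc[-.]/ && $7 == "(deleted)" { found = 1; print $6 }
        END { exit found ? 0 : 1 }
    '
}

# scan_processes: print PID, command name and stale libc path for every live
# process that still has an old glibc mapped; returns 1 if any were found.
scan_processes() {
    stale=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        lib=$(stale_libc_in_maps 2>/dev/null < "$maps" | head -n 1)
        if [ -n "$lib" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
            stale=1
        fi
    done
    return $stale
}

# Constructed sample of two maps lines: a replaced libc, then an anonymous mapping.
SAMPLE_MAPS='7f3a2c000000-7f3a2c1bb000 r-xp 00000000 08:01 131078 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a2c3c1000-7f3a2c3c3000 rw-p 00000000 00:00 0'

# demo: run the parser over the constructed sample; prints the stale libc path.
demo() { printf '%s\n' "$SAMPLE_MAPS" | stale_libc_in_maps; }

case "${1:-}" in
    --scan) scan_processes ;;   # run as root to inspect every process
    *) demo ;;
esac
```

A non-empty report from `--scan` means those services (or the whole machine, as the advisory recommends) still need a restart before the new glibc is actually in use.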
