MGASA-2017-0464

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2017-0464.html

Import Source

https://advisories.mageia.org/MGASA-2017-0464.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2017-0464

Related

Published

2017-12-22T10:31:08Z

Modified

2017-12-22T10:05:47Z

Summary

Updated glibc packages fix security vulnerabilities

Details

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132, CVE-2017-12133).

The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow (CVE-2017-15670).

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak) (CVE-2017-15671).

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804).

As libtirpc is also affected by CVE-2017-12133, it's part of this update.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / glibc

Package

Name: glibc
Purl: pkg:rpm/mageia/glibc?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.22-26.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / libtirpc

Package

Name: libtirpc
Purl: pkg:rpm/mageia/libtirpc?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.1-5.1.mga6

Ecosystem specific

{
    "section": "core"
}