| Description: | Summary:
The remote host is missing an update for the 'glibc'
package(s) announced via the referenced advisory.
Vulnerability Insight:
The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system cannot
function properly.
An off-by-one heap-based buffer overflow flaw was found in glibc's internal
__gconv_translit_find() function. An attacker able to make an application
call the iconv_open() function with a specially crafted argument could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-5119)
A directory traversal flaw was found in the way glibc loaded locale files.
An attacker able to make an application use a specially crafted locale name
value (for example, specified in an LC_* environment variable) could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-0475)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-0475.
All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.
Affected Software/OS:
glibc on Red Hat Enterprise Linux (v. 5 server),
Red Hat Enterprise Linux Desktop (v. 6),
Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Server (v. 7),
Red Hat Enterprise Linux Workstation (v. 6)
Solution:
Please Install the Updated Packages.
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
