Test ID:	1.3.6.1.4.1.25623.1.0.120455
Category:	Amazon Linux Local Security Checks
Title:	Amazon Linux: Security Advisory (ALAS-2015-468)
Summary:	The remote host is missing an update for the 'glibc' package(s) announced via the ALAS-2015-468 advisory.
Description:	Summary: The remote host is missing an update for the 'glibc' package(s) announced via the ALAS-2015-468 advisory. Vulnerability Insight: An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application. (CVE-2014-6040) It was found that the wordexp() function would perform command substitution even when the WRDE_NOCMD flag was specified. An attacker able to provide specially crafted input to an application using the wordexp() function, and not sanitizing the input correctly, could potentially use this flaw to execute arbitrary commands with the credentials of the user running that application. (CVE-2014-7817) Affected Software/OS: 'glibc' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-6040 62100 http://secunia.com/advisories/62100 62146 http://secunia.com/advisories/62146 69472 http://www.securityfocus.com/bid/69472 DSA-3142 http://www.debian.org/security/2015/dsa-3142 GLSA-201602-02 https://security.gentoo.org/glsa/201602-02 MDVSA-2014:175 http://www.mandriva.com/security/advisories?name=MDVSA-2014:175 USN-2432-1 http://ubuntu.com/usn/usn-2432-1 [oss-security] 20140829 CVE request: glibc character set conversion from IBM code pages http://www.openwall.com/lists/oss-security/2014/08/29/3 [oss-security] 20140902 Re: CVE request: glibc character set conversion from IBM code pages http://www.openwall.com/lists/oss-security/2014/09/02/1 http://linux.oracle.com/errata/ELSA-2015-0016.html https://sourceware.org/bugzilla/show_bug.cgi?id=17325 https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=41488498b6 Common Vulnerability Exposure (CVE) ID: CVE-2014-7817 71216 http://www.securityfocus.com/bid/71216 RHSA-2014:2023 http://rhn.redhat.com/errata/RHSA-2014-2023.html http://www.ubuntu.com/usn/USN-2432-1 [libc-alpha] 20141119 [COMMITTED] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD. https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html [oss-security] 20141120 CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified http://seclists.org/oss-sec/2014/q4/730 gnu-glibc-cve20147817-command-exec(98852) https://exchange.xforce.ibmcloud.com/vulnerabilities/98852 http://linux.oracle.com/errata/ELSA-2015-0092.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html https://sourceware.org/bugzilla/show_bug.cgi?id=17625 https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c openSUSE-SU-2015:0351 http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
Copyright	Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.