Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.703481
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 3481-1 (glibc - security update)
Summary:Several vulnerabilities have been fixed;in the GNU C Library, glibc.;;The first vulnerability listed below is considered to have critical;impact.;;CVE-2015-7547;The Google Security Team and Red Hat discovered that the glibc;host name resolver function, getaddrinfo, when processing;AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its;internal buffers, leading to a stack-based buffer overflow and;arbitrary code execution. This vulnerability affects most;applications which perform host name resolution using getaddrinfo,;including system services.;;CVE-2015-8776;Adam Nielsen discovered that if an invalid separated time value;is passed to strftime, the strftime function could crash or leak;information. Applications normally pass only valid time;information to strftime. No affected applications are known.;;CVE-2015-8778;Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r;functions did not check the size argument properly, leading to a;crash (denial of service) for certain arguments. No impacted;applications are known at this time.;;CVE-2015-8779;The catopen function contains several unbound stack allocations;(stack overflows), causing it the crash the process (denial of;service). No applications where this issue has a security impact;are currently known.;;While it is only necessary to ensure that all processes are not using;the old glibc anymore, it is recommended to reboot the machines after;applying the security upgrade.
Description:Summary:
Several vulnerabilities have been fixed
in the GNU C Library, glibc.

The first vulnerability listed below is considered to have critical
impact.

CVE-2015-7547
The Google Security Team and Red Hat discovered that the glibc
host name resolver function, getaddrinfo, when processing
AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its
internal buffers, leading to a stack-based buffer overflow and
arbitrary code execution. This vulnerability affects most
applications which perform host name resolution using getaddrinfo,
including system services.

CVE-2015-8776
Adam Nielsen discovered that if an invalid separated time value
is passed to strftime, the strftime function could crash or leak
information. Applications normally pass only valid time
information to strftime. No affected applications are known.

CVE-2015-8778
Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r
functions did not check the size argument properly, leading to a
crash (denial of service) for certain arguments. No impacted
applications are known at this time.

CVE-2015-8779
The catopen function contains several unbound stack allocations
(stack overflows), causing it the crash the process (denial of
service). No applications where this issue has a security impact
are currently known.

While it is only necessary to ensure that all processes are not using
the old glibc anymore, it is recommended to reboot the machines after
applying the security upgrade.

Affected Software/OS:
glibc on Debian Linux

Solution:
For the stable distribution (jessie),
these problems have been fixed in version 2.19-18+deb8u3.

For the unstable distribution (sid), these problems will be fixed in
version 2.21-8.

We recommend that you upgrade your glibc packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-7547
BugTraq ID: 83265
http://www.securityfocus.com/bid/83265
Bugtraq: 20190904 SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X (Google Search)
https://seclists.org/bugtraq/2019/Sep/7
CERT/CC vulnerability note: VU#457759
https://www.kb.cert.org/vuls/id/457759
Debian Security Information: DSA-3480 (Google Search)
http://www.debian.org/security/2016/dsa-3480
Debian Security Information: DSA-3481 (Google Search)
http://www.debian.org/security/2016/dsa-3481
https://www.exploit-db.com/exploits/39454/
https://www.exploit-db.com/exploits/40339/
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177412.html
http://seclists.org/fulldisclosure/2019/Sep/7
http://seclists.org/fulldisclosure/2021/Sep/0
https://security.gentoo.org/glsa/201602-02
HPdes Security Advisory: HPSBGN03442
http://marc.info/?l=bugtraq&m=145690841819314&w=2
HPdes Security Advisory: HPSBGN03547
http://marc.info/?l=bugtraq&m=145596041017029&w=2
HPdes Security Advisory: HPSBGN03549
http://marc.info/?l=bugtraq&m=145672440608228&w=2
HPdes Security Advisory: HPSBGN03551
http://marc.info/?l=bugtraq&m=145857691004892&w=2
HPdes Security Advisory: HPSBGN03582
http://marc.info/?l=bugtraq&m=146161017210491&w=2
http://packetstormsecurity.com/files/135802/glibc-getaddrinfo-Stack-Based-Buffer-Overflow.html
http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://ics-cert.us-cert.gov/advisories/ICSA-16-103-01
https://www.tenable.com/security/research/tra-2017-08
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
RedHat Security Advisories: RHSA-2016:0175
http://rhn.redhat.com/errata/RHSA-2016-0175.html
RedHat Security Advisories: RHSA-2016:0176
http://rhn.redhat.com/errata/RHSA-2016-0176.html
RedHat Security Advisories: RHSA-2016:0225
http://rhn.redhat.com/errata/RHSA-2016-0225.html
RedHat Security Advisories: RHSA-2016:0277
http://rhn.redhat.com/errata/RHSA-2016-0277.html
http://www.securitytracker.com/id/1035020
SuSE Security Announcement: SUSE-SU-2016:0470 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html
SuSE Security Announcement: SUSE-SU-2016:0471 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html
SuSE Security Announcement: SUSE-SU-2016:0472 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html
SuSE Security Announcement: SUSE-SU-2016:0473 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html
SuSE Security Announcement: openSUSE-SU-2016:0510 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html
SuSE Security Announcement: openSUSE-SU-2016:0511 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00043.html
SuSE Security Announcement: openSUSE-SU-2016:0512 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html
http://ubuntu.com/usn/usn-2900-1
Common Vulnerability Exposure (CVE) ID: CVE-2015-8776
BugTraq ID: 83277
http://www.securityfocus.com/bid/83277
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html
https://security.gentoo.org/glsa/201702-11
https://www.sourceware.org/ml/libc-alpha/2016-02/msg00502.html
http://www.openwall.com/lists/oss-security/2016/01/19/11
http://www.openwall.com/lists/oss-security/2016/01/20/1
RedHat Security Advisories: RHSA-2017:0680
http://rhn.redhat.com/errata/RHSA-2017-0680.html
RedHat Security Advisories: RHSA-2017:1916
https://access.redhat.com/errata/RHSA-2017:1916
http://www.ubuntu.com/usn/USN-2985-1
http://www.ubuntu.com/usn/USN-2985-2
Common Vulnerability Exposure (CVE) ID: CVE-2015-8778
BugTraq ID: 83275
http://www.securityfocus.com/bid/83275
Common Vulnerability Exposure (CVE) ID: CVE-2015-8779
BugTraq ID: 82244
http://www.securityfocus.com/bid/82244
CopyrightCopyright (C) 2016 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.