Horrible. ...however, might this be acceptable?
On Feb 22, 2015, at 11:08 PM, Aurelien Jarno <[email protected]> wrote:

> Signed PGP part
> ----------------------------------------------------------------------
> Debian Security Advisory DSA-3169-1                  [email protected]
> http://www.debian.org/security/                       Aurelien Jarno
> February 23, 2015                   http://www.debian.org/security/faq
> ----------------------------------------------------------------------
>
> Package        : eglibc
> CVE ID         : CVE-2012-3406 CVE-2013-7424 CVE-2014-4043 CVE-2014-9402
>                  CVE-2015-1472 CVE-2015-1473
> Debian Bug     : 681888 751774 775572 777197
>
> Several vulnerabilities have been fixed in eglibc, Debian's version of
> the GNU C library:
>
> CVE-2012-3406
>     The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka
>     glibc) 2.5, 2.12, and probably other versions does not "properly restrict
>     the use of" the alloca function when allocating the SPECS array, which
>     allows context-dependent attackers to bypass the FORTIFY_SOURCE
>     format-string protection mechanism and cause a denial of service (crash)
>     or possibly execute arbitrary code via a crafted format string using
>     positional parameters and a large number of format specifiers, a different
>     vulnerability than CVE-2012-3404 and CVE-2012-3405.
>
> CVE-2013-7424
>     An invalid free flaw was found in glibc's getaddrinfo() function when used
>     with the AI_IDN flag. A remote attacker able to make an application call
>     this function could use this flaw to execute arbitrary code with the
>     permissions of the user running the application. Note that this flaw only
>     affected applications using glibc compiled with libidn support.
>
> CVE-2014-4043
>     The posix_spawn_file_actions_addopen function in glibc before 2.20 does not
>     copy its path argument in accordance with the POSIX specification, which
>     allows context-dependent attackers to trigger use-after-free
>     vulnerabilities.
>
> CVE-2014-9402
>     The getnetbyname function in glibc 2.21 and earlier will enter an infinite
>     loop if the DNS backend is activated in the system Name Service Switch
>     configuration, and the DNS resolver receives a positive answer while
>     processing the network name.
>
> CVE-2015-1472
> CVE-2015-1473
>     Under certain conditions wscanf can allocate too little memory for the
>     to-be-scanned arguments and overflow the allocated buffer. The incorrect
>     use of "__libc_use_alloca (newsize)" caused a different (and weaker)
>     policy to be enforced which could allow a denial of service attack.
>
> For the unstable distribution (sid), all the above issues are fixed in version
> 2.19-15 of the glibc package.
>
> We recommend that you upgrade your eglibc packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: [email protected]
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
> Archive: https://lists.debian.org/[email protected]
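An added example, not part of the original message or of the advisory: a caller-side pattern that stays safe against the CVE-2014-4043 behaviour quoted above, by keeping the path buffer alive until the file actions object has been destroyed. The function names `spawn_to_file` and `first_line_is` are hypothetical, and `/bin/sh` is assumed to exist.

```c
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Run `sh -c cmd` with stdout redirected to dir/name.
 * Returns the child's exit status, or -1 on error. */
int spawn_to_file(const char *dir, const char *name, const char *cmd)
{
    size_t n = strlen(dir) + strlen(name) + 2;
    char *path = malloc(n);                /* short-lived heap buffer */
    if (!path) return -1;
    snprintf(path, n, "%s/%s", dir, name);

    posix_spawn_file_actions_t fa;
    if (posix_spawn_file_actions_init(&fa) != 0) { free(path); return -1; }
    int rc = posix_spawn_file_actions_addopen(&fa, STDOUT_FILENO, path,
                                              O_WRONLY | O_CREAT | O_TRUNC, 0600);
    /* Do NOT free(path) here: glibc before 2.20 stores this pointer uncopied. */

    pid_t pid = -1;
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };
    if (rc == 0)
        rc = posix_spawn(&pid, "/bin/sh", &fa, NULL, argv, environ);

    posix_spawn_file_actions_destroy(&fa); /* last use of the stored pointer */
    free(path);                            /* safe whether or not glibc copied it */
    if (rc != 0) return -1;

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Check helper: returns 1 if the first line of `file` equals `want`. */
int first_line_is(const char *file, const char *want)
{
    char buf[128] = "";
    FILE *f = fopen(file, "r");
    if (!f) return 0;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return strcmp(buf, want) == 0;
}
```

Freeing or reusing `path` between the `addopen` call and `posix_spawn` is the ordering that turns the missing copy into a use-after-free.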

