Rapid7 Vulnerability & Exploit Database

RHSA-2002:139: Updated glibc packages fix vulnerabilities in resolver

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 08/12/2002
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated glibc packages are available to fix two vulnerabilities in the resolver functions.

The glibc package contains standard libraries which are used by multiple programs on the system. A buffer overflow vulnerability has been found in the way the glibc resolver handles the resolution of network names and addresses via DNS (as per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are affected. A system would be vulnerable to this issue if the "networks" database in /etc/nsswitch.conf includes the "dns" entry. By default, Red Hat Linux ships with "networks" set to "files" and is therefore not vulnerable to this issue. (CAN-2002-0684)

A second, related issue is a bug in the glibc-compat packages, which provide compatibility for applications compiled against glibc version 2.0.x. Applications compiled against this version (such as those distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also be vulnerable to this issue. (CAN-2002-0651)

These errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium architecture also include a fix for the strncpy implementation in some boundary cases.

All users should upgrade to these errata packages, which contain patches to the glibc and glibc-compat libraries and are therefore not vulnerable to these issues.
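The exposure condition for CAN-2002-0684 described above (a "networks" database that includes "dns") can be checked per host. The following is an added example, not part of the advisory or of any Red Hat or Rapid7 tooling; the function name `networks_dns_status` is hypothetical, and it reports `unset` when no "networks" line exists so that the library's built-in default can be reviewed separately.

```shell
#!/bin/sh
# Classify the "networks" database entry of an nsswitch.conf-style file.
# Usage: networks_dns_status [FILE|-]   (default /etc/nsswitch.conf, "-" = stdin)
# Prints one of: dns | no-dns | unset | unreadable
networks_dns_status() {
    conf=${1:-/etc/nsswitch.conf}
    if [ "$conf" != "-" ] && [ ! -r "$conf" ]; then
        echo "unreadable"
        return 2
    fi
    awk '
        { sub(/#.*/, "") }                      # strip comments first
        /^[ \t]*networks[ \t]*:/ {
            seen = 1
            sub(/^[ \t]*networks[ \t]*:/, "")   # keep only the service list
            gsub(/\[[^]]*\]/, " ")              # drop actions such as [NOTFOUND=return]
            n = split($0, svc, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (svc[i] == "dns") dns = 1    # any networks line naming dns counts
        }
        END { print (dns ? "dns" : (seen ? "no-dns" : "unset")) }
    ' "$conf"
}

# Constructed sample lines (not taken from a real host):
printf 'networks:   files\n'                      | networks_dns_status -
printf 'networks: files [NOTFOUND=return] dns\n'  | networks_dns_status -
```

A result of `dns` means the host meets the configuration condition the advisory names and should be prioritised for the errata packages.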

Solution(s)

  • redhat-upgrade-glibc
  • redhat-upgrade-glibc-common
  • redhat-upgrade-glibc-debug
  • redhat-upgrade-glibc-debug-static
  • redhat-upgrade-glibc-devel
  • redhat-upgrade-glibc-profile
  • redhat-upgrade-glibc-utils
  • redhat-upgrade-nscd
