Rapid7 Vulnerability & Exploit Database

Oracle Linux: (CVE-2017-1213) ELSA-2018-0805: glibc security, bug fix, and enhancement update

Back to Search

Oracle Linux: (CVE-2017-1213) ELSA-2018-0805: glibc security, bug fix, and enhancement update

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
04/16/2018
Created
07/25/2018
Added
04/19/2018
Modified
01/22/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From ELSA-2018-0805:

[2.17-222] - Restore internal GLIBC_PRIVATE symbols for use during upgrades (#1523119) [2.17-221] - CVE-2018-1000001: Fix realpath() buffer underflow (#1534635) - i386: Fix unwinding for 32-bit C++ application (#1529982) - Reduce thread and dynamic loader stack usage (#1527904) - x86-64: Use XSAVE/XSAVEC more often during lazy symbol binding (#1528418) [2.17-220] - Update HWCAP bits for IBM POWER9 DD2.1 (#1503854) [2.17-219] - Rebuild with newer gcc for aarch64 stack probing fixes (#1500475) [2.17-218] - Improve memcpy performance for POWER9 DD2.1 (#1498925) [2.17-217] - Update Linux system call list to kernel 4.13 (#1508895) [2.17-216] - x86-64: Use XSAVE/XSAVEC in the ld.so trampoline (#1504969) [2.17-215] - CVE-2017-15670: glob: Fix one-byte overflow with GLOB_TILDE (#1504809) - CVE-2017-15804: glob: Fix buffer overflow in GLOB_TILDE unescaping (#1504809) [2.17-214] - Fix check-localplt test failure. - Include ld.so in check-localplt test. (#1440250) [2.17-213] - Fix build warning in locarchive.c (#1349964) [2.17-212] - Hide reference to mktemp in libpthread (#1349962) [2.17-211] - Implement fopencookie hardening (#1372305) [2.17-210] - x86-64: Support __tls_get_addr with an unaligned stack (#1468807) [2.17-209] - Define CLOCK_TAI in(#1448822)[2.17-208]- Compile glibc with -fstack-clash-protection (#1500475)[2.17-207]- aarch64: Avoid invalid relocations in the startup code (#1500908)[2.17-206]- Fix timezone test failures on large parallel builds. (#1234449, #1378329)[2.17-205]- Handle DSOs with no PLT (#1445781)[2.17-204]- libio: Implement vtable verification (#1398413)[2.17-203]- Fix socket system call selection on s390x (#1498566).- Use different construct for protected visibility in IFUNC tests (#1445644)[2.17-202]- Rebase the DNS stub resolver and getaddrinfo to the glibc 2.26 version- Support an arbitrary number of search domains in the stub resolver (#677316)- Detect and apply /etc/resolv.conf changes in libresolv (#1432085)- CVE-2017-1213: Fragmentation attacks possible when ENDS0 is enabled (#1487063)- CVE-2016-3706: Stack (frame) overflow in getaddrinfo when called with AF_INET, AF_INET6 (#1329674)- CVE-2015-5180: resolv: Fix crash with internal QTYPE (#1497131)- CVE-2014-9402: denial of service in getnetbyname function (#1497132)- Fix getaddrinfo to handle certain long lines in /etc/hosts (#1452034)- Make RES_ROTATE start with a random name server (#1257639)- Stricter IPv6 address parser (#1484034)- Remove noip6dotint support from the stub resolver (#1482988)- Remove partial bitstring label support from the stub resolver- Remove unsupported resolver hook functions from the API- Remove outdated RR type classification macros from the API- hesiod: Always use TLS resolver state- hesiod: Avoid non-trust-boundary crossing heap overflow in get_txt_records[2.17.201]- Fix hang in nscd cache prune thread (#1435615)[2.17-200]- Add binary timezone test data files (#1234449, #1378329)[2.17.198]- Add support for new IBM z14 (s390x) instructions (#1375235)[2.17-197]- Fix compile warnings in malloc (#1347277)- Fix occasional tst-malloc-usable failures (#1348000)- Additional chunk hardening in malloc (#1447556)- Pointer alignment fix in nss group merge (#1463692)- Fix SIGSEGV when LD_LIBRARY_PATH only has non-existing paths (#1443236)

Solution(s)

  • oracle-linux-upgrade-glibc
  • oracle-linux-upgrade-glibc-common
  • oracle-linux-upgrade-glibc-devel
  • oracle-linux-upgrade-glibc-headers
  • oracle-linux-upgrade-glibc-static
  • oracle-linux-upgrade-glibc-utils
  • oracle-linux-upgrade-nscd

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;