[Full-Disclosure] GLSA: glibc (200303-22)

From: Daniel Ahlberg (aliz@gentoo.org)
Date: 03/25/03

  • Next message: John.Airey@rnib.org.uk: "RE: [Full-Disclosure] [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities" 
    From: Daniel Ahlberg <aliz@gentoo.org>
To: full-disclosure@lists.netsys.com
Date: Tue, 25 Mar 2003 09:50:10 +0100

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200303-22
    - - ---------------------------------------------------------------------

              PACKAGE : glibc
              SUMMARY : integer overflow
                 DATE : 2003-03-25 08:49 UTC
              EXPLOIT : remote
    VERSIONS AFFECTED : <2.3.1-r4 (arm: <2.2.5-r8)
        FIXED VERSION : >=2.3.1-r4 (arm: >=2.2.5-r8)
                  CVE : CAN-2003-0028

    - - ---------------------------------------------------------------------

    - From advisory:

    "The xdrmem_getbytes() function in the XDR library provided by
    Sun Microsystems contains an integer overflow. Depending on the
    location and use of the vulnerable xdrmem_getbytes() routine, various
    conditions may be presented that can permit an attacker to remotely
    exploit a service using this vulnerable routine."

    Read the full advisory at:
    http://www.eeye.com/html/Research/Advisories/AD20030318.html

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    sys-libs/glibc upgrade to
    glibc-2.3.1-r4 (arm: glibc-2.2.5-r8) as follows:

    emerge sync
    emerge glibc
    emerge clean

    - - ---------------------------------------------------------------------
    aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
    - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+gBg5fT7nyhUpoZMRAp8SAJ0WL/EFzgcNRD6QwXIwKp60DYkhqQCfcoYt
    +syEpAhdT1ab5c1DBZKMLwc=
    =suct
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: John.Airey@rnib.org.uk: "RE: [Full-Disclosure] [RHSA-2003:088-01] New kernel 2.2 packages fix vulnerabilities"

    Relevant Pages

    • [Full-Disclosure] GLSA: dietlibc (200303-29)
      ... exploit a service using this vulnerable routine." ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge dietlibc ...
      (Full-Disclosure)
    • GLSA: dietlibc (200303-29)
      ... exploit a service using this vulnerable routine." ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge dietlibc ...
      (Bugtraq)
    • GLSA: glibc (200303-22)
      ... exploit a service using this vulnerable routine." ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge glibc ...
      (Bugtraq)
    • [Full-Disclosure] GLSA: netscape-flash (200303-9)
      ... GENTOO LINUX SECURITY ANNOUNCEMENT 200303-9 ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge netscape-flash ...
      (Full-Disclosure)
    • [Full-Disclosure] GLSA: man (200303-13)
      ... Read the full advisory at: ... It is recommended that all Gentoo Linux users who are running ... emerge sync ...
      (Full-Disclosure)