ubuntu-security-announce Digest, Vol 119, Issue 4

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2306-2] GNU C Library regression (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Tue, 05 Aug 2014 13:36:43 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2306-2] GNU C Library regression
Message-ID: <53E1162B.8080708@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2306-2
August 05, 2014

eglibc regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

USN-2306-1 introduced a regression in the GNU C Library.

Software Description:
- eglibc: GNU C Library

Details:

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the security update cause a regression in certain environments that use
the Name Service Caching Daemon (nscd), such as those configured for LDAP
or MySQL authentication. In these environments, the nscd daemon may need
to be stopped manually for name resolution to resume working so that
updates can be downloaded, including environments configured for unattended
updates.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)
It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)
Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)
David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
libc6 2.11.1-0ubuntu7.15

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2306-2
http://www.ubuntu.com/usn/usn-2306-1
https://launchpad.net/bugs/1352504

Package Information:
https://launchpad.net/ubuntu/+source/eglibc/2.11.1-0ubuntu7.15


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140805/3a46aacc/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 119, Issue 4
********************************************************