
Test ID: 1.3.6.1.4.1.25623.1.0.51470
Category: Conectiva Local Security Checks
Title: Conectiva Security Advisory CLA-2003:762
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory CLA-2003:762.

The GNU C Library (glibc)[1] is the standard library used by almost
any program in a common GNU/Linux system.

This glibc update includes the fix for a local vulnerability and new
timezone maps adjusted for the Brazilian daylight saving time
2003/2004 schedule:

- Local vulnerability in the getgrouplist() function.
There is a buffer overflow in the getgrouplist() function which can be
triggered when a user belongs to a number of groups larger than the
one expected by the application. The consequences of the exploitation
of this vulnerability vary according to the application being
exploited and the scenario where it is running. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CVE-2003-0689 to this issue[2].

- Brazilian daylight saving time (summer time) update.
On September 24th, 2003 the dates when daylight saving time will
begin and end have finally been published[3] (less than 30 days of
advance notice). These dates have been inserted in the zoneinfo data
of glibc. Historically the dates on which the daylight saving time
starts and ends have always been chosen from year to year and are
seldom the same.

The packages for Conectiva Linux 9 include the latest stable version
of glibc (2.3.2), which includes several bugfixes and enhancements
when compared to the originally distributed version (2.3.1). The
details of these changes can be obtained in the project page[4].

Conectiva Linux 7.0 is not subject to the getgrouplist()
vulnerability and will have a separate update for the daylight saving
time issue available in our updates page[5].


Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'.

http://www.gnu.org/software/libc/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0689
http://www.gnu.org/software/libc/#CurrentStatus
http://distro.conectiva.com.br/atualizacoes/index.php?id=d&distro=000014
https://secure1.securityspace.com/smysecure/catid.html?in=CLA-2003:762
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High

CVSS Score:
7.5

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2003-0689
http://www.redhat.com/support/errata/RHSA-2003-249.html
http://www.redhat.com/support/errata/RHSA-2003-325.html
Copyright: Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
