Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | |||
Test ID: | 1.3.6.1.4.1.25623.1.0.871555 |
Category: | Red Hat Local Security Checks |
Title: | RedHat Update for glibc RHSA-2016:0176-01 |
Summary: | The remote host is missing an update for the 'glibc'; package(s) announced via the referenced advisory. |
Description: | Summary: The remote host is missing an update for the 'glibc' package(s) announced via the referenced advisory. Vulnerability Insight: The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547) It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229) The CVE-2015-7547 issue was discovered by the Google Security Team and Red Hat. Red Hat would like to thank Jeff Layton for reporting the CVE-2015-5229 issue. This update also fixes the following bugs: * The existing implementation of the 'free' function causes all memory pools beyond the first to return freed memory directly to the operating system as quickly as possible. This can result in performance degradation when the rate of free calls is very high. The first memory pool (the main pool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD, but this method is not available to subsequent memory pools. With this update, the M_TRIM_THRESHOLD method is extended to apply to all memory pools, which improves performance for threads with very high amounts of free calls and limits the number of 'madvise' system calls. The change also increases the total transient memory usage by processes because the trim threshold must be reached before memory can be freed. To return to the previous behavior, you can either set M_TRIM_THRESHOLD using the 'mallopt' function, or set the MALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930) * On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug in the dynamic loader could cause applications compiled with profiling enabled to fail to start with the error 'monstartup: out of memory'. The bug has been corrected and applications compiled for profiling now start correctly. (BZ#1298956) All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Affected Software/OS: glibc on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2015-5229 BugTraq ID: 84172 http://www.securityfocus.com/bid/84172 RedHat Security Advisories: RHSA-2016:0176 http://rhn.redhat.com/errata/RHSA-2016-0176.html Common Vulnerability Exposure (CVE) ID: CVE-2015-7547 BugTraq ID: 83265 http://www.securityfocus.com/bid/83265 Bugtraq: 20190904 SEC Consult SA-20190904-0 :: Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X (Google Search) https://seclists.org/bugtraq/2019/Sep/7 CERT/CC vulnerability note: VU#457759 https://www.kb.cert.org/vuls/id/457759 Debian Security Information: DSA-3480 (Google Search) http://www.debian.org/security/2016/dsa-3480 Debian Security Information: DSA-3481 (Google Search) http://www.debian.org/security/2016/dsa-3481 https://www.exploit-db.com/exploits/39454/ https://www.exploit-db.com/exploits/40339/ http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177412.html http://seclists.org/fulldisclosure/2019/Sep/7 http://seclists.org/fulldisclosure/2021/Sep/0 https://security.gentoo.org/glsa/201602-02 HPdes Security Advisory: HPSBGN03442 http://marc.info/?l=bugtraq&m=145690841819314&w=2 HPdes Security Advisory: HPSBGN03547 http://marc.info/?l=bugtraq&m=145596041017029&w=2 HPdes Security Advisory: HPSBGN03549 http://marc.info/?l=bugtraq&m=145672440608228&w=2 HPdes Security Advisory: HPSBGN03551 http://marc.info/?l=bugtraq&m=145857691004892&w=2 HPdes Security Advisory: HPSBGN03582 http://marc.info/?l=bugtraq&m=146161017210491&w=2 http://packetstormsecurity.com/files/135802/glibc-getaddrinfo-Stack-Based-Buffer-Overflow.html http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html http://packetstormsecurity.com/files/164014/Moxa-Command-Injection-Cross-Site-Scripting-Vulnerable-Software.html https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://ics-cert.us-cert.gov/advisories/ICSA-16-103-01 https://www.tenable.com/security/research/tra-2017-08 https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html RedHat Security Advisories: RHSA-2016:0175 http://rhn.redhat.com/errata/RHSA-2016-0175.html RedHat Security Advisories: RHSA-2016:0225 http://rhn.redhat.com/errata/RHSA-2016-0225.html RedHat Security Advisories: RHSA-2016:0277 http://rhn.redhat.com/errata/RHSA-2016-0277.html http://www.securitytracker.com/id/1035020 SuSE Security Announcement: SUSE-SU-2016:0470 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html SuSE Security Announcement: SUSE-SU-2016:0471 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html SuSE Security Announcement: SUSE-SU-2016:0472 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html SuSE Security Announcement: SUSE-SU-2016:0473 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html SuSE Security Announcement: openSUSE-SU-2016:0510 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html SuSE Security Announcement: openSUSE-SU-2016:0511 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00043.html SuSE Security Announcement: openSUSE-SU-2016:0512 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html http://ubuntu.com/usn/usn-2900-1 |
Copyright | Copyright (C) 2016 Greenbone Networks GmbH |
This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |