Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: glibc (200303-22)
Date: Tue, 25 Mar 2003 09:19:52
Message-Id: 20030325084905.194245761@mail2.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - ---------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT 200303-22
6 - - ---------------------------------------------------------------------
7
8 PACKAGE : glibc
9 SUMMARY : integer overflow
10 DATE : 2003-03-25 08:49 UTC
11 EXPLOIT : remote
12 VERSIONS AFFECTED : <2.3.1-r4 (arm: <2.2.5-r8)
13 FIXED VERSION : >=2.3.1-r4 (arm: >=2.2.5-r8)
14 CVE : CAN-2003-0028
15
16 - - ---------------------------------------------------------------------
17
18 - From advisory:
19
20 "The xdrmem_getbytes() function in the XDR library provided by
21 Sun Microsystems contains an integer overflow. Depending on the
22 location and use of the vulnerable xdrmem_getbytes() routine, various
23 conditions may be presented that can permit an attacker to remotely
24 exploit a service using this vulnerable routine."
25
26 Read the full advisory at:
27 http://www.eeye.com/html/Research/Advisories/AD20030318.html
28
29 SOLUTION
30
31 It is recommended that all Gentoo Linux users who are running
32 sys-libs/glibc upgrade to
33 glibc-2.3.1-r4 (arm: glibc-2.2.5-r8) as follows:
34
35 emerge sync
36 emerge glibc
37 emerge clean
38
39 - - ---------------------------------------------------------------------
40 aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
41 - - ---------------------------------------------------------------------
42 -----BEGIN PGP SIGNATURE-----
43 Version: GnuPG v1.2.1 (GNU/Linux)
44
45 iD8DBQE+gBg5fT7nyhUpoZMRAp8SAJ0WL/EFzgcNRD6QwXIwKp60DYkhqQCfcoYt
46 +syEpAhdT1ab5c1DBZKMLwc=
47 =suct
48 -----END PGP SIGNATURE-----