- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201011-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: GNU C library: Multiple vulnerabilities Date: November 15, 2010 Bugs: #285818, #325555, #330923, #335871, #341755 ID: 201011-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in glibc, the worst of which allowing local attackers to execute arbitrary code as root. Background ========== The GNU C library is the standard C library used by Gentoo Linux systems. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-libs/glibc < 2.11.2-r3 >= 2.11.2-r3 Description =========== Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Impact ====== A local attacker could execute arbitrary code as root, cause a Denial of Service, or gain privileges. Additionally, a user-assisted remote attacker could cause the execution of arbitrary code, and a context-dependent attacker could cause a Denial of Service. Workaround ========== There is no known workaround at this time. Resolution ========== All GNU C library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.11.2-r3" References ========== [ 1 ] CVE-2009-4880 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4880 [ 2 ] CVE-2009-4881 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4881 [ 3 ] CVE-2010-0296 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0296 [ 4 ] CVE-2010-0830 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0830 [ 5 ] CVE-2010-3847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3847 [ 6 ] CVE-2010-3856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3856 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201011-01.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature