[security-announce] glibc: Security update

Adrian Dudau Adrian.Dudau at enea.com
Mon Mar 23 10:08:19 CET 2015


Enea Linux Security Advisory
=========================================================
Product/package: glibc 2.20
Severity: Low
CVE Name: CVE-2014-9402
=========================================================
A security patch that fixes a denial of service vulnerability in the
getnetbyname function is now available at
http://linux.enea.com/5.0-beta-m400/patches

README file: 0010-glibc-CVE-2014-9402-endless-loop-in-getaddr_r.patch
Patch file: 0010-glibc-CVE-2014-9402-endless-loop-in-getaddr_r.patch

Description
===========
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc)
before 2.21, when the DNS backend in the Name Service Switch
configuration is enabled, allows remote attackers to cause a denial of
service (infinite loop) by sending a positive answer while a network
name is being processed.
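
The two conditions in the description (glibc before 2.21, DNS backend enabled for network lookups) can be checked on a target with the script below. It is an added example, not part of the Enea advisory or the patch; the function names are hypothetical, and it assumes the standard nsswitch.conf "networks:" database line and that `getconf GNU_LIBC_VERSION` is available.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2014-9402 (not from the advisory).

# Exit 0: "dns" is listed for the networks database, so getnetbyname()
#         can reach nss_dns.
# Exit 1: a networks line exists and does not list "dns".
# Exit 2: no networks line found (glibc's built-in default then applies;
#         this script does not evaluate it).
networks_uses_dns() {
    awk '
        { sub(/#.*/, ""); sub(/:/, " : ") }   # drop comments, isolate the colon
        $1 == "networks" && $2 == ":" {
            seen = 1
            for (i = 3; i <= NF; i++) if ($i == "dns") found = 1
        }
        END { exit (seen ? (found ? 0 : 1) : 2) }
    ' "$1"
}

# Exit 0 if the version string (e.g. "2.20") is older than 2.21.
glibc_before_2_21() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 21 ]; }
}

# Print a one-line verdict for a config file and a glibc version.
# A patched 2.20 build still reports 2.20, hence "unless patched".
check_exposure() {
    if ! glibc_before_2_21 "$2"; then echo "not affected: glibc $2"; return 0; fi
    rc=0; networks_uses_dns "$1" || rc=$?
    case $rc in
        0) echo "exposed unless patched: glibc $2, networks uses dns" ;;
        1) echo "not reachable: networks does not use dns" ;;
        *) echo "unknown: no networks entry in $1" ;;
    esac
}

# Live check on the running system: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_exposure /etc/nsswitch.conf "$(getconf GNU_LIBC_VERSION | awk '{print $2}')"
fi
```
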

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402

How to apply the patches
=======================
- Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

- Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0010-glibc-CVE-2014-9402-endless-loop-in-getaddr_r.patch
patch -p1 < ./0010-glibc-CVE-2014-9402-endless-loop-in-getaddr_r.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
www.enea.com
