Scientific Linux Security Update : glibc on SL5.x i386/x86_64

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

It was found that getaddrinfo() did not limit the amount of stack
memory used during name resolution. An attacker able to make an
application resolve an attacker-controlled hostname or IP address
could possibly cause the application to exhaust all stack memory and
crash. (CVE-2013-1914)

A flaw was found in the regular expression matching routines that
process multibyte character input. If an application utilized the
glibc regular expression matching mechanism, an attacker could provide
specially crafted input that, when processed, would cause the
application to crash. (CVE-2013-0242)

This update also fixes the following bugs :

- The improvements made in a previous update to the
accuracy of floating point functions in the math library
caused performance regressions for those functions. The
performance regressions were analyzed and a fix was
applied that retains the current accuracy but reduces
the performance penalty to acceptable levels.

- It was possible that a memory location freed by the
localization code could be accessed immediately after,
resulting in a crash. The fix ensures that the
application does not crash by avoiding the invalid
memory access.

See also :

http://www.nessus.org/u?ad5066e7

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 66227 ()

Bugtraq ID:

CVE ID: CVE-2013-0242
CVE-2013-1914