OracleVM 3.3 : glibc (OVMSA-2014-0033)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Remove gconv transliteration loadable modules support
(CVE-2014-5119, - _nl_find_locale: Improve handling of
crafted locale names (CVE-2014-0475,

- Switch gettimeofday from INTUSE to libc_hidden_proto
(#1099025).

- Fix stack overflow due to large AF_INET6 requests
(CVE-2013-4458, #1111460).

- Fix buffer overflow in readdir_r (CVE-2013-4237,
#1111460).

- Fix memory order when reading libgcc handle (#905941).

- Fix format specifier in malloc_info output (#1027261).

- Fix nscd lookup for innetgr when netgroup has wildcards
(#1054846).

- Add mmap usage to malloc_info output (#1027261).

- Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer
(#1087833).

- [ppc] Add VDSO IFUNC for gettimeofday (#1028285).

- [ppc] Fix ftime gettimeofday internal call returning
bogus data (#1099025).

- Also relocate in dependency order when doing symbol
dependency testing (#1019916).

- Fix infinite loop in nscd when netgroup is empty
(#1085273).

- Provide correct buffer length to netgroup queries in
nscd (#1074342).

- Return NULL for wildcard values in getnetgrent from nscd
(#1085289).

- Avoid overlapping addresses to stpcpy calls in nscd
(#1082379).

- Initialize all of datahead structure in nscd (#1074353).

- Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN
(#1044628).

- Do not fail if one of the two responses to AF_UNSPEC
fails (#845218).

- nscd: Make SELinux checks dynamic (#1025933).

- Fix race in free of fastbin chunk (#1027101).

- Fix copy relocations handling of unique objects
(#1032628).

- Fix encoding name for IDN in getaddrinfo (#981942).

- Fix return code from getent netgroup when the netgroup
is not found (#1039988).

- Fix handling of static TLS in dlopen'ed objects
(#995972).

- Don't use alloca in addgetnetgrentX (#1043557).

- Adjust pointers to triplets in netgroup query data
(#1043557).

See also :

http://www.nessus.org/u?bed5f80b

Solution :

Update the affected glibc / glibc-common / nscd packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79548 ()

Bugtraq ID: 61729
63299
68505
68983
69738

CVE ID: CVE-2013-4237
CVE-2013-4458
CVE-2014-0475
CVE-2014-5119

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now