OracleVM 3.3 : glibc (OVMSA-2014-0033)

high Nessus Plugin ID 79548

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

- Switch gettimeofday from INTUSE to libc_hidden_proto (#1099025).

- Fix stack overflow due to large AF_INET6 requests (CVE-2013-4458, #1111460).

- Fix buffer overflow in readdir_r (CVE-2013-4237, #1111460).

- Fix memory order when reading libgcc handle (#905941).

- Fix format specifier in malloc_info output (#1027261).

- Fix nscd lookup for innetgr when netgroup has wildcards (#1054846).

- Add mmap usage to malloc_info output (#1027261).

- Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (#1087833).

- [ppc] Add VDSO IFUNC for gettimeofday (#1028285).

- [ppc] Fix ftime gettimeofday internal call returning bogus data (#1099025).

- Also relocate in dependency order when doing symbol dependency testing (#1019916).

- Fix infinite loop in nscd when netgroup is empty (#1085273).

- Provide correct buffer length to netgroup queries in nscd (#1074342).

- Return NULL for wildcard values in getnetgrent from nscd (#1085289).

- Avoid overlapping addresses to stpcpy calls in nscd (#1082379).

- Initialize all of datahead structure in nscd (#1074353).

- Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (#1044628).

- Do not fail if one of the two responses to AF_UNSPEC fails (#845218).

- nscd: Make SELinux checks dynamic (#1025933).

- Fix race in free of fastbin chunk (#1027101).

- Fix copy relocations handling of unique objects (#1032628).

- Fix encoding name for IDN in getaddrinfo (#981942).

- Fix return code from getent netgroup when the netgroup is not found (#1039988).

- Fix handling of static TLS in dlopen'ed objects (#995972).

- Don't use alloca in addgetnetgrentX (#1043557).

- Adjust pointers to triplets in netgroup query data (#1043557).

Solution

Update the affected glibc / glibc-common / nscd packages.

See Also

http://www.nessus.org/u?bed5f80b

Plugin Details

Severity: High

ID: 79548

File Name: oraclevm_OVMSA-2014-0033.nasl

Version: 1.9

Type: local

Published: 11/26/2014

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/4/2014

Vulnerability Publication Date: 10/9/2013

Reference Information

CVE: CVE-2013-4237, CVE-2013-4458, CVE-2014-0475, CVE-2014-5119

BID: 61729, 63299, 68505, 68983, 69738