Trustix alert 2002-0070 (glibc)

From:  tsl@trustix.com (Trustix Secure Linux Advisor)
To:  tsl-announce@trustix.org
Subject:  TSLSA-2002-0070-glibc
Date:  Thu, 17 Oct 2002 13:12:14 +0200

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0070

Package name:      glibc
Summary:           Minor security fix
Date:              2002-10-17
Affected versions: TSL 1.1, 1.2, 1.5

--------------------------------------------------------------------------
Package description:
  The glibc package contains standard libraries which are used by
  multiple programs on the system. In order to save disk space and
  memory, as well as to make upgrading easier, common system code is
  kept in one place and shared between programs. This particular package
  contains the most important sets of shared libraries: the standard C
  library and the standard math library. Without these two libraries, a
  Linux system will not function. The glibc package also contains
  national language (locale) support and timezone databases.

Problem description:
  From CERT Advisory CA-2002-25 Integer Overflow In XDR Library

  There is an integer overflow present in the xdr_array() function
  distributed as part of the Sun Microsystems XDR library. This overflow
  has been shown to lead to remotely exploitable buffer overflows in
  multiple applications, leading to the execution of arbitrary code.
  Although the library was originally distributed by Sun Microsystems,
  multiple vendors have included the vulnerable code in their own
  implementations.

  The vulnerable code is also present in the version of glibc which is
  shipped with all versions of TSL, and we have applied a patch to fix
  it in this update.

Action:
  We recommend that all systems with this package installed be upgraded.

Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With
  focus on security and stability, the system is painlessly kept safe
  and up to date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>

Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>

Verification:
  This advisory along with all TSL packages are signed with the TSL sign
  key. This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/>
  and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0070-glibc.asc.txt>

MD5sums of the packages:

--------------------------------------------------------------------------

Trustix Security Team

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo.cgi/tsl-announce
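
The class of bug named in the problem description, shown as an added example that is not part of the advisory and is not glibc's or Sun's code: a simplified model of the element-count times element-size calculation an array decoder performs before allocating, next to a checked form. The function names, the 32-bit types and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not the library's code. "count" is the element count
 * read from the wire, "elsize" the caller's per-element size, "maxcount"
 * the caller's limit on elements. 32-bit arithmetic is modelled explicitly. */

/* Unchecked form: the product is reduced modulo 2^32, so a large count can
 * yield a small allocation size while the decode loop still runs "count"
 * times. */
static uint32_t alloc_size_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Checked form: reject the request before multiplying.
 * Returns 0 and stores the size in *out, or -1 if the request is refused. */
static int alloc_size_checked(uint32_t count, uint32_t elsize,
                              uint32_t maxcount, uint32_t *out)
{
    if (count > maxcount)
        return -1;                      /* over the caller's element limit */
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return -1;                      /* count * elsize would wrap */
    *out = count * elsize;
    return 0;
}

int main(void)
{
    /* Constructed values: a caller that passes no effective element limit. */
    uint32_t count = 0x40000001u, elsize = 4, size = 0;

    printf("unchecked size: %u bytes for %u elements\n",
           (unsigned)alloc_size_unchecked(count, elsize), (unsigned)count);

    if (alloc_size_checked(count, elsize, UINT32_MAX, &size) != 0)
        printf("checked: request rejected\n");

    if (alloc_size_checked(16, elsize, 1024, &size) == 0)
        printf("checked: 16 elements -> %u bytes\n", (unsigned)size);
    return 0;
}
```

The division-based test is the part that matters: a limit on the element count alone does not help when the caller's limit is itself large enough for the product to wrap.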


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds