332 vulnerabilities found for glibc by gnu
CVE-2026-5928 (GCVE-0-2026-5928)
Vulnerability from nvd – Published: 2026-04-20 20:37 – Updated: 2026-04-21 19:49 - CWE-127 - Buffer under-read

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.1.1-89, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5928",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:10:57.731635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:49:59.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.1.1-89",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\u003cbr\u003e\u003cbr\u003eA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u0026gt;_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u0026gt;_wide_data-\u0026gt;_IO_read_ptr). The program crash may happen in cases where fp-\u0026gt;_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
}
],
"value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u003e_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u003e_wide_data-\u003e_IO_read_ptr). The program crash may happen in cases where fp-\u003e_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
},
{
"capecId": "CAPEC-267",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-267 Leverage Alternate Encoding"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-127",
"description": "CWE-127 Buffer under-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T20:37:31.743Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Static buffer overflow in deprecated nis_local_principal",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-5928",
"datePublished": "2026-04-20T20:37:31.743Z",
"dateReserved": "2026-04-08T22:47:29.814Z",
"dateUpdated": "2026-04-21T19:49:59.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5450 (GCVE-0-2026-5450)
Vulnerability from nvd – Published: 2026-04-20 20:55 – Updated: 2026-04-21 19:49 - CWE-122 - Heap-based buffer overflow
| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.7, < * (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5450",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:11:50.875542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:49:53.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "2.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"datePublic": "2026-03-19T17:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling the scanf family of functions with a %mc (malloc\u0027d character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."
}
],
"value": "Calling the scanf family of functions with a %mc (malloc\u0027d character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T20:55:41.170Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"
},
{
"tags": [
"mailing-list"
],
"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "scanf %mc off-by-one heap buffer overflow",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-5450",
"datePublished": "2026-04-20T20:55:41.170Z",
"dateReserved": "2026-04-02T21:47:21.403Z",
"dateUpdated": "2026-04-21T19:49:53.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4046 (GCVE-0-2026-4046)
Vulnerability from nvd – Published: 2026-03-30 17:16 – Updated: 2026-04-20 21:02 - CWE-617 - Reachable assertion
| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.3.3, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4046",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T17:33:59.227677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T17:35:48.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.3.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"datePublic": "2026-03-12T09:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\u003cbr\u003e\n\u003cbr\u003eThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.\n\u003cbr\u003e"
}
],
"value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T21:02:31.443Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33980"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"
},
{
"tags": [
"mailing-list"
],
"url": "https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "iconv crash due to assertion failure with untrusted input",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4046",
"datePublished": "2026-03-30T17:16:11.021Z",
"dateReserved": "2026-03-12T10:12:32.994Z",
"dateUpdated": "2026-04-20T21:02:31.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4438 (GCVE-0-2026-4438)
Vulnerability from nvd – Published: 2026-03-20 19:59 – Updated: 2026-03-23 15:06 - CWE-20 - Improper input validation

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.34, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:06:13.636418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:06:16.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.34",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me"
}
],
"datePublic": "2026-03-20T22:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.\u003c/div\u003e"
}
],
"value": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T19:59:06.064Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4438",
"datePublished": "2026-03-20T19:59:06.064Z",
"dateReserved": "2026-03-19T19:55:44.639Z",
"dateUpdated": "2026-03-23T15:06:16.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4437 (GCVE-0-2026-4437)
Vulnerability from nvd – Published: 2026-03-20 19:59 – Updated: 2026-03-23 15:13 - CWE-125 - Out-of-bounds read

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.34, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:10:34.650805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:13:56.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.34",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me"
},
{
"lang": "en",
"type": "reporter",
"value": "Kevin Farrell"
}
],
"datePublic": "2026-03-20T22:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T19:59:00.427Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34014"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4437",
"datePublished": "2026-03-20T19:59:00.427Z",
"dateReserved": "2026-03-19T19:55:42.906Z",
"dateUpdated": "2026-03-23T15:13:56.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3904 (GCVE-0-2026-3904)
Vulnerability from nvd – Published: 2026-03-11 13:19 – Updated: 2026-03-11 15:56 - CWE-366 - Race condition within a thread

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.35, < 2.37 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-11T15:16:39.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/11/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:56:03.349329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:56:23.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"x86"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "2.37",
"status": "affected",
"version": "2.35",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling NSS-backed functions that support caching via nscd may call the \nnscd client side code and in the GNU C Library version 2.36 under high \nload on x86_64 systems, the client may call memcmp on inputs that are \nconcurrently modified by other processes or threads and crash.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe nscd client in the GNU C Library uses the memcmp function with \ninputs that may be concurrently modified by another thread, potentially \nresulting in spurious cache misses, which in itself is not a security \nissue.\u0026nbsp; However in the GNU C Library version 2.36 an optimized \nimplementation of memcmp was introduced for x86_64 which could crash \nwhen invoked with such undefined behaviour, turning this into a \npotential crash of the nscd client and the application that uses it. \nThis implementation was backported to the 2.35 branch, making the nscd \nclient in that branch vulnerable as well.\u0026nbsp; Subsequently, the fix for \nthis issue was backported to all vulnerable branches in the GNU C \nLibrary repository.\u003cbr\u003e\n\u003cbr\u003eIt is advised that distributions that may have cherry-picked the memcpy \nSSE2 optimization in their copy of the GNU C Library, also apply the fix \nto avoid the potential crash in the nscd client.\u003c/div\u003e"
}
],
"value": "Calling NSS-backed functions that support caching via nscd may call the \nnscd client side code and in the GNU C Library version 2.36 under high \nload on x86_64 systems, the client may call memcmp on inputs that are \nconcurrently modified by other processes or threads and crash.\n\n\n\n\nThe nscd client in the GNU C Library uses the memcmp function with \ninputs that may be concurrently modified by another thread, potentially \nresulting in spurious cache misses, which in itself is not a security \nissue.\u00a0 However in the GNU C Library version 2.36 an optimized \nimplementation of memcmp was introduced for x86_64 which could crash \nwhen invoked with such undefined behaviour, turning this into a \npotential crash of the nscd client and the application that uses it. \nThis implementation was backported to the 2.35 branch, making the nscd \nclient in that branch vulnerable as well.\u00a0 Subsequently, the fix for \nthis issue was backported to all vulnerable branches in the GNU C \nLibrary repository.\n\n\nIt is advised that distributions that may have cherry-picked the memcmp \nSSE2 optimization in their copy of the GNU C Library, also apply the fix \nto avoid the potential crash in the nscd client."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "CWE-366 Race condition within a thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:19:09.741Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0004;hb=HEAD"
},
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29863"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=8804157ad9da39631703b92315460808eac86b0c"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=b712be52645282c706a5faa038242504feb06db5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-3904",
"datePublished": "2026-03-11T13:19:09.741Z",
"dateReserved": "2026-03-10T19:52:49.054Z",
"dateUpdated": "2026-03-11T15:56:23.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15281 (GCVE-0-2025-15281)
Vulnerability from nvd – Published: 2026-01-20 13:22 – Updated: 2026-01-22 19:21 - CWE-908 - Use of Uninitialized Resource

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.0, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-20T17:08:42.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/20/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T19:21:34.491759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T19:21:38.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vitaly Simonovich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.\u003c/div\u003e"
}
],
"value": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T13:22:46.495Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33814"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-15281",
"datePublished": "2026-01-20T13:22:46.495Z",
"dateReserved": "2025-12-29T20:07:29.736Z",
"dateUpdated": "2026-01-22T19:21:38.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0915 (GCVE-0-2026-0915)
Vulnerability from nvd – Published: 2026-01-15 22:08 – Updated: 2026-01-20 16:03 - CWE-908 - Use of Uninitialized Resource

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.0, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-16T17:06:43.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/16/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0915",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:03:19.464174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:03:52.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Igor Morgenstern, Aisle Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver."
}
],
"value": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver."
}
],
"impacts": [
{
"capecId": "CAPEC-204",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T22:08:41.630Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resolver",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-0915",
"datePublished": "2026-01-15T22:08:41.630Z",
"dateReserved": "2026-01-13T19:02:42.388Z",
"dateUpdated": "2026-01-20T16:03:52.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0861 (GCVE-0-2026-0861)
Vulnerability from nvd – Published: 2026-01-14 21:01 – Updated: 2026-01-16 17:06 - CWE-190 - Integer Overflow or Wraparound

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.30, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0861",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T21:24:01.342438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T21:25:55.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-16T17:06:42.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/16/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Igor Morgenstern, Aisle Research"
}
],
"datePublic": "2026-01-14T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\u003cbr\u003e\u003cbr\u003eNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u0026lt;\u0026lt;62+ 1, 1\u0026lt;\u0026lt;63] and exactly 1\u0026lt;\u0026lt;63 for posix_memalign and aligned_alloc.\u003cbr\u003e\u003cbr\u003eTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments."
}
],
"value": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:37:33.544Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33796"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer overflow in memalign leads to heap corruption",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-0861",
"datePublished": "2026-01-14T21:01:11.037Z",
"dateReserved": "2026-01-12T14:35:11.285Z",
"dateUpdated": "2026-01-16T17:06:42.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5745 (GCVE-0-2025-5745)
Vulnerability from nvd – Published: 2025-06-05 19:20 – Updated: 2025-06-05 20:13
- CWE-665 - Improper Initialization

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.40 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T20:11:39.550335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T20:13:51.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Power10"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"status": "affected",
"version": "2.40",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-05T02:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"value": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T19:20:57.253Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33060"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the \u003ccode\u003eglibc.cpu.hwcaps\u003c/code\u003e tunable. This can be done by exporting the \u003ccode\u003eGLIBC_TUNABLES\u003c/code\u003e environment variable like so:\u003cbr\u003e\u003cbr\u003e\n\n\u003ccode\u003e\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1\u003c/code\u003e"
}
],
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the glibc.cpu.hwcaps tunable. This can be done by exporting the GLIBC_TUNABLES environment variable like so:\n\n\n\n\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-5745",
"datePublished": "2025-06-05T19:20:23.405Z",
"dateReserved": "2025-06-05T19:15:09.234Z",
"dateUpdated": "2025-06-05T20:13:51.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5702 (GCVE-0-2025-5702)
Vulnerability from nvd – Published: 2025-06-05 18:23 – Updated: 2025-06-05 20:21
- CWE-665 - Improper Initialization

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.39 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T20:17:18.849567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T20:21:44.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Power10"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"status": "affected",
"version": "2.39",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-05T02:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"value": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T18:23:57.872Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33056"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the \u003ccode\u003eglibc.cpu.hwcaps\u003c/code\u003e tunable. This can be done by exporting the \u003ccode\u003eGLIBC_TUNABLES\u003c/code\u003e environment variable like so:\u003cbr\u003e\u003cbr\u003e\n\n\u003ccode\u003e\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1\u003c/code\u003e"
}
],
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the glibc.cpu.hwcaps tunable. This can be done by exporting the GLIBC_TUNABLES environment variable like so:\n\n\n\n\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-5702",
"datePublished": "2025-06-05T18:23:57.872Z",
"dateReserved": "2025-06-04T21:57:13.818Z",
"dateUpdated": "2025-06-05T20:21:44.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4802 (GCVE-0-2025-4802)
Vulnerability from nvd – Published: 2025-05-16 19:32 – Updated: 2026-02-26 18:28
- CWE-426 - Untrusted Search Path

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.27, < 2.39 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:04:41.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/16/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/17/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-26T03:55:54.573371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:07.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "2.39",
"status": "affected",
"version": "2.27",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-05-16T19:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
}
],
"value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
}
],
"impacts": [
{
"capecId": "CAPEC-13",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-13 Subverting Environment Variable Values"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T19:32:50.586Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e"
},
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32976"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-4802",
"datePublished": "2025-05-16T19:32:50.586Z",
"dateReserved": "2025-05-15T21:32:45.284Z",
"dateUpdated": "2026-02-26T18:28:07.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5450 (GCVE-0-2026-5450)
Vulnerability from cvelistv5 – Published: 2026-04-20 20:55 – Updated: 2026-04-21 19:49
- CWE-122 - Heap-based buffer overflow
| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.7, < * (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5450",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:11:50.875542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:49:53.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "2.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"datePublic": "2026-03-19T17:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling the scanf family of functions with a %mc (malloc\u0027d character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."
}
],
"value": "Calling the scanf family of functions with a %mc (malloc\u0027d character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T20:55:41.170Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"
},
{
"tags": [
"mailing-list"
],
"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "scanf %mc off-by-one heap buffer overflow",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-5450",
"datePublished": "2026-04-20T20:55:41.170Z",
"dateReserved": "2026-04-02T21:47:21.403Z",
"dateUpdated": "2026-04-21T19:49:53.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5928 (GCVE-0-2026-5928)
Vulnerability from cvelistv5 – Published: 2026-04-20 20:37 – Updated: 2026-04-21 19:49
- CWE-127 - Buffer under-read

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.1.1-89, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5928",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:10:57.731635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:49:59.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.1.1-89",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\u003cbr\u003e\u003cbr\u003eA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u0026gt;_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u0026gt;_wide_data-\u0026gt;_IO_read_ptr). The program crash may happen in cases where fp-\u0026gt;_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
}
],
"value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u003e_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u003e_wide_data-\u003e_IO_read_ptr). The program crash may happen in cases where fp-\u003e_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540 Overread Buffers"
}
]
},
{
"capecId": "CAPEC-267",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-267 Leverage Alternate Encoding"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-127",
"description": "CWE-127 Buffer under-read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T20:37:31.743Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Static buffer overflow in deprecated nis_local_principal",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-5928",
"datePublished": "2026-04-20T20:37:31.743Z",
"dateReserved": "2026-04-08T22:47:29.814Z",
"dateUpdated": "2026-04-21T19:49:59.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4046 (GCVE-0-2026-4046)
Vulnerability from cvelistv5 – Published: 2026-03-30 17:16 – Updated: 2026-04-20 21:02
- CWE-617 - Reachable assertion
| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.3.3, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4046",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T17:33:59.227677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T17:35:48.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.3.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rocket Ma"
}
],
"datePublic": "2026-03-12T09:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\u003cbr\u003e\n\u003cbr\u003eThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.\n\u003cbr\u003e"
}
],
"value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T21:02:31.443Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33980"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"
},
{
"tags": [
"mailing-list"
],
"url": "https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "iconv crash due to assertion failure with untrusted input",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4046",
"datePublished": "2026-03-30T17:16:11.021Z",
"dateReserved": "2026-03-12T10:12:32.994Z",
"dateUpdated": "2026-04-20T21:02:31.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4438 (GCVE-0-2026-4438)
Vulnerability from cvelistv5 – Published: 2026-03-20 19:59 – Updated: 2026-03-23 15:06
- CWE-20 - Improper input validation

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.34, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:06:13.636418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:06:16.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.34",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me"
}
],
"datePublic": "2026-03-20T22:17:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.\u003c/div\u003e"
}
],
"value": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T19:59:06.064Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34015"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4438",
"datePublished": "2026-03-20T19:59:06.064Z",
"dateReserved": "2026-03-19T19:55:44.639Z",
"dateUpdated": "2026-03-23T15:06:16.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4437 (GCVE-0-2026-4437)
Vulnerability from cvelistv5 – Published: 2026-03-20 19:59 – Updated: 2026-03-23 15:13
CWE-125 - Out-of-bounds read

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.34, ≤ 2.43 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:10:34.650805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:13:56.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.43",
"status": "affected",
"version": "2.34",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me"
},
{
"lang": "en",
"type": "reporter",
"value": "Kevin Farrell"
}
],
"datePublic": "2026-03-20T22:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer."
}
],
"impacts": [
{
"capecId": "CAPEC-142",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-142 DNS Cache Poisoning"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T19:59:00.427Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34014"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-4437",
"datePublished": "2026-03-20T19:59:00.427Z",
"dateReserved": "2026-03-19T19:55:42.906Z",
"dateUpdated": "2026-03-23T15:13:56.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3904 (GCVE-0-2026-3904)
Vulnerability from cvelistv5 – Published: 2026-03-11 13:19 – Updated: 2026-03-11 15:56
CWE-366 - Race condition within a thread

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.35, < 2.37 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-11T15:16:39.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/11/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:56:03.349329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:56:23.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"x86"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "2.37",
"status": "affected",
"version": "2.35",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling NSS-backed functions that support caching via nscd may call the \nnscd client side code and in the GNU C Library version 2.36 under high \nload on x86_64 systems, the client may call memcmp on inputs that are \nconcurrently modified by other processes or threads and crash.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe nscd client in the GNU C Library uses the memcmp function with \ninputs that may be concurrently modified by another thread, potentially \nresulting in spurious cache misses, which in itself is not a security \nissue.\u0026nbsp; However in the GNU C Library version 2.36 an optimized \nimplementation of memcmp was introduced for x86_64 which could crash \nwhen invoked with such undefined behaviour, turning this into a \npotential crash of the nscd client and the application that uses it. \nThis implementation was backported to the 2.35 branch, making the nscd \nclient in that branch vulnerable as well.\u0026nbsp; Subsequently, the fix for \nthis issue was backported to all vulnerable branches in the GNU C \nLibrary repository.\u003cbr\u003e\n\u003cbr\u003eIt is advised that distributions that may have cherry-picked the memcmp \nSSE2 optimization in their copy of the GNU C Library, also apply the fix \nto avoid the potential crash in the nscd client.\u003c/div\u003e"
}
],
"value": "Calling NSS-backed functions that support caching via nscd may call the \nnscd client side code and in the GNU C Library version 2.36 under high \nload on x86_64 systems, the client may call memcmp on inputs that are \nconcurrently modified by other processes or threads and crash.\n\n\n\n\nThe nscd client in the GNU C Library uses the memcmp function with \ninputs that may be concurrently modified by another thread, potentially \nresulting in spurious cache misses, which in itself is not a security \nissue.\u00a0 However in the GNU C Library version 2.36 an optimized \nimplementation of memcmp was introduced for x86_64 which could crash \nwhen invoked with such undefined behaviour, turning this into a \npotential crash of the nscd client and the application that uses it. \nThis implementation was backported to the 2.35 branch, making the nscd \nclient in that branch vulnerable as well.\u00a0 Subsequently, the fix for \nthis issue was backported to all vulnerable branches in the GNU C \nLibrary repository.\n\n\nIt is advised that distributions that may have cherry-picked the memcmp \nSSE2 optimization in their copy of the GNU C Library, also apply the fix \nto avoid the potential crash in the nscd client."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-366",
"description": "CWE-366 Race condition within a thread",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:19:09.741Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0004;hb=HEAD"
},
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29863"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=8804157ad9da39631703b92315460808eac86b0c"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=b712be52645282c706a5faa038242504feb06db5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-3904",
"datePublished": "2026-03-11T13:19:09.741Z",
"dateReserved": "2026-03-10T19:52:49.054Z",
"dateUpdated": "2026-03-11T15:56:23.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15281 (GCVE-0-2025-15281)
Vulnerability from cvelistv5 – Published: 2026-01-20 13:22 – Updated: 2026-01-22 19:21
CWE-908 - Use of Uninitialized Resource

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.0, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-20T17:08:42.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/20/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T19:21:34.491759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T19:21:38.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vitaly Simonovich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCalling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.\u003c/div\u003e"
}
],
"value": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T13:22:46.495Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33814"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-15281",
"datePublished": "2026-01-20T13:22:46.495Z",
"dateReserved": "2025-12-29T20:07:29.736Z",
"dateUpdated": "2026-01-22T19:21:38.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0915 (GCVE-0-2026-0915)
Vulnerability from cvelistv5 – Published: 2026-01-15 22:08 – Updated: 2026-01-20 16:03
CWE-908 - Use of Uninitialized Resource

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.0, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-16T17:06:43.013Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/16/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0915",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T16:03:19.464174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T16:03:52.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Igor Morgenstern, Aisle Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver."
}
],
"value": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library\u0027s DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver."
}
],
"impacts": [
{
"capecId": "CAPEC-204",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T22:08:41.630Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resolver",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-0915",
"datePublished": "2026-01-15T22:08:41.630Z",
"dateReserved": "2026-01-13T19:02:42.388Z",
"dateUpdated": "2026-01-20T16:03:52.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0861 (GCVE-0-2026-0861)
Vulnerability from cvelistv5 – Published: 2026-01-14 21:01 – Updated: 2026-01-16 17:06
CWE-190 - Integer Overflow or Wraparound

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.30, ≤ 2.42 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-0861",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T21:24:01.342438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T21:25:55.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-16T17:06:42.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/16/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThanOrEqual": "2.42",
"status": "affected",
"version": "2.30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Igor Morgenstern, Aisle Research"
}
],
"datePublic": "2026-01-14T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\u003cbr\u003e\u003cbr\u003eNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u0026lt;\u0026lt;62+ 1, 1\u0026lt;\u0026lt;63] and exactly 1\u0026lt;\u0026lt;63 for posix_memalign and aligned_alloc.\u003cbr\u003e\u003cbr\u003eTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments."
}
],
"value": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:37:33.544Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33796"
},
{
"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer overflow in memalign leads to heap corruption",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2026-0861",
"datePublished": "2026-01-14T21:01:11.037Z",
"dateReserved": "2026-01-12T14:35:11.285Z",
"dateUpdated": "2026-01-16T17:06:42.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5745 (GCVE-0-2025-5745)
Vulnerability from cvelistv5 – Published: 2025-06-05 19:20 – Updated: 2025-06-05 20:13
CWE-665 - Improper Initialization

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.40 (custom) |

The description in the record below states "version 2.40 and later", while the affected-versions field lists 2.40 only.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T20:11:39.550335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T20:13:51.068Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Power10"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"status": "affected",
"version": "2.40",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-05T02:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"value": "The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T19:20:57.253Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33060"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the \u003ccode\u003eglibc.cpu.hwcaps\u003c/code\u003e tunable. This can be done by exporting the \u003ccode\u003eGLIBC_TUNABLES\u003c/code\u003e environment variable like so:\u003cbr\u003e\u003cbr\u003e\n\n\u003ccode\u003e\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1\u003c/code\u003e"
}
],
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the glibc.cpu.hwcaps tunable. This can be done by exporting the GLIBC_TUNABLES environment variable like so:\n\n\n\n\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-5745",
"datePublished": "2025-06-05T19:20:23.405Z",
"dateReserved": "2025-06-05T19:15:09.234Z",
"dateUpdated": "2025-06-05T20:13:51.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5702 (GCVE-0-2025-5702)
Vulnerability from cvelistv5 – Published: 2025-06-05 18:23 – Updated: 2025-06-05 20:21
CWE-665 - Improper Initialization

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.39 (custom) |

The description in the record below states "version 2.39 and later", while the affected-versions field lists 2.39 only.
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T20:17:18.849567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T20:21:44.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Power10"
],
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"status": "affected",
"version": "2.39",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-06-05T02:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"value": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T18:23:57.872Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33056"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the \u003ccode\u003eglibc.cpu.hwcaps\u003c/code\u003e tunable. This can be done by exporting the \u003ccode\u003eGLIBC_TUNABLES\u003c/code\u003e environment variable like so:\u003cbr\u003e\u003cbr\u003e\n\n\u003ccode\u003e\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1\u003c/code\u003e"
}
],
"value": "One may disable the Power10 optimized string routines in glibc to work around this issue, by setting the glibc.cpu.hwcaps tunable. This can be done by exporting the GLIBC_TUNABLES environment variable like so:\n\n\n\n\nexport GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-5702",
"datePublished": "2025-06-05T18:23:57.872Z",
"dateReserved": "2025-06-04T21:57:13.818Z",
"dateUpdated": "2025-06-05T20:21:44.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4802 (GCVE-0-2025-4802)
Vulnerability from cvelistv5 – Published: 2025-05-16 19:32 – Updated: 2026-02-26 18:28
CWE-426 - Untrusted Search Path

| Vendor | Product | Version |
|---|---|---|
| The GNU C Library | glibc | Affected: 2.27, < 2.39 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:04:41.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/16/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/17/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-26T03:55:54.573371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T18:28:07.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "glibc",
"vendor": "The GNU C Library",
"versions": [
{
"lessThan": "2.39",
"status": "affected",
"version": "2.27",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-05-16T19:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
}
],
"value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."
}
],
"impacts": [
{
"capecId": "CAPEC-13",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-13 Subverting Environment Variable Values"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "CWE-426 Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T19:32:50.586Z",
"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"shortName": "glibc"
},
"references": [
{
"url": "https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e"
},
{
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32976"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
"assignerShortName": "glibc",
"cveId": "CVE-2025-4802",
"datePublished": "2025-05-16T19:32:50.586Z",
"dateReserved": "2025-05-15T21:32:45.284Z",
"dateUpdated": "2026-02-26T18:28:07.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
VAR-201706-0334
Vulnerability from variot - Updated: 2026-04-10 22:46
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. glibc contains a buffer error vulnerability. Information may be obtained or altered, and a denial-of-service (DoS) condition may be caused. GNU glibc is prone to a local memory-corruption vulnerability. An attacker could exploit this issue to execute arbitrary code in the context of the application. GNU glibc 2.25 and prior versions are vulnerable.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: glibc security update Advisory ID: RHSA-2017:1479-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:1479 Issue date: 2017-06-19 CVE Names: CVE-2017-1000366 =====================================================================
- Summary:
An update for glibc is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 5.9 Long Life, Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, Red Hat Enterprise Linux 6.7 Extended Update Support, and Red Hat Enterprise Linux 7.2 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux ComputeNode EUS (v. 7.2) - x86_64 Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.2) - x86_64 Red Hat Enterprise Linux HPC Node EUS (v. 6.7) - x86_64 Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7) - x86_64 Red Hat Enterprise Linux Long Life (v. 5.9 server) - i386, ia64, x86_64 Red Hat Enterprise Linux Server (v. 5 ELS) - i386, s390x, x86_64 Red Hat Enterprise Linux Server AUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Server AUS (v. 6.4) - x86_64 Red Hat Enterprise Linux Server AUS (v. 6.5) - x86_64 Red Hat Enterprise Linux Server AUS (v. 6.6) - x86_64 Red Hat Enterprise Linux Server EUS (v. 6.7) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 7.2) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.4) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.5) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 6.6) - x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.7) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 7.2) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 6.5) - x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 6.6) - x86_64 Red Hat Enterprise Linux Server TUS (v. 6.5) - x86_64 Red Hat Enterprise Linux Server TUS (v. 6.6) - x86_64
- Description:
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366)
Red Hat would like to thank Qualys Research Labs for reporting this issue.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the glibc library must be restarted, or the system rebooted.
- Bugs fixed (https://bugzilla.redhat.com/):
1452543 - CVE-2017-1000366 glibc: heap/stack gap jumping via unbounded stack allocations
- Package List:
Red Hat Enterprise Linux Long Life (v. 5.9 server):
Source: glibc-2.5-107.el5_9.9.src.rpm
i386: glibc-2.5-107.el5_9.9.i386.rpm glibc-2.5-107.el5_9.9.i686.rpm glibc-common-2.5-107.el5_9.9.i386.rpm glibc-debuginfo-2.5-107.el5_9.9.i386.rpm glibc-debuginfo-2.5-107.el5_9.9.i686.rpm glibc-debuginfo-common-2.5-107.el5_9.9.i386.rpm glibc-devel-2.5-107.el5_9.9.i386.rpm glibc-headers-2.5-107.el5_9.9.i386.rpm glibc-utils-2.5-107.el5_9.9.i386.rpm nscd-2.5-107.el5_9.9.i386.rpm
ia64: glibc-2.5-107.el5_9.9.i686.rpm glibc-2.5-107.el5_9.9.ia64.rpm glibc-common-2.5-107.el5_9.9.ia64.rpm glibc-debuginfo-2.5-107.el5_9.9.i686.rpm glibc-debuginfo-2.5-107.el5_9.9.ia64.rpm glibc-debuginfo-common-2.5-107.el5_9.9.i386.rpm glibc-devel-2.5-107.el5_9.9.ia64.rpm glibc-headers-2.5-107.el5_9.9.ia64.rpm glibc-utils-2.5-107.el5_9.9.ia64.rpm nscd-2.5-107.el5_9.9.ia64.rpm
x86_64: glibc-2.5-107.el5_9.9.i686.rpm glibc-2.5-107.el5_9.9.x86_64.rpm glibc-common-2.5-107.el5_9.9.x86_64.rpm glibc-debuginfo-2.5-107.el5_9.9.i386.rpm glibc-debuginfo-2.5-107.el5_9.9.i686.rpm glibc-debuginfo-2.5-107.el5_9.9.x86_64.rpm glibc-debuginfo-common-2.5-107.el5_9.9.i386.rpm glibc-devel-2.5-107.el5_9.9.i386.rpm glibc-devel-2.5-107.el5_9.9.x86_64.rpm glibc-headers-2.5-107.el5_9.9.x86_64.rpm glibc-utils-2.5-107.el5_9.9.x86_64.rpm nscd-2.5-107.el5_9.9.x86_64.rpm
Red Hat Enterprise Linux Server (v. 5 ELS):
Source: glibc-2.5-123.el5_11.4.src.rpm
i386: glibc-2.5-123.el5_11.4.i386.rpm glibc-2.5-123.el5_11.4.i686.rpm glibc-common-2.5-123.el5_11.4.i386.rpm glibc-debuginfo-2.5-123.el5_11.4.i386.rpm glibc-debuginfo-2.5-123.el5_11.4.i686.rpm glibc-debuginfo-common-2.5-123.el5_11.4.i386.rpm glibc-devel-2.5-123.el5_11.4.i386.rpm glibc-headers-2.5-123.el5_11.4.i386.rpm glibc-utils-2.5-123.el5_11.4.i386.rpm nscd-2.5-123.el5_11.4.i386.rpm
s390x: glibc-2.5-123.el5_11.4.s390.rpm glibc-2.5-123.el5_11.4.s390x.rpm glibc-common-2.5-123.el5_11.4.s390x.rpm glibc-debuginfo-2.5-123.el5_11.4.s390.rpm glibc-debuginfo-2.5-123.el5_11.4.s390x.rpm glibc-devel-2.5-123.el5_11.4.s390.rpm glibc-devel-2.5-123.el5_11.4.s390x.rpm glibc-headers-2.5-123.el5_11.4.s390x.rpm glibc-utils-2.5-123.el5_11.4.s390x.rpm nscd-2.5-123.el5_11.4.s390x.rpm
x86_64: glibc-2.5-123.el5_11.4.i686.rpm glibc-2.5-123.el5_11.4.x86_64.rpm glibc-common-2.5-123.el5_11.4.x86_64.rpm glibc-debuginfo-2.5-123.el5_11.4.i386.rpm glibc-debuginfo-2.5-123.el5_11.4.i686.rpm glibc-debuginfo-2.5-123.el5_11.4.x86_64.rpm glibc-debuginfo-common-2.5-123.el5_11.4.i386.rpm glibc-devel-2.5-123.el5_11.4.i386.rpm glibc-devel-2.5-123.el5_11.4.x86_64.rpm glibc-headers-2.5-123.el5_11.4.x86_64.rpm glibc-utils-2.5-123.el5_11.4.x86_64.rpm nscd-2.5-123.el5_11.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node EUS (v. 6.7):
Source: glibc-2.12-1.166.el6_7.8.src.rpm
x86_64: glibc-2.12-1.166.el6_7.8.i686.rpm glibc-2.12-1.166.el6_7.8.x86_64.rpm glibc-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-devel-2.12-1.166.el6_7.8.i686.rpm glibc-devel-2.12-1.166.el6_7.8.x86_64.rpm glibc-headers-2.12-1.166.el6_7.8.x86_64.rpm glibc-utils-2.12-1.166.el6_7.8.x86_64.rpm nscd-2.12-1.166.el6_7.8.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional EUS (v. 6.7):
x86_64: glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-static-2.12-1.166.el6_7.8.i686.rpm glibc-static-2.12-1.166.el6_7.8.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.2):
Source: glibc-2.12-1.47.el6_2.18.src.rpm
x86_64: glibc-2.12-1.47.el6_2.18.i686.rpm glibc-2.12-1.47.el6_2.18.x86_64.rpm glibc-common-2.12-1.47.el6_2.18.x86_64.rpm glibc-debuginfo-2.12-1.47.el6_2.18.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.18.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.18.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.18.x86_64.rpm glibc-devel-2.12-1.47.el6_2.18.i686.rpm glibc-devel-2.12-1.47.el6_2.18.x86_64.rpm glibc-headers-2.12-1.47.el6_2.18.x86_64.rpm glibc-utils-2.12-1.47.el6_2.18.x86_64.rpm nscd-2.12-1.47.el6_2.18.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.4):
Source: glibc-2.12-1.107.el6_4.10.src.rpm
x86_64: glibc-2.12-1.107.el6_4.10.i686.rpm glibc-2.12-1.107.el6_4.10.x86_64.rpm glibc-common-2.12-1.107.el6_4.10.x86_64.rpm glibc-debuginfo-2.12-1.107.el6_4.10.i686.rpm glibc-debuginfo-2.12-1.107.el6_4.10.x86_64.rpm glibc-debuginfo-common-2.12-1.107.el6_4.10.i686.rpm glibc-debuginfo-common-2.12-1.107.el6_4.10.x86_64.rpm glibc-devel-2.12-1.107.el6_4.10.i686.rpm glibc-devel-2.12-1.107.el6_4.10.x86_64.rpm glibc-headers-2.12-1.107.el6_4.10.x86_64.rpm glibc-utils-2.12-1.107.el6_4.10.x86_64.rpm nscd-2.12-1.107.el6_4.10.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.5):
Source: glibc-2.12-1.132.el6_5.9.src.rpm
x86_64: glibc-2.12-1.132.el6_5.9.i686.rpm glibc-2.12-1.132.el6_5.9.x86_64.rpm glibc-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-devel-2.12-1.132.el6_5.9.i686.rpm glibc-devel-2.12-1.132.el6_5.9.x86_64.rpm glibc-headers-2.12-1.132.el6_5.9.x86_64.rpm glibc-utils-2.12-1.132.el6_5.9.x86_64.rpm nscd-2.12-1.132.el6_5.9.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 6.5):
Source: glibc-2.12-1.132.el6_5.9.src.rpm
x86_64: glibc-2.12-1.132.el6_5.9.i686.rpm glibc-2.12-1.132.el6_5.9.x86_64.rpm glibc-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-devel-2.12-1.132.el6_5.9.i686.rpm glibc-devel-2.12-1.132.el6_5.9.x86_64.rpm glibc-headers-2.12-1.132.el6_5.9.x86_64.rpm glibc-utils-2.12-1.132.el6_5.9.x86_64.rpm nscd-2.12-1.132.el6_5.9.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 6.6):
Source: glibc-2.12-1.149.el6_6.12.src.rpm
x86_64: glibc-2.12-1.149.el6_6.12.i686.rpm glibc-2.12-1.149.el6_6.12.x86_64.rpm glibc-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-devel-2.12-1.149.el6_6.12.i686.rpm glibc-devel-2.12-1.149.el6_6.12.x86_64.rpm glibc-headers-2.12-1.149.el6_6.12.x86_64.rpm glibc-utils-2.12-1.149.el6_6.12.x86_64.rpm nscd-2.12-1.149.el6_6.12.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 6.6):
Source: glibc-2.12-1.149.el6_6.12.src.rpm
x86_64: glibc-2.12-1.149.el6_6.12.i686.rpm glibc-2.12-1.149.el6_6.12.x86_64.rpm glibc-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-devel-2.12-1.149.el6_6.12.i686.rpm glibc-devel-2.12-1.149.el6_6.12.x86_64.rpm glibc-headers-2.12-1.149.el6_6.12.x86_64.rpm glibc-utils-2.12-1.149.el6_6.12.x86_64.rpm nscd-2.12-1.149.el6_6.12.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 6.7):
Source: glibc-2.12-1.166.el6_7.8.src.rpm
i386: glibc-2.12-1.166.el6_7.8.i686.rpm glibc-common-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-devel-2.12-1.166.el6_7.8.i686.rpm glibc-headers-2.12-1.166.el6_7.8.i686.rpm glibc-utils-2.12-1.166.el6_7.8.i686.rpm nscd-2.12-1.166.el6_7.8.i686.rpm
ppc64: glibc-2.12-1.166.el6_7.8.ppc.rpm glibc-2.12-1.166.el6_7.8.ppc64.rpm glibc-common-2.12-1.166.el6_7.8.ppc64.rpm glibc-debuginfo-2.12-1.166.el6_7.8.ppc.rpm glibc-debuginfo-2.12-1.166.el6_7.8.ppc64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.ppc.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.ppc64.rpm glibc-devel-2.12-1.166.el6_7.8.ppc.rpm glibc-devel-2.12-1.166.el6_7.8.ppc64.rpm glibc-headers-2.12-1.166.el6_7.8.ppc64.rpm glibc-utils-2.12-1.166.el6_7.8.ppc64.rpm nscd-2.12-1.166.el6_7.8.ppc64.rpm
s390x: glibc-2.12-1.166.el6_7.8.s390.rpm glibc-2.12-1.166.el6_7.8.s390x.rpm glibc-common-2.12-1.166.el6_7.8.s390x.rpm glibc-debuginfo-2.12-1.166.el6_7.8.s390.rpm glibc-debuginfo-2.12-1.166.el6_7.8.s390x.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.s390.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.s390x.rpm glibc-devel-2.12-1.166.el6_7.8.s390.rpm glibc-devel-2.12-1.166.el6_7.8.s390x.rpm glibc-headers-2.12-1.166.el6_7.8.s390x.rpm glibc-utils-2.12-1.166.el6_7.8.s390x.rpm nscd-2.12-1.166.el6_7.8.s390x.rpm
x86_64: glibc-2.12-1.166.el6_7.8.i686.rpm glibc-2.12-1.166.el6_7.8.x86_64.rpm glibc-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-devel-2.12-1.166.el6_7.8.i686.rpm glibc-devel-2.12-1.166.el6_7.8.x86_64.rpm glibc-headers-2.12-1.166.el6_7.8.x86_64.rpm glibc-utils-2.12-1.166.el6_7.8.x86_64.rpm nscd-2.12-1.166.el6_7.8.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 6.2):
Source: glibc-2.12-1.47.el6_2.18.src.rpm
x86_64: glibc-debuginfo-2.12-1.47.el6_2.18.i686.rpm glibc-debuginfo-2.12-1.47.el6_2.18.x86_64.rpm glibc-debuginfo-common-2.12-1.47.el6_2.18.i686.rpm glibc-debuginfo-common-2.12-1.47.el6_2.18.x86_64.rpm glibc-static-2.12-1.47.el6_2.18.i686.rpm glibc-static-2.12-1.47.el6_2.18.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 6.4):
Source: glibc-2.12-1.107.el6_4.10.src.rpm
x86_64: glibc-debuginfo-2.12-1.107.el6_4.10.i686.rpm glibc-debuginfo-2.12-1.107.el6_4.10.x86_64.rpm glibc-debuginfo-common-2.12-1.107.el6_4.10.i686.rpm glibc-debuginfo-common-2.12-1.107.el6_4.10.x86_64.rpm glibc-static-2.12-1.107.el6_4.10.i686.rpm glibc-static-2.12-1.107.el6_4.10.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 6.5):
Source: glibc-2.12-1.132.el6_5.9.src.rpm
x86_64: glibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-static-2.12-1.132.el6_5.9.i686.rpm glibc-static-2.12-1.132.el6_5.9.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 6.5):
Source: glibc-2.12-1.132.el6_5.9.src.rpm
x86_64: glibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm glibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm glibc-static-2.12-1.132.el6_5.9.i686.rpm glibc-static-2.12-1.132.el6_5.9.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 6.6):
x86_64: glibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-static-2.12-1.149.el6_6.12.i686.rpm glibc-static-2.12-1.149.el6_6.12.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 6.6):
x86_64: glibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm glibc-static-2.12-1.149.el6_6.12.i686.rpm glibc-static-2.12-1.149.el6_6.12.x86_64.rpm
Red Hat Enterprise Linux Server Optional EUS (v. 6.7):
i386: glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-static-2.12-1.166.el6_7.8.i686.rpm
ppc64: glibc-debuginfo-2.12-1.166.el6_7.8.ppc.rpm glibc-debuginfo-2.12-1.166.el6_7.8.ppc64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.ppc.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.ppc64.rpm glibc-static-2.12-1.166.el6_7.8.ppc.rpm glibc-static-2.12-1.166.el6_7.8.ppc64.rpm
s390x: glibc-debuginfo-2.12-1.166.el6_7.8.s390.rpm glibc-debuginfo-2.12-1.166.el6_7.8.s390x.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.s390.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.s390x.rpm glibc-static-2.12-1.166.el6_7.8.s390.rpm glibc-static-2.12-1.166.el6_7.8.s390x.rpm
x86_64: glibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm glibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm glibc-static-2.12-1.166.el6_7.8.i686.rpm glibc-static-2.12-1.166.el6_7.8.x86_64.rpm
Red Hat Enterprise Linux ComputeNode EUS (v. 7.2):
Source: glibc-2.17-106.el7_2.9.src.rpm
x86_64: glibc-2.17-106.el7_2.9.i686.rpm glibc-2.17-106.el7_2.9.x86_64.rpm glibc-common-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm glibc-devel-2.17-106.el7_2.9.i686.rpm glibc-devel-2.17-106.el7_2.9.x86_64.rpm glibc-headers-2.17-106.el7_2.9.x86_64.rpm glibc-utils-2.17-106.el7_2.9.x86_64.rpm nscd-2.17-106.el7_2.9.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.2):
x86_64: glibc-debuginfo-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm glibc-static-2.17-106.el7_2.9.i686.rpm glibc-static-2.17-106.el7_2.9.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 7.2):
Source: glibc-2.17-106.el7_2.9.src.rpm
ppc64: glibc-2.17-106.el7_2.9.ppc.rpm glibc-2.17-106.el7_2.9.ppc64.rpm glibc-common-2.17-106.el7_2.9.ppc64.rpm glibc-debuginfo-2.17-106.el7_2.9.ppc.rpm glibc-debuginfo-2.17-106.el7_2.9.ppc64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc64.rpm glibc-devel-2.17-106.el7_2.9.ppc.rpm glibc-devel-2.17-106.el7_2.9.ppc64.rpm glibc-headers-2.17-106.el7_2.9.ppc64.rpm glibc-utils-2.17-106.el7_2.9.ppc64.rpm nscd-2.17-106.el7_2.9.ppc64.rpm
ppc64le: glibc-2.17-106.el7_2.9.ppc64le.rpm glibc-common-2.17-106.el7_2.9.ppc64le.rpm glibc-debuginfo-2.17-106.el7_2.9.ppc64le.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc64le.rpm glibc-devel-2.17-106.el7_2.9.ppc64le.rpm glibc-headers-2.17-106.el7_2.9.ppc64le.rpm glibc-utils-2.17-106.el7_2.9.ppc64le.rpm nscd-2.17-106.el7_2.9.ppc64le.rpm
s390x: glibc-2.17-106.el7_2.9.s390.rpm glibc-2.17-106.el7_2.9.s390x.rpm glibc-common-2.17-106.el7_2.9.s390x.rpm glibc-debuginfo-2.17-106.el7_2.9.s390.rpm glibc-debuginfo-2.17-106.el7_2.9.s390x.rpm glibc-debuginfo-common-2.17-106.el7_2.9.s390.rpm glibc-debuginfo-common-2.17-106.el7_2.9.s390x.rpm glibc-devel-2.17-106.el7_2.9.s390.rpm glibc-devel-2.17-106.el7_2.9.s390x.rpm glibc-headers-2.17-106.el7_2.9.s390x.rpm glibc-utils-2.17-106.el7_2.9.s390x.rpm nscd-2.17-106.el7_2.9.s390x.rpm
x86_64: glibc-2.17-106.el7_2.9.i686.rpm glibc-2.17-106.el7_2.9.x86_64.rpm glibc-common-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm glibc-devel-2.17-106.el7_2.9.i686.rpm glibc-devel-2.17-106.el7_2.9.x86_64.rpm glibc-headers-2.17-106.el7_2.9.x86_64.rpm glibc-utils-2.17-106.el7_2.9.x86_64.rpm nscd-2.17-106.el7_2.9.x86_64.rpm
Red Hat Enterprise Linux Server Optional EUS (v. 7.2):
ppc64: glibc-debuginfo-2.17-106.el7_2.9.ppc.rpm glibc-debuginfo-2.17-106.el7_2.9.ppc64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc64.rpm glibc-static-2.17-106.el7_2.9.ppc.rpm glibc-static-2.17-106.el7_2.9.ppc64.rpm
ppc64le: glibc-debuginfo-2.17-106.el7_2.9.ppc64le.rpm glibc-debuginfo-common-2.17-106.el7_2.9.ppc64le.rpm glibc-static-2.17-106.el7_2.9.ppc64le.rpm
s390x: glibc-debuginfo-2.17-106.el7_2.9.s390.rpm glibc-debuginfo-2.17-106.el7_2.9.s390x.rpm glibc-debuginfo-common-2.17-106.el7_2.9.s390.rpm glibc-debuginfo-common-2.17-106.el7_2.9.s390x.rpm glibc-static-2.17-106.el7_2.9.s390.rpm glibc-static-2.17-106.el7_2.9.s390x.rpm
x86_64: glibc-debuginfo-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm glibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm glibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm glibc-static-2.17-106.el7_2.9.i686.rpm glibc-static-2.17-106.el7_2.9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2017-1000366 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/stackguard
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFZSDV3XlSAg2UNWIIRAibeAKC2QtxViqngTTBVM9fvG1XjRCkgwACgrHP1 PVr1sUH9RUhxrQOKQqWtnKY= =ywUB -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
For the full details, please refer to their advisory published at: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
For the oldstable distribution (jessie), this problem has been fixed in version 2.19-18+deb8u10.
For the stable distribution (stretch), this problem has been fixed in version 2.24-11+deb9u1.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your glibc packages.
Gentoo Linux Security Advisory GLSA 201706-19
https://security.gentoo.org/
Severity: High Title: GNU C Library: Multiple vulnerabilities Date: June 20, 2017 Bugs: #608698, #608706, #622220 ID: 201706-19
Synopsis
Multiple vulnerabilities have been found in the GNU C Library, the worst of which may allow execution of arbitrary code.
Background
The GNU C library is the standard C library used by Gentoo Linux systems.
Workaround
There is no known workaround at this time.
Resolution
All GNU C Library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.23-r4"
References
[ 1 ] CVE-2015-5180 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5180
[ 2 ] CVE-2016-6323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6323
[ 3 ] CVE-2017-1000366 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000366
[ 4 ] Qualys Security Advisory - The Stack Clash https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201706-19
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Qualys Security Advisory
The Stack Clash
======================================================================== Contents ========================================================================
I. Introduction II. Problem II.1. Automatic stack expansion II.2. Stack guard-page II.3. Stack-clash exploitation III. Solutions IV. Results IV.1. Linux IV.2. OpenBSD IV.3. NetBSD IV.4. FreeBSD IV.5. Solaris V. Acknowledgments
======================================================================== I. Introduction ========================================================================
Our research started with a 96-megabyte surprise:
b97bb000-b97dc000 rw-p 00000000 00:00 0 [heap]
bf7c6000-bf806000 rw-p 00000000 00:00 0 [stack]
and a 12-year-old question: "If the heap grows up, and the stack grows down, what happens when they clash? Is it exploitable? How?"
- In 2005, Gael Delalleau presented "Large memory management vulnerabilities" and the first stack-clash exploit in user-space (against mod_php 4.3.0 on Apache 2.0.53):
http://cansecwest.com/core05/memory_vulns_delalleau.pdf
- In 2010, Rafal Wojtczuk published "Exploiting large memory management vulnerabilities in Xorg server running on Linux", the second stack-clash exploit in user-space (CVE-2010-2240):
http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf
- Since 2010, security researchers have exploited several stack-clashes in the kernel-space; for example:
https://jon.oberheide.org/blog/2010/11/29/exploiting-stack-overflows-in-the-linux-kernel/ https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html
In user-space, however, this problem has been greatly underestimated; the only public exploits are Gael Delalleau's and Rafal Wojtczuk's, and they were written before Linux introduced a protection against stack-clashes (a "guard-page" mapped below the stack):
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2240
In this advisory, we show that stack-clashes are widespread in user-space, and exploitable despite the stack guard-page; we discovered multiple vulnerabilities in guard-page implementations, and devised general methods for:
- "Clashing" the stack with another memory region: we allocate memory until the stack reaches another memory region, or until another memory region reaches the stack;
- "Jumping" over the stack guard-page: we move the stack-pointer from the stack and into the other memory region, without accessing the stack guard-page;
- "Smashing" the stack, or the other memory region: we overwrite the stack with the other memory region, or the other memory region with the stack.
To illustrate our findings, we developed the following exploits and proofs-of-concepts:
- a local-root exploit against Exim (CVE-2017-1000369, CVE-2017-1000376) on i386 Debian;
- a local-root exploit against Sudo (CVE-2017-1000367, CVE-2017-1000366) on i386 Debian, Ubuntu, CentOS;
- an independent Sudoer-to-root exploit against CVE-2017-1000367 on any SELinux-enabled distribution;
- a local-root exploit against ld.so and most SUID-root binaries (CVE-2017-1000366, CVE-2017-1000370) on i386 Debian, Fedora, CentOS;
- a local-root exploit against ld.so and most SUID-root PIEs (CVE-2017-1000366, CVE-2017-1000371) on i386 Debian, Ubuntu, Fedora;
- a local-root exploit against /bin/su (CVE-2017-1000366, CVE-2017-1000365) on i386 Debian;
- a proof-of-concept that gains eip control against Sudo on i386 grsecurity/PaX (CVE-2017-1000367, CVE-2017-1000366, CVE-2017-1000377);
- a local proof-of-concept that gains rip control against Exim (CVE-2017-1000369) on amd64 Debian;
- a local-root exploit against ld.so and most SUID-root binaries (CVE-2017-1000366, CVE-2017-1000379) on amd64 Debian, Ubuntu, Fedora, CentOS;
- a proof-of-concept against /usr/bin/at on i386 OpenBSD, for CVE-2017-1000372 in OpenBSD's stack guard-page implementation and CVE-2017-1000373 in OpenBSD's qsort() function;
- a proof-of-concept for CVE-2017-1000374 and CVE-2017-1000375 in NetBSD's stack guard-page implementation;
- a proof-of-concept for CVE-2017-1085 in FreeBSD's setrlimit() RLIMIT_STACK implementation;
- two proofs-of-concept for CVE-2017-1083 and CVE-2017-1084 in FreeBSD's stack guard-page implementation;
- a local-root exploit against /usr/bin/rsh (CVE-2017-3630, CVE-2017-3629, CVE-2017-3631) on Solaris 11.
======================================================================== II. Problem ========================================================================
Note: in this advisory, the "start of the stack" is the lowest address of its memory region, and the "end of the stack" is the highest address of its memory region; we do not use the ambiguous terms "top of the stack" and "bottom of the stack".
======================================================================== II.1. Automatic stack expansion ========================================================================
The user-space stack of a process is automatically expanded by the kernel:
- if the stack-pointer (the esp register, on i386) reaches the start of the stack and the unmapped memory pages below (the stack grows down, on i386),
- then a "page-fault" exception is raised and caught by the kernel,
- and the page-fault handler transparently expands the user-space stack of the process (it decreases the start address of the stack),
- or it terminates the process with a SIGSEGV if the stack expansion fails (for example, if the RLIMIT_STACK is reached).
Unfortunately, this stack expansion mechanism is implicit and fragile: it relies on page-fault exceptions, but if another memory region is mapped directly below the stack, then the stack-pointer can move from the stack into the other memory region without raising a page-fault, and:
- the kernel cannot tell that the process needed more stack memory;
- the process cannot tell that its stack-pointer moved from the stack into another memory region.
In contrast, the heap expansion mechanism is explicit and robust: the process uses the brk() system-call to tell the kernel that it needs more heap memory, and the kernel expands the heap accordingly (it increases the end address of the heap memory region -- the heap always grows up).
======================================================================== II.2. Stack guard-page ========================================================================
The fragile stack expansion mechanism poses a security threat: if the stack-pointer of a process can move from the stack into another memory region (which ends exactly where the stack starts) without raising a page-fault, then:
- the process uses this other memory region as if it were an extension of the stack;
- a write to this stack extension smashes the other memory region;
- a write to the other memory region smashes the stack extension.
To protect against this security threat, the kernel maps a "guard-page" below the start of the stack: one or more PROT_NONE pages (or unmappable pages) that:
- raise a page-fault exception if accessed (before the stack-pointer can move from the stack into another memory region);
- terminate the process with a SIGSEGV (because the page-fault handler cannot expand the stack if another memory region is mapped directly below).
Unfortunately, a stack guard-page of a few kilobytes is insufficient (CVE-2017-1000364): if the stack-pointer "jumps" over the guard-page -- if it moves from the stack into another memory region without accessing the guard-page -- then no page-fault exception is raised and the stack extends into the other memory region.
This theoretical vulnerability was first described in Gael Delalleau's 2005 presentation (slides 24-29). In the present advisory, we discuss its practicalities, and multiple vulnerabilities in stack guard-page implementations (in OpenBSD, NetBSD, and FreeBSD), but we exclude related vulnerabilities such as unbounded alloca()s and VLAs (Variable-Length Arrays) that have been exploited in the past:
http://phrack.org/issues/63/14.html http://blog.exodusintel.com/2013/01/07/who-was-phone/
======================================================================== II.3. Stack-clash exploitation ========================================================================
Must be a clash, there's no alternative.
--The Clash, "Kingston Advice"
Our exploits follow a series of four sequential steps -- each step allocates memory that must not be freed before all steps are complete:
Step 1: Clash (the stack with another memory region)
Step 2: Run (move the stack-pointer to the start of the stack)
Step 3: Jump (over the stack guard-page, into the other memory region)
Step 4: Smash (the stack, or the other memory region)
======================================================================== II.3.1. Step 1: Clash the stack with another memory region ========================================================================
Have the boys found the leak yet?
--The Clash, "The Leader"
Allocate memory until the start of the stack reaches the end of another memory region, or until the end of another memory region reaches the start of the stack.
- The other memory region can be, for example:
. the heap;
. an anonymous mmap();
. the read-write segment of ld.so;
. the read-write segment of a PIE, a Position-Independent Executable.
- The memory allocated in this Step 1 can be, for example:
. stack and heap memory;
. stack and anonymous mmap() memory;
. stack memory only.
- The heap and anonymous mmap() memory can be:
. temporarily allocated, but not freed before the stack guard-page is jumped over in Step 3 and memory is smashed in Step 4;
. permanently leaked. On Linux, a general method for allocating anonymous mmap()s is the LD_AUDIT memory leak that we discovered in the ld.so part of the glibc, the GNU C Library (CVE-2017-1000366).
- The stack memory can be allocated, for example:
. through megabytes of command-line arguments and environment variables.
On Linux, this general method for allocating stack memory is limited
by the kernel to 1/4 of the current RLIMIT_STACK (1GB on i386 if
RLIMIT_STACK is RLIM_INFINITY -- man execve, "Limits on size of
arguments and environment").
However, as we were drafting this advisory, we realized that the
kernel imposes this limit on the argument and environment strings,
but not on the argv[] and envp[] pointers to these strings, and we
developed alternative versions of our Linux exploits that do not
depend on application-specific memory leaks (CVE-2017-1000365).
. through recursive function calls.
On BSD, we discovered a general method for allocating megabytes of
stack memory: a vulnerability in qsort() that causes this function
to recurse N/4 times, given a pathological input array of N elements
(CVE-2017-1000373 in OpenBSD, CVE-2017-1000378 in NetBSD, and
CVE-2017-1082 in FreeBSD).
- In a few rare cases, Step 1 is not needed, because another memory region is naturally mapped directly below the stack (for example, ld.so in our Solaris exploit).
======================================================================== II.3.2. Step 2: Move the stack-pointer to the start of the stack ========================================================================
Run, run, run, run, run, don't you know?
--The Clash, "Three Card Trick"
Consume the unused stack memory that separates the stack-pointer from the start of the stack. This Step 2 is similar to Step 3 ("Jump over the stack guard-page") but is needed because:
- the stack-pointer is usually several kilobytes higher than the start of the stack (functions that allocate a large stack-frame decrease the start address of the stack, but this address is never increased again); moreover:
. the FreeBSD kernel automatically expands the user-space stack of a process by multiples of 128KB (SGROWSIZ, in vm_map_growstack());
. the Linux kernel initially expands the user-space stack of a process by 128KB (stack_expand, in setup_arg_pages()).
- in Step 3, the stack-based buffer used to jump over the guard-page:
. is usually not large enough to simultaneously move the stack-pointer to the start of the stack, and then into another memory region;
. must not be fully written to (a full write would access the stack guard-page and terminate the process) but the stack memory consumed in this Step 2 can be fully written to (for example, strdupa() can be used in Step 2, but not in Step 3).
The stack memory consumed in this Step 2 can be, for example:
- large stack-frames, alloca()s, or VLAs (which can be detected by grsecurity/PaX's STACKLEAK plugin for GCC, https://grsecurity.net/features.php);
- recursive function calls (which can be detected by GNU cflow, http://www.gnu.org/software/cflow/);
- on Linux, we discovered that the argv[] and envp[] arrays of pointers can be used to consume the 128KB of initial stack expansion, because the kernel allocates these arrays on the stack long after the call to setup_arg_pages(); this general method for completing Step 2 is exploitable locally, but the initial stack expansion poses a major obstacle to the remote exploitation of stack-clashes, as mentioned in IV.1.1.
In a few rare cases, Step 2 is not needed, because the stack-pointer is naturally close to the start of the stack (for example, in Exim's main() function, the 256KB group_list[] moves the stack-pointer to the start of the stack and beyond).
======================================================================== II.3.3. Step 3: Jump over the stack guard-page, into another memory region ========================================================================
You need a little jump of electrical shockers.
--The Clash, "Clash City Rockers"
Move the stack-pointer from the stack and into the memory region that clashed with the stack in Step 1, but without accessing the guard-page. To complete this Step 3, a large stack-based buffer, alloca(), or VLA is needed, and:
- it must be larger than the guard-page;
- it must end in the stack, above the guard-page;
- it must start in the memory region below the stack guard-page;
- it must not be fully written to (a full write would access the guard-page, raise a page-fault exception, and terminate the process, because the memory region mapped directly below the stack prevents the page-fault handler from expanding the stack).
In a few cases, Step 3 is not needed:
- on FreeBSD, a stack guard-page is implemented but disabled by default (CVE-2017-1083);
- on OpenBSD, NetBSD, and FreeBSD, we discovered implementation vulnerabilities that eliminate the stack guard-page (CVE-2017-1000372, CVE-2017-1000374, CVE-2017-1084).
On Linux, we devised general methods for jumping over the stack guard-page (CVE-2017-1000366):
- The glibc's __dcigettext() function alloca()tes single_locale, a stack-based buffer of up to 128KB (MAX_ARG_STRLEN, man execve), the length of the LANGUAGE environment variable (if the current locale is neither "C" nor "POSIX", but distributions install default locales such as "C.UTF-8" and "en_US.utf8").
If LANGUAGE is mostly composed of ':' characters, then single_locale is barely written to, and can be used to jump over the stack guard-page.
Moreover, if __dcigettext() finds the message to be translated, then _nl_find_msg() strdup()licates the OUTPUT_CHARSET environment variable and allows a local attacker to immediately smash the stack and gain control of the instruction pointer (the eip register, on i386), as detailed in Step 4a.
We exploited this stack-clash against Sudo and su, but most of the SUID (set-user-ID) and SGID (set-group-ID) binaries that call setlocale(LC_ALL, "") and __dcigettext() or its derivatives (the *gettext() functions, the _() convenience macro, the strerror() function) are exploitable.
- The glibc's vfprintf() function (called by the *printf() family of functions) alloca()tes a stack-based work buffer of up to 64KB (__MAX_ALLOCA_CUTOFF) if a width or precision is greater than 1KB (WORK_BUFFER_SIZE).
If the corresponding format specifier is %s then this work buffer is never written to and can be used to jump over the stack guard-page.
None of our exploits is based on this method, but it was one of our ideas to exploit Exim remotely, as mentioned in IV.1.1.
- The glibc's getaddrinfo() function calls gaih_inet(), which alloca()tes tmpbuf, a stack-based buffer of up to 64KB (__MAX_ALLOCA_CUTOFF) that may be used to jump over the stack guard-page.
Moreover, gaih_inet() calls the gethostbyname*() functions, which malloc()ate a heap-based DNS response of up to 64KB (MAXPACKET) that may allow a remote attacker to immediately smash the stack, as detailed in Step 4a.
None of our exploits is based on this method, but it may be the key to the remote exploitation of stack-clashes.
- The glibc's run-time dynamic linker ld.so alloca()tes llp_tmp, a stack-based copy of the LD_LIBRARY_PATH environment variable. If LD_LIBRARY_PATH contains Dynamic String Tokens (DSTs), they are first expanded: llp_tmp can be larger than 128KB (MAX_ARG_STRLEN) and not fully written to, and can therefore be used to jump over the stack guard-page and smash the memory region mapped directly below, as detailed in Step 4b.
We exploited this ld.so stack-clash in two data-only attacks that bypass NX (No-eXecute) and ASLR (Address Space Layout Randomization) and obtain a privileged shell through most SUID and SGID binaries on most i386 Linux distributions.
- Several local and remote applications allocate a 256KB stack-based "gid_t buffer[NGROUPS_MAX];" that is not fully written to and can be used to move the stack-pointer to the start of the stack (Step 2) and jump over the guard-page (Step 3). For example, Exim's main() function and older versions of util-linux's su.
None of our exploits is based on this method, but an experimental version of our Exim exploit unexpectedly gained control of eip after the group_list[] buffer had jumped over the stack guard-page.
======================================================================== II.3.4. Step 4: Either smash the stack with another memory region (Step 4a) or smash another memory region with the stack (Step 4b) ========================================================================
Smash and grab, it's that kind of world.
--The Clash, "One Emotion"
In Step 3, a function allocates a large stack-based buffer and jumps over the stack guard-page into the memory region mapped directly below; in Step 4, before this function returns and jumps back into the stack:
- Step 4a: a write to the memory region mapped below the stack (where esp still points to) effectively smashes the stack. We exploit this general method for completing Step 4 in Exim, Sudo, and su:
. we overwrite a return-address on the stack and gain control of eip;
. we return-into-libc (into system() or __libc_dlopen()) to defeat NX;
. we brute-force ASLR (8 bits of entropy) if CVE-2016-3672 is patched;
. we bypass SSP (Stack-Smashing Protector) because we overwrite the return-address of a function that is not protected by a stack canary (the memcpy() that smashes the stack usually overwrites its own stack-frame and return-address).
- Step 4b: a write to the stack effectively smashes the memory region mapped below (where esp still points to). This second method for completing Step 4 is application-specific (it depends on the contents of the memory region that we smash) unless we exploit the run-time dynamic linker ld.so:
. on Solaris, we devised a general method for smashing ld.so's read-write segment, overwriting one of its function pointers, and executing our own shell-code;
. on Linux, we exploited most SUID and SGID binaries through ld.so: our "hwcap" exploit smashes an mmap()ed string, and our ".dynamic" exploit smashes a PIE's read-write segment before it is mprotect()ed read-only by Full RELRO (Full RELocate Read-Only -- GNU_RELRO and BIND_NOW).
======================================================================== III. Solutions ========================================================================
Based on our research, we recommend that the affected operating systems:
- Increase the size of the stack guard-page to at least 1MB, and allow system administrators to easily modify this value (for example, grsecurity/PaX introduced /proc/sys/vm/heap_stack_gap in 2010).
This first, short-term solution is cheap, but it can be defeated by a very large stack-based buffer.
- Recompile all userland code (ld.so, libraries, binaries) with GCC's "-fstack-check" option, which prevents the stack-pointer from moving into another memory region without accessing the stack guard-page (it writes one word to every 4KB page allocated on the stack).
This second, long-term solution is expensive, but it cannot be defeated (even if the stack guard-page is only 4KB, one page) -- unless a vulnerability is discovered in the implementation of the stack guard-page or the "-fstack-check" option.
======================================================================== IV. Results ========================================================================
======================================================================== IV.1. Linux ========================================================================
======================================================================== IV.1.1. Exim ========================================================================
Debian 8.5
Crude exploitation
Our first exploit, a Local Privilege Escalation against Exim's SUID-root PIE (Position-Independent Executable) on i386 Debian 8.5, simply follows the four sequential steps outlined in II.3.
Step 1: Clash the stack with the heap
To reach the start of the stack with the end of the heap (man brk), we permanently leak memory through multiple -p command-line arguments that are malloc()ated by Exim but never free()d (CVE-2017-1000369) -- we call such a malloc()ated chunk of heap memory a "memleak-chunk".
Because the -p argument strings are originally allocated on the stack by execve(), we must cover half of the initial heap-stack distance (between the start of the heap and the end of the stack) with stack memory, and half of this distance with heap memory.
If we set the RLIMIT_STACK to 136MB (MIN_GAP, arch/x86/mm/mmap.c) then the initial heap-stack distance is minimal (randomized in a [96MB,137MB] range), but we cannot reach the stack with the heap because of the 1/4 limit imposed by the kernel on the argument and environment strings (man execve): 136MB/4=34MB of -p argument strings cannot cover 96MB/2=48MB, half of the minimum heap-stack distance.
Moreover, if we increase the RLIMIT_STACK, the initial heap-stack distance also increases and we still cannot reach the stack with the heap. However, if we set the RLIMIT_STACK to RLIM_INFINITY (4GB on i386) then the kernel switches from the default top-down mmap() layout to a legacy bottom-up mmap() layout, and:
-
the initial heap-stack distance is approximately 2GB, because the start of the heap (the initial brk()) is randomized above the address 0x40000000, and the end of the stack is randomized below the address 0xC0000000;
-
we can reach the stack with the heap, despite the 1/4 limit imposed by the kernel on the argument and environment strings, because 4GB/4=1GB of -p argument strings can cover 2GB/2=1GB, half of the initial heap-stack distance;
-
we clash the stack with the heap around the address 0x80000000.
Step 2: Move the stack-pointer (esp) to the start of the stack
The 256KB stack-based group_list[] in Exim's main() naturally consumes the 128KB of initial stack expansion, as mentioned in II.3.2.
Step 3: Jump over the stack guard-page and into the heap
To move esp from the start of the stack into the heap, without accessing the stack guard-page, we use a malformed -d command-line argument that is written to the 32KB (STRING_SPRINTF_BUFFER_SIZE) stack-based buffer in Exim's string_sprintf() function. This buffer is not fully written to and hence does not access the stack guard-page, because our -d argument string is much shorter than 32KB.
Step 4a: Smash the stack with the heap
Before string_sprintf() returns (and moves esp from the heap back into the stack) it calls string_copy(), which malloc()ates and memcpy()es our -d argument string to the end of the heap, where esp still points to -- we call this malloc()ated chunk of heap memory the "smashing-chunk".
This call to memcpy() therefore smashes its own stack-frame (which is not protected by SSP) with the contents of our smashing-chunk, and we overwrite memcpy()'s return-address with the address of libc's system() function (which is not randomized by ASLR because Debian 8.5 is vulnerable to CVE-2016-3672):
-
instead of smashing memcpy()'s stack-frame with an 8-byte pattern (the return-address to system() and its argument) we smash it with a simple 4-byte pattern (the return-address to system()), append "." to the PATH environment variable, and symlink() our exploit to the string that begins at the address of libc's system() function;
-
system() does not drop our escalated root privileges, because Debian's /bin/sh is dash, not bash and its -p option (man bash).
This first version of our Exim exploit obtained a root-shell after nearly a week of failed attempts; to improve this result, we analyzed every step of a successful run.
Refined exploitation
Step 1: Clash the stack with the heap
- The heap must be able to reach the stack [Condition 1]
The start of the heap is randomized in the 32MB range above the end of Exim's PIE (the end of its .bss section), but the growth of the heap is sometimes blocked by libraries that are mmap()ed within the same range (because of the legacy bottom-up mmap() layout). On Debian 8.5, Exim's libraries occupy about 8MB and thus block the growth of the heap with a probability of 8MB/32MB = 1/4.
When the heap is blocked by the libraries, malloc() switches from brk() to mmap()s of 1MB (MMAP_AS_MORECORE_SIZE), and our memory leak reaches the stack with mmap()s instead of the heap. Such a stack-clash is also exploitable, but its probability of success is low, as detailed in IV.1.6., and we therefore discarded this approach.
- The heap must always reach the stack, when not blocked by libraries
Because the initial heap-stack distance (between the start of the heap and the end of the stack) is a random variable:
-
either we allocate the exact amount of heap memory to cover the mean heap-stack distance, but the probability of success of this approach is low and we therefore discarded it;
-
or we allocate enough heap memory to always reach the stack, even when the initial heap-stack distance is maximal; after the heap reaches the stack, our memory leak allocates mmap()s of 1MB above the stack (below 0xC0000000) and below the heap (above the libraries), but it must not exhaust the address-space (the 1GB below 0x40000000 is unmappable);
-
the final heap-stack distance (between the end of the heap and the start of the stack) is also a random variable:
. its minimum value is 8KB (the stack guard-page, plus a safety page imposed by the brk() system-call in mm/mmap.c);
. its maximum value is roughly the size of a memleak-chunk, plus 128KB (DEFAULT_TOP_PAD, malloc/malloc.c).
Step 3: Jump over the stack guard-page and into the heap
-
The stack-pointer must jump over the guard-page and land into the free chunk at the end of the heap (the remainder of the heap after malloc() switches from brk() to mmap()), where both the smashing-chunk and memcpy()'s stack-frame are allocated and overwritten in Step 4a [Condition 2];
-
The write (of approximately smashing-chunk bytes) to string_sprintf()'s stack-based buffer (which starts where the guard-page jump lands) must not crash into the end of the heap [Condition 3].
Step 4a: Smash the stack with the heap
The smashing-chunk must be allocated into the free chunk at the end of the heap:
-
the smashing-chunk must not be allocated into the free chunks left over at the end of the 1MB mmap()s [Condition 4];
-
the memleak-chunks must not be allocated into the free chunk at the end of the heap [Condition 5].
Intuitively, the probability of gaining control of eip depends on the size of the smashing-chunk (the guard-page jump's landing-zone) and the size of the memleak-chunks (which determines the final heap-stack distance).
To maximize this probability, we wrote a helper program that imposes the following conditions on the smashing-chunk and memleak-chunks:
-
the smashing-chunk must be smaller than 32KB (STRING_SPRINTF_BUFFER_SIZE) [Condition 3];
-
the memleak-chunks must be smaller than 128KB (DEFAULT_MMAP_THRESHOLD, malloc/malloc.c);
-
the free chunk at the end of the heap must be larger than twice the smashing-chunk size [Conditions 2 and 3];
-
the free chunk at the end of the heap must be smaller than the memleak-chunk size [Condition 5];
-
when the final heap-stack distance is minimal, the 32KB (STRING_SPRINTF_BUFFER_SIZE) guard-page jump must land below the free chunk at the end of the heap [Condition 2];
-
the free chunks at the end of the 1MB mmap()s must be:
. either smaller than the smashing-chunk [Condition 4];
. or larger than the free chunk at the end of the heap (glibc's malloc() is a best-fit allocator) [Condition 4].
The resulting smashing-chunk and memleak-chunk sizes are:
smash: 10224 memleak: 27656 brk_min: 20464 brk_max: 24552 mmap_top: 25304 probability: 1/16 (0.06190487817)
In theory, the probability of gaining control of eip is 1/21: the product of the 1/16 probability calculated by this helper program (approximately (smashing-chunk / (memleak-chunk + DEFAULT_TOP_PAD))) and the 3/4 probability of reaching the stack with the heap [Condition 1].
In practice, on Debian 8.5, our final Exim exploit:
-
gains eip control in 1 run out of 28, on average;
-
takes 2.5 seconds per run (on a 4GB Virtual Machine);
-
has a good chance of obtaining a root-shell after 28*2.5 = 70 seconds;
-
uses 4GB of memory (2GB in the Exim process, and 2GB in the process fork()ed by system()).
Debian 8.6
Unlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672: after gaining eip control in Step 4a (Smash), the probability of successfully returning-into-libc's system() function is 1/256 (8 bits of entropy -- libraries are randomized in a 1MB range but aligned on 4KB).
Consequently, our final Exim exploit has a good chance of obtaining a root-shell on Debian 8.6 after 256*28*2.5 seconds = 5 hours (256*28=7168 runs).
As we were drafting this advisory, we tried an alternative approach against Exim on Debian 8.6: we discovered that its stack is executable, because it depends on libgnutls-deb0, which depends on libp11-kit, which depends on libffi, which incorrectly requires an executable GNU_STACK (CVE-2017-1000376).
Initially, we discarded this approach because our 1GB of -p argument strings on the stack is not executable (_dl_make_stack_executable() only mprotect()s the stack below argv[] and envp[]):
41e00000-723d7000 rw-p 00000000 00:00 0 [heap]
802f1000-80334000 rwxp 00000000 00:00 0 [stack]
80334000-bfce6000 rw-p 00000000 00:00 0
and because the stack is randomized in an 8MB range but we do not control the contents of any large buffer on the executable stack.
Later, we discovered that two 128KB (MAX_ARG_STRLEN) copies of the LD_PRELOAD environment variable can be allocated onto the executable stack by ld.so's dl_main() and open_path() functions, automatically freed upon return from these functions, and re-allocated (but not overwritten) by Exim's 256KB stack-based group_list[].
In theory, the probability of returning into our shell-code (into these executable copies of LD_PRELOAD) is 1/32 (2*128KB/8MB), higher than the 1/256 probability of returning-into-libc. In practice, this alternative Exim exploit has a good chance of obtaining a root-shell after 1174 runs -- instead of 32*28=896 runs in theory, because the two 128KB copies of LD_PRELOAD are never perfectly aligned with Exim's 256KB group_list[] -- or 1174*2.5 seconds = 50 minutes.
Debian 9 and 10
Unlike Debian 8, Debian 9 and 10 are not vulnerable to offset2lib, a minor weakness in Linux's ASLR that coincidentally affects Step 1 (Clash) of our stack-clash exploits:
https://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1fd836dcf00d2028c700c7e44d2c23404062c90
If we set RLIMIT_STACK to RLIM_INFINITY, the kernel still switches to the legacy bottom-up mmap() layout, and the libraries are randomized in the 1MB range above the address 0x40000000, but Exim's PIE is randomized in the 1MB range above the address 0x80000000 and the heap is randomized in the 32MB range above the PIE's .bss section. As a result:
-
the heap is always able to reach the stack, because its growth is never blocked by the libraries -- the theoretical probability of gaining eip control is 1/16, the probability calculated by our helper program;
-
the heap clashes with the stack around the address 0xA0000000, because the initial heap-stack distance is 1GB (0xC0000000-0x80000000) and can be covered with 512MB of heap memory and 512MB of stack memory.
Remote exploitation
Exim's string_sprintf() or glibc's vfprintf() can be used to remotely complete Steps 3 and 4 of the stack-clash; and the 256KB group_list[] in Exim's main() naturally consumes the 128KB of initial stack expansion in Step 2; but another 256KB group_list[] in Exim's exim_setugid() further decreases the start address of the stack and prevents us from remotely completing Step 2 and exploiting Exim.
======================================================================== IV.1.2. Sudo ========================================================================
Introduction
We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).
For example, if we execute Sudo through the symlink "./ 1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[].
Next, sudo_ttyname_dev() calls the recursive function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev".
Last, we exploit this recursive function during its traversal of the world-writable "/dev/shm", and allocate hundreds of megabytes of heap memory from the filesystem (directory pathnames) instead of the stack (the command-line arguments and environment variables allocated by our other stack-clash exploits).
Step 1: Clash the stack with the heap
sudo_ttyname_scan() strdup()licates the pathnames of the directories and sub-directories that it traverses, but does not free() them until it returns. Each one of these "memleak-chunks" allocates at most 4KB (PATH_MAX) of heap memory.
Step 2: Move the stack-pointer to the start of the stack
The recursive calls to sudo_ttyname_scan() allocate 4KB (PATH_MAX) stack-frames that naturally consume the 128KB of initial stack expansion.
Step 3: Jump over the stack guard-page and into the heap
If the length of a directory pathname reaches 4KB (PATH_MAX), sudo_ttyname_scan() calls warning(), which calls strerror() and _(), which call gettext() and allow us to jump over the stack guard-page with an alloca() of up to 128KB (the LANGUAGE environment variable), as explained in II.3.3.
Step 4a: Smash the stack with the heap
The self-contained gettext() exploitation method malloc()ates and memcpy()es a "smashing-chunk" of up to 128KB (the OUTPUT_CHARSET environment variable) that smashes memcpy()'s stack-frame and return-address, as explained in II.3.4.
Debian 8.5
Step 1: Clash the stack with the heap
Debian 8.5 is vulnerable to CVE-2016-3672: if we set RLIMIT_STACK to RLIM_INFINITY, the kernel switches to the legacy bottom-up mmap() layout and disables the ASLR of Sudo's PIE and libraries, but still the initial heap-stack distance is randomized and roughly 2GB (0xC0000000-0x40000000 -- the start of the heap is randomized in a 32MB range above 0x40000000, and the end of the stack is randomized in the 8MB range below 0xC0000000).
To reach the start of the stack with the end of the heap, we allocate hundreds of megabytes of heap memory from the filesystem (directory pathnames), and:
-
the heap must be able to reach the stack -- on Debian 8.5, Sudo's libraries occupy about 3MB and hence block the growth of the heap with a probability of 3MB/32MB ~= 1/11;
-
when not blocked by the libraries, the heap must always reach the stack, even when the initial heap-stack distance is maximal (as detailed in IV.1.1.);
-
we cover half of the initial heap-stack distance with 1GB of heap memory (the memleak-chunks, strdup()licated directory pathnames);
-
we cover the other half of this distance with 1GB of stack memory (the maximum permitted by the kernel's 1/4 limit on the argument and environment strings) and thus reduce our on-disk inode usage;
-
we redirect sudo_ttyname_scan()'s traversal of /dev to /var/tmp (through a symlink planted in /dev/shm) to work around the small number of inodes available in /dev/shm.
After the heap reaches the stack and malloc() switches from brk() to mmap()s of 1MB:
-
the size of the free chunk left over at the end of the heap is a random variable in the [0B,4KB] range -- 4KB (PATH_MAX) is the approximate size of a memleak-chunk;
-
the final heap-stack distance (between the end of the heap and the start of the stack) is a random variable in the [8KB,4KB+128KB=132KB] range -- the size of a memleak-chunk plus 128KB (DEFAULT_TOP_PAD);
-
sudo_ttyname_scan() recurses a few more times and therefore allocates more stack memory, but this stack expansion is blocked by the heap and crashes into the stack guard-page after 16 recursions on average (132KB/4KB/2, where 132KB is the maximum final heap-stack distance, and 4KB is the size of sudo_ttyname_scan()'s stack-frame).
To solve this unexpected problem, we:
-
first, redirect sudo_ttyname_scan() to a directory tree "A" in /var/tmp that recurses and allocates stack memory, but does not allocate heap memory (each directory level contains only one entry, the sub-directory that is connected to the next directory level);
-
second, redirect sudo_ttyname_scan() to a directory tree "B" in /var/tmp that recurses and allocates heap memory (each directory level contains many entries), but does not allocate more stack memory (it simply consumes the stack memory that was already allocated by the directory tree "A"): it does not further expand the stack, and does not crash into the guard-page.
Finally, we increase the speed of our exploit and avoid thousands of useless recursions:
-
in each directory level traversed by sudo_ttyname_scan(), we randomly modify the names of its sub-directories until the first call to readdir() returns the only sub-directory that is connected to the next level of the directory tree (all other sub-directories allocate heap memory but are otherwise empty);
-
we dup2() Sudo's stdout and stderr to a pipe with no readers that terminates Sudo with a SIGPIPE if sudo_ttyname_scan() calls warning() and sudo_printf() (a failed exploit attempt, usually because the final heap-stack distance is much longer or shorter than the guard-page jump).
Step 2: Move the stack-pointer to the start of the stack
sudo_ttyname_scan() allocates a 4KB (PATH_MAX) stack-based pathbuf[] that naturally consumes the 128KB of initial stack expansion in fewer than 128KB/4KB=32 recursive calls.
The recursive calls to sudo_ttyname_scan() allocate less than 8MB of stack memory: the maximum number of recursions (PATH_MAX / strlen("/a") = 2K) multiplied by the size of sudo_ttyname_scan()'s stack-frame (4KB).
Step 3: Jump over the stack guard-page and into the heap
The length of the guard-page jump in gettext() is the length of the LANGUAGE environment variable (at most 128KB, MAX_ARG_STRLEN): we take a 64KB jump, well within the range of the final heap-stack distance; this jump then lands into the free chunk at the end of the heap, where the smashing-chunk will be allocated in Step 4a, with a probability of (smashing-chunk / (memleak-chunk + DEFAULT_TOP_PAD)).
If available, we assign "C.UTF-8" to the LC_ALL environment variable, and prepend "be" to our 64KB LANGUAGE environment variable, because these minimal locales do not interfere with our heap feng-shui.
Step 4a: Smash the stack with the heap
In gettext(), the smashing-chunk (a malloc() and memcpy() of the OUTPUT_CHARSET environment variable) must be allocated into the free chunk at the end of the heap, where the stack-frame of memcpy() is also allocated.
First, if the size of our memleak-chunks is exactly 4KB+8B (PATH_MAX+MALLOC_ALIGNMENT), then:
-
the size of the free chunk at the end of the heap is a random variable in the [0B,4KB] range;
-
the size of the free chunks left over at the end of the 1MB mmap()s is roughly 1MB%(4KB+8B)=2KB.
Second, if the size of our smashing-chunk is about 2KB+256B (PATH_MAX/2+NAME_MAX), then:
-
it is always larger than (and never allocated into) the free chunks at the end of the 1MB mmap()s;
-
it is smaller than (and allocated into) the free chunk at the end of the heap with a probability of roughly 1-(2KB+256B)/4KB.
Last, in each level of our directory tree "B", sudo_ttyname_scan() malloc()ates and realloc()ates an array of pointers to sub-directories, but these realloc()s prevent the smashing-chunk from being allocated into the free chunk at the end of the heap:
-
they create holes in the heap, where the smashing-chunk may be allocated to;
-
they may allocate the free chunk at the end of the heap, where the smashing-chunk should be allocated to.
To solve these problems, we carefully calculate the number of sub-directories in each level of our directory tree "B":
- we limit the size of the realloc()s -- and hence the size of the holes that they create -- to 4KB+2KB:
. either a memleak-chunk is allocated into such a hole, and the remainder is smaller than the smashing-chunk ("not a fit");
. or such a hole is not allocated, but it is larger than the largest free chunk at the end of the heap ("a worse fit");
- we gradually reduce the final size of the realloc()s in the last levels of our directory tree "B", and hence re-allocate the holes created in the previous levels.
In theory, on Debian 8.5, the probability of gaining control of eip is approximately 1/148, the product of:
-
(Step 1) the probability of reaching the stack with the heap: 1-3MB/32MB;
-
(Step 3) the probability of jumping over the stack guard-page and into the free chunk at the end of the heap: (2KB+256B) / (4KB+8B + 128KB);
-
(Step 4a) the probability of allocating the smashing-chunk into the free chunk at the end of the heap: 1-(2KB+256B)/4KB.
In practice, on Debian 8.5, this Sudo exploit:
-
gains eip control in 1 run out of 200, on average;
-
takes 2.8 seconds per run (on a 4GB Virtual Machine);
-
has a good chance of obtaining a root-shell after 200 * 2.8 seconds = 9 minutes;
-
uses 2GB of memory.
Note: we do not return-into-libc's system() in Step 4a because /bin/sh may be bash, which drops our escalated root privileges upon execution. Instead, we:
-
either return-into-libc's __gconv_find_shlib() function through find_module(), which loads this function's argument from -0x20(%ebp);
-
or return-into-libc's __libc_dlopen_mode() function through nss_load_library(), which loads this function's argument from -0x1c(%ebp);
-
search the libc for a relative pathname that contains a slash character (for example, "./fork.c") and pass its address to __gconv_find_shlib() or __libc_dlopen_mode();
-
symlink() our PIE exploit to this pathname, and let Sudo execute our _init() constructor as root, upon successful exploitation.
Debian 8.6
Unlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672: Sudo's PIE and libraries are always randomized, even if we set RLIMIT_STACK to RLIM_INFINITY; the probability of successfully returning-into-libc, after gaining eip control in Step 4a (Smash), is 1/256.
However, Debian 8.6 is still vulnerable to offset2lib, the minor weakness in Linux's ASLR that coincidentally affects Step 1 (Clash) of our stack-clash exploits:
-
if we set RLIMIT_STACK to 136MB (MIN_GAP) or less (the default is 8MB), then the initial heap-stack distance (between the start of the heap and the end of the stack) is minimal, a random variable in the [96MB,137MB] range;
-
instead of allocating 1GB of heap memory and 1GB of stack memory to clash the stack with the heap, we merely allocate 137MB of heap memory (directory pathnames from our directory tree "B") and no stack memory.
In theory, on Debian 8.6, the probability of gaining eip control is 1/134 (instead of 1/148 on Debian 8.5) because the growth of the heap is never blocked by Sudo's libraries; and in practice, this Sudo exploit takes only 0.15 second per run (instead of 2.8 on Debian 8.5).
Independent exploitation
The vulnerability that we discovered in Sudo's get_process_ttyname() function for Linux (CVE-2017-1000367) is exploitable independently of its stack-clash repercussions: through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.
On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with this command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr.
To exploit this vulnerability, we:
-
create a directory "/dev/shm/_tmp" (to work around /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty" to a non-existent pty "/dev/pts/57", whose device number is 34873;
-
run Sudo through a symlink "/dev/shm/_tmp/ 34873 " that spoofs the device number of this non-existent pty;
-
set the flag CD_RBAC_ENABLED through the command-line option "-r role" (where "role" can be our current role, for example "unconfined_r");
-
monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event) and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot find our non-existent pty in "/dev/pts/");
-
SIGSTOP Sudo, call openpty() until it creates our non-existent pty, and SIGCONT Sudo;
-
monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify event) and wait until Sudo closedir()s it;
-
SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our now-existent pty with a symlink to the file that we want to overwrite (for example "/etc/passwd"), and SIGCONT Sudo;
-
control the output of the command executed by Sudo (the output that overwrites "/etc/passwd"):
. either through a command-specific method;
. or through a general method such as "--\nHELLO\nWORLD\n" (by default, getopt() prints an error message to stderr if it does not recognize an option character).
To reliably win the two SIGSTOP races, we preempt the Sudo process: we setpriority() it to the lowest priority, sched_setscheduler() it to SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit.
[john@localhost ~]$ head -n 8 /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt
[john@localhost ~]$ sudo -l [sudo] password for john: ... User john may run the following commands on localhost: (ALL) /usr/bin/sum
[john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n' [sudo] password for john:
[john@localhost ~]$ head -n 8 /etc/passwd /usr/bin/sum: unrecognized option '-- HELLO WORLD ' Try '/usr/bin/sum --help' for more information. ogin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
======================================================================== IV.1.3. ld.so "hwcap" exploit ========================================================================
"ld.so and ld-linux.so* find and load the shared libraries needed by a program, prepare the program to run, and then run it." (man ld.so)
Through ld.so, most SUID and SGID binaries on most i386 Linux distributions are exploitable. For example: Debian 7, 8, 9, 10; Fedora 23, 24, 25; CentOS 5, 6, 7.
Debian 8.5
Step 1: Clash the stack with anonymous mmap()s
The minimal malloc() implementation in ld.so calls mmap(), not brk(), to obtain memory from the system, and it never calls munmap(). To reach the start of the stack with anonymous mmap()s, we:
-
set RLIMIT_STACK to RLIM_INFINITY and switch from the default top-down mmap() layout to the legacy bottom-up mmap() layout;
-
cover half of the initial mmap-stack distance (0xC0000000-0x40000000=2GB) with 1GB of stack memory (the maximum permitted by the kernel's 1/4 limit on the argument and environment strings);
-
cover the other half of this distance with 1GB of anonymous mmap()s, through multiple LD_AUDIT environment variables that permanently leak millions of audit_list structures (CVE-2017-1000366) in process_envvars() and process_dl_audit() (elf/rtld.c).
Step 2: Move the stack-pointer to the start of the stack
To consume the 128KB of initial stack expansion, we simply pass 128KB of argv[] and envp[] pointers to execve(), as explained in II.3.2.
Step 3: Jump over the stack guard-page and into the anonymous mmap()s
_dl_init_paths() (elf/dl-load.c), which is called by dl_main() after process_envvars(), alloca()tes llp_tmp, a stack-based buffer large enough to hold the LD_LIBRARY_PATH environment variable and any combination of Dynamic String Token (DST) replacement strings. To calculate the size of llp_tmp, _dl_init_paths() must:
-
first, scan LD_LIBRARY_PATH and count all DSTs ($LIB, $PLATFORM, and $ORIGIN);
-
second, multiply the number of DSTs by the length of the longest DST replacement string (on Debian, $LIB is replaced by the 18-char-long "lib/i386-linux-gnu", $PLATFORM by "i386" or "i686", and $ORIGIN by the pathname of the program's directory, for example "/bin" or "/usr/sbin" -- the longest DST replacement string is usually "lib/i386-linux-gnu");
-
last, add the length of the original LD_LIBRARY_PATH.
Consequently, if LD_LIBRARY_PATH contains many DSTs that are replaced by the shortest DST replacement string, then llp_tmp is large but not fully written to, and can be used to jump over the stack guard-page and into the anonymous mmap()s.
Our ld.so exploits do not use $ORIGIN because it is ignored by several distributions and glibc versions; for example:
2010-12-09 Andreas Schwab schwab@redhat.com
* elf/dl-object.c (_dl_new_object): Ignore origin of privileged
program.
Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
--- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c @@ -214,6 +214,9 @@ _dl_new_object (char realname, const ch out: new->l_origin = origin; } + else if (INTUSE(__libc_enable_secure) && type == lt_executable) + / The origin of a privileged program cannot be trusted. / + new->l_origin = (char ) -1;
return new; }
Step 4b: Smash an anonymous mmap() with the stack
Before _dl_init_paths() returns to dl_main() and jumps back from the anonymous mmap()s into the stack, we overwrite the block of mmap()ed memory malloc()ated by _dl_important_hwcaps() with the contents of the stack-based buffer llp_tmp.
- The block of memory malloc()ated by _dl_important_hwcaps() is divided in two:
. The first part (the "hwcap-pointers") is an array of r_strlenpair structures that point to the hardware-capability strings stored in the second part of this memory block. The second part (the "hwcap-strings") contains strings of hardware-capabilities that are appended to the pathnames of trusted directories, such as "/lib/" and "/lib/i386-linux-gnu/", when open_path() searches for audit libraries (LD_AUDIT), preload libraries (LD_PRELOAD), or dependent libraries (DT_NEEDED).
For example, on Debian, when open_path() finds "libc.so.6" in
"/lib/i386-linux-gnu/i686/cmov/", "i686/cmov/" is such a
hardware-capability string.
- To overwrite the block of memory malloc()ated by _dl_important_hwcaps() with the contents of the stack-based buffer llp_tmp, we divide our LD_LIBRARY_PATH environment variable in two:
. The first, static part (our "good-write") overwrites the first hardware-capability string with characters that we do control. The second, dynamic part (our "bad-write") overwrites the last hardware-capability strings with characters that we do not control (the short DST replacement strings that enlarge llp_tmp and allow us to jump over the stack guard-page).
If our 16-byte-aligned good-write overwrites the 8-byte-aligned first hardware-capability string with the 8-byte pattern "/../tmp/", and if we append the trusted directory "/lib" to our LD_LIBRARY_PATH, then (after _dl_init_paths() returns to dl_main()):
-
dlmopen_doit() tries to load an LD_AUDIT library "a" (our memory leak from Step 1);
-
_dl_map_object() searches for "a" in the trusted directory "/lib" from our LD_LIBRARY_PATH;
-
open_path() finds our library "a" in "/lib//../tmp//../tmp//../tmp/" because we overwrote the first hardware-capability string with the pattern "/../tmp/";
-
dl_open_worker() executes our library's _init() constructor, as root.
In theory, this exploit's probability of success depends on:
- (event A) the size of rtld_search_dirs.dirs[0], an array of r_search_path_elem structures that are malloc()ated by _dl_init_paths() after the _dl_important_hwcaps(), and must be allocated above the stack (below 0xC0000000), not below the stack where it would interfere with Steps 3 (Jump) and 4b (Smash):
P(A) = 1 - size of rtld_search_dirs.dirs[0] / max stack randomization
- (event B) the size of the hwcap-pointers and the size of our good-write, which must overwrite the first hardware-capability string, but not the first hardware-capability pointer (to this string):
P(B|A) = MIN(size of hwcap-pointers, size of good-write) / (max stack randomization - size of rtld_search_dirs.dirs[0])
- (event C) the size of the hwcap-strings and the size of our bad-write, which must not write past the end of hwcap-strings; but we guarantee that size of hwcap-strings >= size of good-write + size of bad-write:
P(C|B) = 1
In practice, we use the LD_HWCAP_MASK environment variable to maximize this exploit's probability of success, because:
-
the size of the hwcap-pointers -- which act as a cushion that absorbs the excess of good-write without crashing,
-
the size of the hwcap-strings -- which act as a cushion that absorbs the excess of good-write and bad-write without crashing,
-
and the size of rtld_search_dirs.dirs[0],
are all proportional to 2^N, where N is the number of supported hardware-capabilities that we enable in LD_HWCAP_MASK.
For example, on Debian 8.5, this exploit:
-
has a 1/151 probability of success;
-
takes 5.5 seconds per run (on a 4GB Virtual Machine);
-
has a good chance of obtaining a root-shell after 151 * 5.5 seconds = 14 minutes.
Debian 8.6
Unlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672, but our ld.so "hwcap" exploit is a data-only attack and is not affected by the ASLR of the libraries and PIEs.
Debian 9 and 10
Unlike Debian 8, Debian 9 and 10 are not vulnerable to offset2lib: if we set RLIMIT_STACK to RLIM_INFINITY, the libraries are randomized above the address 0x40000000, but the PIE is randomized above 0x80000000 (instead of 0x40000000 before the offset2lib patch).
Unfortunately, we discovered a vulnerability in the offset2lib patch (CVE-2017-1000370): if the PIE is execve()d with 1GB of argument or environment strings (the maximum permitted by the kernel's 1/4 limit) then the stack occupies the address 0x80000000, and the PIE is mapped above the address 0x40000000 instead, directly below the libraries. This vulnerability effectively nullifies the offset2lib patch, and allows us to reuse our Debian 8 exploit against Debian 9 and 10.
$ ./Linux_offset2lib Run #1... CVE-2017-1000370 triggered 40076000-40078000 r-xp 00000000 00:26 25041 /tmp/Linux_offset2lib 40078000-40079000 r--p 00001000 00:26 25041 /tmp/Linux_offset2lib 40079000-4009b000 rw-p 00002000 00:26 25041 /tmp/Linux_offset2lib 4009b000-400c0000 r-xp 00000000 fd:00 8463588 /usr/lib/ld-2.24.so 400c0000-400c1000 r--p 00024000 fd:00 8463588 /usr/lib/ld-2.24.so 400c1000-400c2000 rw-p 00025000 fd:00 8463588 /usr/lib/ld-2.24.so 400c2000-400c4000 r--p 00000000 00:00 0 [vvar] 400c4000-400c6000 r-xp 00000000 00:00 0 [vdso] 400c6000-400c8000 rw-p 00000000 00:00 0 400cf000-402a3000 r-xp 00000000 fd:00 8463595 /usr/lib/libc-2.24.so 402a3000-402a4000 ---p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so 402a4000-402a6000 r--p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so 402a6000-402a7000 rw-p 001d6000 fd:00 8463595 /usr/lib/libc-2.24.so 402a7000-402aa000 rw-p 00000000 00:00 0 7fcf1000-bfcf2000 rw-p 00000000 00:00 0 [stack]
Caveats
- On Fedora and CentOS, this ld.so "hwcap" exploit fails against /usr/bin/passwd and /usr/bin/chage (but it works against all other SUID-root binaries) because of SELinux:
type=AVC msg=audit(1492091008.983:414): avc: denied { execute } for pid=2169 comm="passwd" path="/var/tmp/a" dev="dm-0" ino=12828063 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1492092997.581:487): avc: denied { execute } for pid=2648 comm="chage" path="/var/tmp/a" dev="dm-0" ino=12828063 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
- It fails against recent versions of Sudo that specify an RPATH such as "/usr/lib/sudo": _dl_map_object() first searches for our LD_AUDIT library in RPATH, but open_path() fails to find our library in "/usr/lib/sudo//../tmp/" and crashes as soon as it reaches an overwritten hwcap-pointer.
This problem can be solved by a 16-byte pattern "///../../../tmp/" (instead of the 8-byte pattern "/../tmp/") but the exploit's probability of success would be divided by two.
- On Ubuntu, this ld.so "hwcap" exploit always fails, because of the following patch:
Description: pro-actively disable LD_AUDIT for setuid binaries, regardless of where the libraries are loaded from. This is to try to make sure that CVE-2010-3856 cannot sneak back in. Upstream is unlikely to take this, since it limits the functionality of LD_AUDIT. Author: Kees Cook kees@ubuntu.com
Index: eglibc-2.15/elf/rtld.c
--- eglibc-2.15.orig/elf/rtld.c 2012-05-09 10:05:29.456899131 -0700 +++ eglibc-2.15/elf/rtld.c 2012-05-09 10:38:53.952009069 -0700 @@ -2529,7 +2529,7 @@ while ((p = (strsep) (&str, ":")) != NULL) if (p[0] != '\0' && (__builtin_expect (! __libc_enable_secure, 1) - || strchr (p, '/') == NULL)) + )) { / This is using the local malloc, not the system malloc. The memory can never be freed. /
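Review bot: The rewritten condition keeps the now-redundant inner parentheses and leaves a bare `))` on a line of its own, and nothing at the call site records that LD_AUDIT entries are skipped entirely once `__libc_enable_secure` is set. I would close the test on the previous line, `&& __builtin_expect (! __libc_enable_secure, 1))`, and put a comment above the `if` such as `/* Secure (setuid) mode: ignore every LD_AUDIT entry, not only those containing a slash. */`, so that the restriction is not mistaken for a merge leftover and relaxed later. The enclosing function and the loop body start and end outside this hunk.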
======================================================================== IV.1.4. ld.so ".dynamic" exploit ========================================================================
To exploit ld.so without the LD_AUDIT memory leak, we rely on a second vulnerability that we discovered in the offset2lib patch (CVE-2017-1000371):
if we set RLIMIT_STACK to RLIM_INFINITY, and allocate nearly 1GB of stack memory (the maximum permitted by the kernel's 1/4 limit on the argument and environment strings) then the stack grows down to almost 0x80000000, and because the PIE is mapped above 0x80000000, the minimum distance between the end of the PIE's read-write segment and the start of the stack is 4KB (the stack guard-page).
$ ./Linux_offset2lib 0x3f800000 Run #1... Run #2... Run #3... Run #796... Run #797... Run #798... CVE-2017-1000371 triggered 4007b000-400a0000 r-xp 00000000 fd:00 8463588 /usr/lib/ld-2.24.so 400a0000-400a1000 r--p 00024000 fd:00 8463588 /usr/lib/ld-2.24.so 400a1000-400a2000 rw-p 00025000 fd:00 8463588 /usr/lib/ld-2.24.so 400a2000-400a4000 r--p 00000000 00:00 0 [vvar] 400a4000-400a6000 r-xp 00000000 00:00 0 [vdso] 400a6000-400a8000 rw-p 00000000 00:00 0 400af000-40283000 r-xp 00000000 fd:00 8463595 /usr/lib/libc-2.24.so 40283000-40284000 ---p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so 40284000-40286000 r--p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so 40286000-40287000 rw-p 001d6000 fd:00 8463595 /usr/lib/libc-2.24.so 40287000-4028a000 rw-p 00000000 00:00 0 8000a000-8000c000 r-xp 00000000 00:26 25041 /tmp/Linux_offset2lib 8000c000-8000d000 r--p 00001000 00:26 25041 /tmp/Linux_offset2lib 8000d000-8002f000 rw-p 00002000 00:26 25041 /tmp/Linux_offset2lib 80030000-bf831000 rw-p 00000000 00:00 0 [heap]
Note: in this example, the "[stack]" is incorrectly displayed as the "[heap]" by show_map_vma() (in fs/proc/task_mmu.c).
This completes Step 1: we clash the stack with the PIE's read-write segment; we complete the remaining steps as in the "hwcap" exploit:
-
Step 2: we consume the initial stack expansion with 128KB of argv[] and envp[] pointers;
-
Step 3: we jump over the stack guard-page and into the PIE's read-write segment with llp_tmp's alloca() (in _dl_init_paths());
-
Step 4b: we smash the PIE's read-write segment with llp_tmp's good-write and bad-write (in _dl_init_paths()); we can smash the following sections:
-
.data and .bss: but we discarded this application-specific approach;
-
.got: although protected by Full RELRO (Full RELocate Read-Only, GNU_RELRO and BIND_NOW) the .got is still writable when we smash it in _dl_init_paths(); however, within ld.so, the .got is written to but never read from, and we therefore discarded this approach;
-
.dynamic: our favored approach.
On i386, the .dynamic section is an array of Elf32_Dyn structures (an int32 d_tag, and the union of uint32 d_val and uint32 d_ptr) that contains entries such as:
-
DT_STRTAB, a pointer to the PIE's .dynstr section (a read-only string table): its d_tag (DT_STRTAB) is read (by elf_get_dynamic_info()) before we smash it in _dl_init_paths(), but its d_ptr is read (by _dl_map_object_deps()) after we smash it in _dl_init_paths();
-
DT_NEEDED, an offset into the .dynstr section: the pathname of a dependent library that must be loaded by _dl_map_object_deps().
If we overwrite the entire .dynamic section with the following 8-byte pattern (an Elf32_Dyn structure):
-
a DT_NEEDED d_tag,
-
a d_val equal to half the address of our own string table on the stack (16MB of argument strings, enough to defeat the 8MB stack randomization),
then _dl_map_object_deps() reads the pathname of this dependent library from DT_STRTAB.d_ptr + DT_NEEDED.d_val = our_strtab/2 + our_strtab/2 = our_strtab, and loads our own library, as root. This 8-byte pattern is simple, but poses two problems:
-
DT_NEEDED is an int32 equal to 1, but we smash the .dynamic section with a string copy that cannot contain null-bytes: to solve this first problem we use DT_AUXILIARY instead, which is equivalent but equal to 0x7ffffffd;
-
ld.so crashes before it returns from dl_main() (before it calls _dl_init() and executes our library's _init() constructor):
. in _dl_map_object_deps() because of our DT_AUXILIARY entry;
. in version_check_doit() because we overwrote the DT_VERNEED entry;
. in _dl_relocate_object() because we overwrote the DT_REL, DT_RELSZ, and DT_RELCOUNT entries.
To solve this second problem, we could overwrite the .dynamic section with a more complicated pattern that repairs these entries, but our exploit's probability of success would decrease significantly.
Instead, we take control of ld.so's execution flow as soon as _dl_map_object_deps() loads our library:
-
our library contains three executable LOAD segments,
-
but only the first and last segments are sanity-checked by _dl_map_object_from_fd() and _dl_map_segments(),
-
and all segments except the first are mmap()ed with MAP_FIXED by _dl_map_segments(),
-
so we can mmap() our second segment anywhere -- we mmap() it on top of ld.so's executable segment,
-
and return into our own code (instead of ld.so's) as soon as this second mmap() system-call returns.
Probabilities
The "hwcap" exploit taught us that this ".dynamic" exploit's probability of success depends on:
-
the size of the cushion below the .dynamic section, which can absorb the excess of "good-write" without crashing: the padding bytes between the start of the PIE's read-write segment and the start of its first read-write section;
-
the size of the cushion above the .dynamic section, which can absorb the excess of "good-write" and "bad-write" without crashing: the .got, .data, and .bss sections.
If we guarantee that (cushion above .dynamic > good-write + bad-write), then the theoretical probability of success is approximately:
MIN(cushion below .dynamic, good-write) / max stack randomization
The maximum size of the cushion below the .dynamic section is 4KB (one page) and hence the maximum probability of success is 4KB/8MB=1/2048. In practice, on Ubuntu 16.04.2:
-
the highest probability is 1/2589 (/bin/su) and the lowest probability is 1/9225 (/usr/lib/eject/dmcrypt-get-device);
-
each run uses 1GB of memory and takes 1.5 seconds (on a 4GB Virtual Machine);
-
this ld.so ".dynamic" exploit has a good chance of obtaining a root-shell after 2589 * 1.5 seconds ~= 1 hour.
======================================================================== IV.1.5. /bin/su ========================================================================
As we were drafting this advisory, we discovered a general method for completing Step 1 (Clash) of the stack-clash exploitation: the Linux kernel limits the size of the command-line arguments and environment variables to 1/4 of the RLIMIT_STACK, but it imposes this limit on the argument and environment strings, not on the argv[] and envp[] pointers to these strings (CVE-2017-1000365).
On i386, if we set RLIMIT_STACK to RLIM_INFINITY, the maximum number of argv[] and envp[] pointers is 1G (1/4 of the RLIMIT_STACK, divided by 1B, the minimum size of an argument or environment string). In theory, the maximum size of the initial stack is therefore 1G*(1B+4B)=5GB. In practice, this would exhaust the address-space, which allows us to clash the stack with the memory region that is mapped below, without an application-specific memory leak.
This discovery allowed us to write alternative versions of our stack-clash exploits; for example:
-
an ld.so "hwcap" exploit against Ubuntu: we replace the LD_AUDIT memory leak with 2GB of stack memory (1GB of argument and environment strings, and 1GB of argv[] and envp[] pointers) and replace the LD_AUDIT library with an LD_PRELOAD library;
-
an ld.so ".dynamic" exploit against systems vulnerable to offset2lib: we reach the end of the PIE's read-write segment with only 128MB of stack memory (argument and environment strings and pointers).
These proofs-of-concept demonstrate a general method for completing Step 1 (Clash), but they are much slower than their original versions (10-20 seconds per run) because they pass millions of argv[] and envp[] pointers to execve().
Moreover, this discovery allowed us to exploit SUID binaries through general methods that do not depend on application-specific or ld.so vulnerabilities; if a SUID binary calls setlocale(LC_ALL, ""); and gettext() (or a derivative such as strerror() or _()), then it is exploitable:
-
Step 1: we clash the stack with the heap through millions of argument and environment strings and pointers;
-
Step 2: we consume the initial stack expansion with 128KB of argument and environment pointers;
-
Step 3: we jump over the stack guard-page and into the heap with the alloca()tion of the LANGUAGE environment variable in gettext();
-
Step 4a: we smash the stack with the malloc()ation of the OUTPUT_CHARSET environment variable in gettext() and thus gain control of eip.
For example, we exploited Debian's /bin/su (from the shadow-utils): its main() function calls setlocale() and save_caller_context(), which calls gettext() (through _()) if its stdin is not a tty.
Debian 8.5
Debian 8.5 is vulnerable to CVE-2016-3672: we set RLIMIT_STACK to RLIM_INFINITY and disable ASLR, clash the stack with the heap through 2GB of argument and environment strings and pointers (1GB of strings, 1GB of pointers), and return-into-libc's system() or __libc_dlopen():
-
the system() version uses 4GB of memory (2GB in the /bin/su process, and 2GB in the process fork()ed by system());
-
the __libc_dlopen() version uses only 2GB of memory, but ebp must point to our smashed data on the stack.
Debian 8.6
Debian 8.6 is vulnerable to offset2lib but not to CVE-2016-3672: we must brute-force the libc's ASLR (8 bits of entropy), but we clash the stack with the heap through only 128MB of argument and environment strings and pointers -- this /bin/su exploit can be parallelized.
======================================================================== IV.1.6. Grsecurity/PaX ========================================================================
https://grsecurity.net/
In 2010, grsecurity/PaX introduced a configurable stack guard-page: its size can be modified through /proc/sys/vm/heap_stack_gap and is 64KB by default (unlike the hard-coded 4KB stack guard-page in the vanilla kernel).
Unfortunately, a 64KB stack guard-page is not large enough, and can be jumped over with ld.so or gettext() (CVE-2017-1000377); for example, we were able to gain eip control against Sudo, but we were unable to obtain a root-shell or gain eip control against another application, because grsecurity/PaX imposes the following security measures:
-
it restricts the RLIMIT_STACK of SUID binaries to 8MB, which prevents us from switching to the legacy bottom-up mmap() layout (Step 1);
-
it restricts the argument and environment strings to 512KB, which prevents us from clashing the stack through megabytes of command-line arguments and environment variables (Step 1);
-
it randomizes the PIE and libraries with 16 bits of entropy (instead of 8 bits in vanilla), which prevents us from brute-forcing the ASLR and returning-into-libc (Step 4a);
-
it implements /proc/sys/kernel/grsecurity/deter_bruteforce (enabled by default), which limits the number of SUID crashes to 1 every 15 minutes (all Steps) and makes exploitation impossible.
Sudo
The vulnerability that we discovered in Sudo's get_process_ttyname() (CVE-2017-1000367) allows us to:
-
Step 1: clash the stack with 3GB of heap memory from the filesystem (directory pathnames) and bypass grsecurity/PaX's 512KB limit on the argument and environment strings;
-
Step 2: consume the 128KB of initial stack expansion with 3MB of recursive function calls and avoid grsecurity/PaX's 8MB restriction on the RLIMIT_STACK;
-
Step 3: jump over grsecurity/PaX's 64KB stack guard-page with a 128KB (MAX_ARG_STRLEN) alloca()tion of the LANGUAGE environment variable in gettext();
-
Step 4a: smash the stack with a 128KB (MAX_ARG_STRLEN) malloc()ation of the OUTPUT_CHARSET environment variable in gettext() -- the "smashing-chunk" -- and thus gain control of eip.
In Step 1, we nearly exhaust the address-space until finally malloc() switches from brk() to 1MB mmap()s and reaches the start of the stack with the very last 1MB mmap() that we allocate. The exact amount of memory that we must allocate to reach the stack with our last 1MB mmap() depends on the sum of three random variables: the 256MB randomization of the stack, the 64MB randomization of the heap, and the 1MB randomization of the NULL region.
To maximize the probability of jumping over the stack guard-page, into our last 1MB mmap() below the stack, and overwriting a return-address on the stack with our smashing-chunk:
-
(Step 1) we must allocate the mean amount of memory to reach the stack with our last 1MB mmap(): the sum of three uniform random variables is not uniform (https://en.wikipedia.org/wiki/Irwin-Hall_distribution), but the values within the 256MB-64MB-1MB=191MB plateau at the center of this bell-shaped probability distribution occur with a uniform and maximum probability of (1MB*64MB)/(1MB*64MB*256MB)=1/256MB;
-
(Step 1) the end of our last 1MB mmap() must be allocated at a distance within [stack guard-page (64KB), guard-page jump (128KB)] below the start of the stack: the guard-page jump (Step 3) then lands at a distance d within [0, guard-page jump - stack guard-page (64KB)] below the end of our last 1MB mmap();
-
(Step 4a) the end of our smashing-chunk must be allocated at the end of our last 1MB mmap(), above the landing-point of the guard-page jump: our smashing-chunk then overwrites a return-address on the stack, below the landing-point of the guard-page jump.
In theory, this probability is roughly:
SUM(d = 1; d < guard-page jump - stack guard-page; d++) d / (256MB*1MB)
~= ((guard-page jump - stack guard-page)^2 / 2) / (256MB*1MB)
~= 1 / 2^17
In practice, we tested this Sudo proof-of-concept on an i386 Debian 8.6 protected by the linux-grsec package from the jessie-backports, but we manually disabled /proc/sys/kernel/grsecurity/deter_bruteforce:
-
it uses 3GB of memory, and 800K on-disk inodes;
-
it takes 5.5 seconds per run (on a 4GB Virtual Machine);
-
it has a good chance of gaining eip control after 2^17 * 5.5 seconds = 200 hours; in our test:
PAX: From 192.168.56.1: execution attempt in: , 1b068000-a100d000 1b068000 PAX: terminating task: /usr/bin/sudo( 1 ):25465, uid/euid: 1000/0, PC: 41414141, SP: b8844f30 PAX: bytes at PC: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 PAX: bytes at SP-4: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
However, brute-forcing the ASLR to obtain a root-shell would take ~1500 years and makes exploitation impossible.
Moreover, if we enable /proc/sys/kernel/grsecurity/deter_bruteforce, gaining eip control would take ~1365 days, and obtaining a root-shell would take thousands of years.
======================================================================== IV.1.7. 64-bit exploitation ========================================================================
Introduction
The address-space of a 64-bit process is so vast that we initially thought it was impossible to clash the stack with another memory region; we were wrong.
Linux's execve() first randomizes the end of the mmap region (which grows top-down by default) and then randomizes the end of the stack region (which grows down, on x86). On amd64, the initial mmap-stack distance (between the end of the mmap region and the end of the stack region) is minimal when RLIMIT_STACK is lower than or equal to MIN_GAP (mmap_base() in arch/x86/mm/mmap.c), and then:
- the end of the mmap region is equal to (as calculated by arch_pick_mmap_layout() in arch/x86/mm/mmap.c):
mmap_end = TASK_SIZE - MIN_GAP - arch_mmap_rnd()
where:
. TASK_SIZE is the highest address of the user-space (0x7ffffffff000)
. MIN_GAP = 128MB + stack_maxrandom_size()
. stack_maxrandom_size() is ~16GB (or ~4GB if the kernel is vulnerable to CVE-2015-1593, but we do not consider this case here)
. arch_mmap_rnd() is a random variable in the [0B,1TB] range
- the end of the stack region is equal to (as calculated by randomize_stack_top() in fs/binfmt_elf.c):
stack_end = TASK_SIZE - "stack_rand"
where:
. "stack_rand" is a random variable in the [0, stack_maxrandom_size()] range
- the initial mmap-stack distance is therefore equal to:
stack_end - mmap_end = MIN_GAP + arch_mmap_rnd() - "stack_rand"
= 128MB + stack_maxrandom_size() - "stack_rand" + arch_mmap_rnd()
= 128MB + StackRand + MmapRand
where:
. StackRand = stack_maxrandom_size() - "stack_rand", a random variable in the [0B,16GB] range
. MmapRand = arch_mmap_rnd(), a random variable in the [0B,1TB] range
Consequently, the minimum initial mmap-stack distance is only 128MB (CVE-2017-1000379), and:
-
On kernels vulnerable to offset2lib, the heap of a PIE (which is mapped at the end of the mmap region) is mapped below and close to the stack with a good probability (~1/700). We can therefore clash the stack with the heap in Step 1, jump over the stack guard-page and into the heap in Step 3, and smash the stack with the heap and gain control of rip in Step 4a (after 6 hours on average). However, because the addresses of all executable regions contain null-bytes, and because most of our stack-smashes in Step 4a are string operations (except the getaddrinfo() method), we were unable to transform such a rip control into arbitrary code execution.
-
On all kernels, either a PIE or ld.so is mapped directly below the stack with a good probability (~1/17000) -- the end of the PIE's or ld.so's read-write segment is then equal to the start of the stack guard-page. We can therefore adapt our ld.so "hwcap" exploit to amd64 and obtain root privileges through most SUID binaries on most Linux distributions (after 5 hours on average).
Kernels vulnerable to offset2lib, local Exim proof-of-concept
Exim's binary is usually a PIE, mapped at the end of the mmap region; and the heap, which always grows up and is randomized above the end of the binary, is therefore randomized above the end of the mmap region (arch_randomize_brk() in arch/x86/kernel/process.c):
heap_start = mmap_end + "heap_rand"
where "heap_rand" is a random variable in the [0B,32MB] range (negligible and ignored here). For example, on Debian 8.5:
cat /proc/"`pidof -s /usr/sbin/exim4`"/maps
... 7fa6410d6000-7fa6411c8000 r-xp 00000000 08:01 14574 /usr/sbin/exim4 7fa6413b4000-7fa6413bd000 rw-p 00000000 00:00 0 7fa6413c5000-7fa6413c7000 rw-p 00000000 00:00 0 7fa6413c7000-7fa6413c9000 r--p 000f1000 08:01 14574 /usr/sbin/exim4 7fa6413c9000-7fa6413d2000 rw-p 000f3000 08:01 14574 /usr/sbin/exim4 7fa6413d2000-7fa6413d7000 rw-p 00000000 00:00 0 7fa641b34000-7fa641b76000 rw-p 00000000 00:00 0 [heap] 7ffdf3e53000-7ffdf3ed6000 rw-p 00000000 00:00 0 [stack] 7ffdf3f3c000-7ffdf3f3e000 r-xp 00000000 00:00 0 [vdso] 7ffdf3f3e000-7ffdf3f40000 r--p 00000000 00:00 0 [vvar] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
To reach the start of the stack with the end of the heap (through the -p memory leak in Exim) in Step 1 of our stack-clash, we must minimize the initial heap-stack distance, and hence the initial mmap-stack distance, and set RLIMIT_STACK to MIN_GAP (~16GB). This limits the size of our -p argument strings on the stack to 16GB/4=4GB, and because we then leak the same amount of heap memory through -p, the initial heap-stack distance must be:
-
longer than 4GB (the stack must be able to contain the -p argument strings);
-
shorter than 8GB (the end of the heap must be able to reach the start of the stack during the -p memory leak).
The initial heap-stack distance (approximately the initial mmap-stack distance, 128MB + StackRand + MmapRand, but we ignore the 128MB term here) follows a trapezoidal Irwin-Hall distribution, and the [4GB,8GB] range is within the first non-uniform area of this trapezoid, so the probability that the initial heap-stack distance is in this range is:
SUM(d = 4GB; d < 8GB; d++) d / (16GB * 1TB)
= SUM(d = 0; d < 4GB; d++) (4GB + d) / (16GB * 1TB)
= SUM(d = 0; d < 2^32; d++) (2^32 + d) / (2^34 * 2^40)
~= ((2^32)*(2^32) + (2^32)*(2^32) / 2) / (2^74)
~= 3 / 2^11
~= 1 / 682
The probability of gaining rip control after the heap reaches the stack is ~1/16 (as calculated by a 64-bit version of the small helper program presented in IV.1.1.), and the final probability of gaining rip control with our local Exim proof-of-concept is:
(3 / 2^11) * (1/16) ~= 1 / 10922
On our 8GB Debian 8.7 test machine, this proof-of-concept takes roughly 2 seconds per run, and has a good chance of gaining rip control after 10922 * 2 seconds ~= 6 hours:
gdb /usr/sbin/exim4 core.6049
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1 ... This GDB was configured as "x86_64-linux-gnu". Core was generated by `/usr/sbin/exim4 -p0000000000000000000000000000000000000000000000000000000000000'. Program terminated with signal SIGSEGV, Segmentation fault.
0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:41
41 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. (gdb) x/i $rip => 0x7ffab1be7061 <__memcpy_sse2_unaligned+65>: retq (gdb) x/xg $rsp 0x7ffb9b294a48: 0x4141414141414141
Kernels vulnerable to offset2lib, ld.so ".dynamic" exploit
Since kernels vulnerable to offset2lib map PIEs below and close to the stack, we tried to adapt our ld.so ".dynamic" exploit to amd64. MIN_GAP guarantees a minimum distance of 128MB between the theoretical end of the mmap region and the end of the stack, but the stack then grows down to store the argument and environment strings, and may therefore occupy the theoretical end of the mmap region (where nothing has been mapped yet). Consequently, the end of the mmap region (where the PIE will be mapped) slides down to the first available address, directly below the stack guard-page and the initial stack expansion (described in II.3.2.):
7ffbb7e51000-7ffbb7e53000 r-xp 00000000 fd:03 4465810 /tmp/test64 ... 7ffbb8053000-7ffbb808c000 rw-p 00002000 fd:03 4465810 /tmp/test64 7ffbb808d000-7ffc180ae000 rw-p 00000000 00:00 0 [heap] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Note: in this example, the "[stack]" is, again, incorrectly displayed as the "[heap]" by show_map_vma() (in fs/proc/task_mmu.c).
This layout is ideal for our stack-clash exploits, but poses an unexpected problem: because the PIE is mapped directly below the stack, the stack cannot grow anymore, and the only free stack space is the initial stack expansion (128KB) minus the argv[] and envp[] pointers (which are stored there, as mentioned in II.3.2.):
-
on the one hand, many argv[] and envp[] pointers, and hence many argument and environment strings, result in a higher probability of mapping the PIE directly below the stack;
-
on the other hand, many argv[] and envp[] pointers consume most of the initial stack expansion and do not leave enough free stack space for ld.so to operate.
In practice, we pass 96KB of argv[] pointers to execve(), thus leaving 32KB of free stack space for ld.so, and since the size of a pointer is 8B, and the maximum size of an argument string is 128KB, we also pass 96KB/8B*128KB=1.5GB of argument strings to execve(). The resulting probability of mapping the PIE directly below the stack is:
SUM(s = 0; s < 1.5GB - 128MB; s++) s / (16GB * 1TB)
~= ((1.5GB - 128MB)^2 / 2) / (16GB * 1TB)
~= 1 / 17331
On a 4GB Virtual Machine, each run takes 1 second, and 17331 runs take roughly 5 hours. But we cannot add more uncertainty to this exploit, and because of the problems discussed in IV.1.4. (null-bytes in DT_NEEDED, but also in DT_AUXILIARY on 64-bit, etc), we were unable to overwrite the .dynamic section with a pattern that does not significantly decrease this exploit's probability of success.
All kernels, ld.so "hwcap" exploit
Despite this failure, we had an intuition: when the PIE is mapped directly below the stack, the stack layout should be deterministic -- rsp should point into the 128KB of initial stack expansion, at a 32KB offset above the start of the stack, and the only entropy should be the 8KB of sub-page randomization within the stack (arch_align_stack() in arch/x86/kernel/process.c). The following output of our small test program confirmed this intuition (the fourth field is the distance between the start of the stack and our main()'s rsp when the PIE is mapped directly below the stack):
$ grep -w sp test64.out | sort -nk4 sp 0x7ffbc271ff38 -> 28472 sp 0x7ffbb95ccff8 -> 28664 sp 0x7ffbaf062678 -> 30328 sp 0x7ffbb08736e8 -> 30440 sp 0x7ffbbc616d18 -> 32024 sp 0x7ffbc1a0fdb8 -> 32184 sp 0x7ffbb9c28ff8 -> 32760 sp 0x7ffbdbf4c178 -> 33144 sp 0x7ffbb39bc1c8 -> 33224 sp 0x7ffbebb86838 -> 34872
Surprisingly, the output of this test program contained additional valuable information:
7ffbb7e51000-7ffbb7e53000 r-xp 00000000 fd:03 4465810 /tmp/test64 7ffbb8034000-7ffbb8037000 rw-p 00000000 00:00 0 7ffbb804d000-7ffbb804e000 rw-p 00000000 00:00 0 7ffbb804e000-7ffbb8050000 r--p 00000000 00:00 0 [vvar] 7ffbb8050000-7ffbb8052000 r-xp 00000000 00:00 0 [vdso] 7ffbb8052000-7ffbb8053000 r--p 00001000 fd:03 4465810 /tmp/test64 7ffbb8053000-7ffbb808c000 rw-p 00002000 fd:03 4465810 /tmp/test64 7ffbb808d000-7ffc180ae000 rw-p 00000000 00:00 0 [heap] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
- the distance between the end of the read-execute segment of our test program and the start of its read-only and read-write segments is approximately 2MB; indeed, for every ELF on amd64:
$ readelf -a /usr/bin/su | grep -wA1 LOAD LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x00000000000061b4 0x00000000000061b4 R E 200000 LOAD 0x0000000000006888 0x0000000000206888 0x0000000000206888 0x0000000000000798 0x00000000000007d0 RW 200000
$ readelf -a /lib64/ld-linux-x86-64.so.2 | grep -wA1 LOAD LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x000000000001fad0 0x000000000001fad0 R E 200000 LOAD 0x000000000001fb60 0x000000000021fb60 0x000000000021fb60 0x000000000000141c 0x00000000000015e8 RW 200000
- several objects are actually mapped inside this ~2MB hole: [vdso], [vvar], and two anonymous mappings (7ffbb804d000-7ffbb804e000 and 7ffbb8034000-7ffbb8037000).
This discovery allowed us to adapt our ld.so "hwcap" exploit to amd64:
-
we choose hardware-capabilities that are small enough to be mapped inside this ~2MB hole, but large enough to defeat the 8KB sub-page randomization of the stack;
-
we jump over the stack guard-page, and over the read-only and read-write segments of the PIE, and exploit ld.so as we did on i386.
This exploit's probability of success is therefore 1 when the PIE is mapped directly below the stack, and its final probability of success is ~1/17331: it takes 1 second per run, and has a good chance of obtaining a root-shell after 5 hours. Moreover, it works on all kernels: if a SUID binary is not a PIE, or if the kernel is not vulnerable to offset2lib, we simply jump over ld.so's read-write segment, instead of the PIE's. For example, on Fedora 25, when the exploit succeeds and loads our own library /var/tmp/a (the 7ffbabbef000-7ffbabca7000 mapping contains the hardware-capabilities that we smash):
55a0c9e8d000-55a0c9e91000 r-xp 00000000 fd:00 112767 /usr/libexec/cockpit-polkit 55a0ca091000-55a0ca093000 rw-p 00004000 fd:00 112767 /usr/libexec/cockpit-polkit 7ffbab603000-7ffbab604000 r-xp 00000000 fd:00 4866583 /var/tmp/a 7ffbab604000-7ffbab803000 ---p 00001000 fd:00 4866583 /var/tmp/a 7ffbab803000-7ffbab804000 r--p 00000000 fd:00 4866583 /var/tmp/a 7ffbab804000-7ffbaba86000 rw-p 00000000 00:00 0 7ffbaba86000-7ffbabaab000 r-xp 00000000 fd:00 4229637 /usr/lib64/ld-2.24.so 7ffbabbef000-7ffbabca7000 rw-p 00000000 00:00 0 7ffbabca7000-7ffbabca9000 r--p 00000000 00:00 0 [vvar] 7ffbabca9000-7ffbabcab000 r-xp 00000000 00:00 0 [vdso] 7ffbabcab000-7ffbabcad000 rw-p 00025000 fd:00 4229637 /usr/lib64/ld-2.24.so 7ffbabcad000-7ffbabcae000 rw-p 00000000 00:00 0 7ffbabcaf000-7ffc0bcf0000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
======================================================================== IV.2. OpenBSD ========================================================================
======================================================================== IV.2.1. Maximum RLIMIT_STACK vulnerability (CVE-2017-1000372) ========================================================================
The OpenBSD kernel limits the maximum size of the user-space stack (RLIMIT_STACK) to MAXSSIZ (32MB); the execve() system-call allocates a MAXSSIZ memory region for the stack and divides it in two:
-
the second part, effectively the user-space stack, is mapped PROT_READ|PROT_WRITE at the end of this stack memory region, and occupies RLIMIT_STACK bytes (by default 8MB for root processes, and 4MB for user processes);
-
the first part, effectively a large stack guard-page, is mapped PROT_NONE at the start of this stack memory region, and occupies MAXSSIZ - RLIMIT_STACK bytes.
Unfortunately, we discovered that if an attacker sets RLIMIT_STACK to MAXSSIZ, he eliminates the PROT_NONE part of the stack region, and hence the stack guard-page itself (CVE-2017-1000372). For example:
sh -c 'ulimit -S -s; procmap -a -P'
8192 Start End Size Offset rwxpc RWX I/W/A Dev Inode - File ... 14cf6000-14cfafff 20k 00000000 r-xp+ (rwx) 1/0/0 00:03 52375 - /usr/sbin/procmap [0xdb29ce10] ... 84a7b000-84a7bfff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ] cd7db000-cefdafff 24576k 00000000 ---p+ (rwx) 1/0/0 00:00 0 - [ stack ] cefdb000-cf7cffff 8148k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ] cf7d0000-cf7dafff 44k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ] total 10348k
sh -c 'ulimit -S -s `ulimit -H -s`; procmap -a -P'
Start End Size Offset rwxpc RWX I/W/A Dev Inode - File ... 1a47f000-1a483fff 20k 00000000 r-xp+ (rwx) 1/0/0 00:03 52375 - /usr/sbin/procmap [0xdb29ce10] ... 8a3c8000-8a3c9fff 8k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ] cd7c9000-cf7bffff 32732k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ] cf7c0000-cf7c8fff 36k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ] total 33992k
A remote attacker cannot exploit this vulnerability, because he cannot modify RLIMIT_STACK; but a local attacker can set RLIMIT_STACK to MAXSSIZ, and:
-
Step 1: malloc()ate almost 2GB of heap memory, until the heap reaches the start of the stack region;
-
Steps 2 and 3: consume MAXSSIZ (32MB) of stack memory, until the stack-pointer reaches the start of the stack region (Step 2) and moves into the heap (Step 3);
-
Step 4: smash the stack with the heap (Step 4a) or smash the heap with the stack (Step 4b).
======================================================================== IV.2.2. Recursive qsort() vulnerability (CVE-2017-1000373) ========================================================================
To complete Step 2, a recursive function is needed, and the first possibly recursive function that we investigated is qsort(). On the one hand, glibc's _quicksort() function (in stdlib/qsort.c) is non-recursive (iterative): it uses a small, specialized stack of partition structures (two pointers, low and high), and guarantees that no more than 32 partitions (on i386) or 64 partitions (on amd64) are pushed onto this stack, because it always pushes the larger of two sub-partitions and iterates on the smaller partition.
On the other hand, BSD's qsort() function is recursive: it always recurses on the first sub-partition, and iterates on the second sub-partition; but instead, it should always recurse on the smaller sub-partition, and iterate on the larger sub-partition (CVE-2017-1000373 in OpenBSD, CVE-2017-1000378 in NetBSD, and CVE-2017-1082 in FreeBSD).
In theory, because BSD's qsort() is not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N times. In practice, because this qsort() uses the median-of-three medians-of-three selection of a pivot element (the "ninther"), our attack constructs an input array of N elements that causes qsort() to recurse N/4 times.
======================================================================== IV.2.3. /usr/bin/at proof-of-concept ========================================================================
/usr/bin/at is SGID-crontab (which can be escalated to full root privileges) because it must be able to create ("at -t"), list ("at -l"), and remove ("at -r") job-files in the /var/cron/atjobs directory:
-r-xr-sr-x 4 root crontab 31376 Jul 26 2016 /usr/bin/at drwxrwx--T 2 root crontab 512 Jul 26 2016 /var/cron/atjobs
To demonstrate that OpenBSD's RLIMIT_STACK and qsort() vulnerabilities can be transformed into powerful primitives such as heap corruption, we developed a proof-of-concept against "at -l" (the list_jobs() function):
-
Step 1 (Clash): first, list_jobs() malloc()ates an atjob structure for each file in /var/cron/atjobs -- if we create 40M job-files, then the heap reaches the stack, but we do not exhaust the address-space;
-
Steps 2 and 3 (Run and Jump): second, list_jobs() qsort()s the malloc()ated jobs -- if we construct their time-stamps with our qsort() attack, then we can cause qsort() to recurse 40M/4=10M times and consume at least 10M*4B=40MB of stack memory (each recursive call to qsort() consumes at least 4B, the return-address) and move the stack-pointer into the heap;
-
Step 4b (Smash the heap with the stack): last, list_jobs() free()s the malloc()ated jobs, and abort()s with an error message -- OpenBSD's hardened malloc() implementation detects that the heap has been corrupted by the last recursive calls to qsort().
This naive version of our /usr/bin/at proof-of-concept poses two major problems:
- Our pathological input array of N=40M elements cannot be sorted (Step 2 never finishes because it exhibits qsort()'s worst-case behavior, N^2). To solve this problem, we divide the input array in two:
. the first, pathological part contains only n=(33MB/176B)*4=768K elements that are needed to complete Steps 2 and 3, and cause qsort() to recurse n/4 times and consume (n/4)*176B=33MB of stack memory (MAXSSIZ+1MB) as each recursive call to qsort() consumes 176B of stack memory;
. the second, innocuous part contains the remaining N-n=39M elements that are needed to complete Step 1, but not Steps 2 and 3, and are therefore swapped into the second, iterative partition of the first recursive call to qsort().
- We were unable to create 40M files in /var/cron/atjobs: after one week, OpenBSD's default filesystem (ffs) had created only 4M files, and the rate of file creation had dropped from 25 files/second to 4 files/second. We did not solve this problem, but nevertheless wanted to validate our proof-of-concept:
. we transformed it into an LD_PRELOAD library that intercepts calls to readdir() and fstatat(), and pretends that our 40M files in /var/cron/atjobs exist;
. we made /var/cron/atjobs world-readable and LD_PRELOADed our library into a non-SGID copy of /usr/bin/at;
. after about an hour, "at" reports random heap corruptions:
chmod o+r /var/cron/atjobs
chmod o+r /var/cron/at.deny
$ ulimit -c 0
$ ulimit -S -d `ulimit -H -d`
$ ulimit -S -s `ulimit -H -s`
$ ulimit -S -a
...
coredump(blocks) 0
data(kbytes) 3145728
stack(kbytes) 32768
...
$ cp /usr/bin/at .
$ LD_PRELOAD=./OpenBSD_at.so ./at -l -v -q x > /dev/null initializing jobkeys finalizing jobkeys reading jobs 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% sorting jobs at(78717) in free(): error: chunk info corrupted Abort trap
$ LD_PRELOAD=./OpenBSD_at.so ./at -l -v -q x > /dev/null initializing jobkeys finalizing jobkeys reading jobs 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% sorting jobs at(14184) in free(): error: modified chunk-pointer 0xcd6d0120 Abort trap
======================================================================== IV.3. NetBSD ========================================================================
Like OpenBSD, NetBSD is vulnerable to the maximum RLIMIT_STACK vulnerability (CVE-2017-1000374): if a local attacker sets RLIMIT_STACK to MAXSSIZ, he eliminates the PROT_NONE part of the stack region -- the stack guard-page itself. Unlike OpenBSD, however, NetBSD:
-
defines MAXSSIZ to 64MB on i386 (128MB on amd64);
-
maps the run-time link-editor ld.so directly below the stack region, even if ASLR is enabled (CVE-2017-1000375):
$ sh -c 'ulimit -S -s; pmap -a -P' 2048 Start End Size Offset rwxpc RWX I/W/A Dev Inode - File 08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 21706 - /usr/bin/pmap [0xc5c8f0b8] ... bbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580] bbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ] bbc00000-bf9fffff 63488k 00000000 ---p+ (rwx) 1/0/0 00:00 0 - [ stack ] bfa00000-bfbeffff 1984k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ] bfbf0000-bfbfffff 64k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ] total 9528k
$ sh -c 'ulimit -S -s `ulimit -H -s`; pmap -a -P'
Start End Size Offset rwxpc RWX I/W/A Dev Inode - File
08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 21706 - /usr/bin/pmap [0xc5c8f0b8]
...
bbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580]
bbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]
bbc00000-bfbeffff 65472k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]
bfbf0000-bfbfffff 64k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]
total 73016k
cp /usr/bin/pmap .
paxctl +A ./pmap
sh -c 'ulimit -S -s `ulimit -H -s`; ./pmap -a -P'
Start End Size Offset rwxpc RWX I/W/A Dev Inode - File 08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 172149 - /tmp/pmap [0xc5cb3c64] ... bbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580] bbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ] bbc00000-bf1bffff 55040k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ] bf1c0000-bf1cefff 60k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ] total 62580k
Consequently, a local attacker can set RLIMIT_STACK to MAXSSIZ, eliminate the stack guard-page, and:
-
skip Step 1, because ld.so's read-write segment is naturally mapped directly below the stack region;
-
Steps 2 and 3: consume 64MB (MAXSSIZ) of stack memory (for example, through the recursive qsort() vulnerability, CVE-2017-1000378) until the stack-pointer reaches the start of the stack region (Step 2) and moves into ld.so's read-write segment (Step 3);
-
Step 4b: smash ld.so's read-write segment with the stack.
We did not try to exploit this vulnerability, nor did we search for a vulnerable SUID or SGID binary, but we wrote a simple proof-of-concept, and some of the following crashes may be exploitable:
$ sh -c 'ulimit -S -s ulimit -H -s; ./NetBSD_CVE-2017-1000375 0x04000000'
[1] Segmentation fault ./NetBSD_CVE-201...
$ sh -c 'ulimit -S -s ulimit -H -s; ./NetBSD_CVE-2017-1000375 0x03000000'
...
$ sh -c 'ulimit -S -s ulimit -H -s; ./NetBSD_CVE-2017-1000375 0x03ec5000'
$ sh -c 'ulimit -S -s ulimit -H -s; ./NetBSD_CVE-2017-1000375 0x03ec5400'
[1] Segmentation fault ./NetBSD_CVE-201...
$ sh -c 'ulimit -S -s ulimit -H -s; gdb ./NetBSD_CVE-2017-1000375'
GNU gdb (GDB) 7.7.1
...
(gdb) run 0x03ec5400
Program received signal SIGSEGV, Segmentation fault.
0xbbbf448d in _rtld_symlook_default () from /usr/libexec/ld.elf_so
(gdb) x/i $eip
=> 0xbbbf448d <_rtld_symlook_default+185>: mov %edx,(%esi,%edi,4)
(gdb) info registers
esi 0xbabae890 -1162155888
edi 0x0 0
...
(gdb) run 0x03ec5800
Program received signal SIGSEGV, Segmentation fault.
0xbbbf4465 in _rtld_symlook_default () from /usr/libexec/ld.elf_so
(gdb) x/i $eip
=> 0xbbbf4465 <_rtld_symlook_default+145>: mov 0x4(%ecx),%edx
(gdb) info registers
ecx 0x41414141 1094795585
...
(gdb) run 0x03ec5c00
Program received signal SIGSEGV, Segmentation fault.
0xbbbf4408 in _rtld_symlook_default () from /usr/libexec/ld.elf_so
(gdb) x/i $eip
=> 0xbbbf4408 <_rtld_symlook_default+52>: mov (%eax),%esi
(gdb) info registers
eax 0x41414141 1094795585
...
======================================================================== IV.4. FreeBSD ========================================================================
======================================================================== IV.4.1. setrlimit() RLIMIT_STACK vulnerability (CVE-2017-1085) ========================================================================
FreeBSD's kern_proc_setrlimit() function contains the following comment and code:
/*
* Stack is allocated to the max at exec time with only
* "rlim_cur" bytes accessible. If stack limit is going
* up make more accessible, if going down make inaccessible.
*/
if (limp->rlim_cur != oldssiz.rlim_cur) {
...
if (limp->rlim_cur > oldssiz.rlim_cur) {
prot = p->p_sysent->sv_stackprot;
size = limp->rlim_cur - oldssiz.rlim_cur;
addr = p->p_sysent->sv_usrstack -
limp->rlim_cur;
} else {
prot = VM_PROT_NONE;
size = oldssiz.rlim_cur - limp->rlim_cur;
addr = p->p_sysent->sv_usrstack -
oldssiz.rlim_cur;
}
...
(void)vm_map_protect(&p->p_vmspace->vm_map,
addr, addr + size, prot, FALSE);
}
OpenBSD's and NetBSD's dosetrlimit() function contains the same comment, which accurately describes the layout of their user-space stack region. Unfortunately, FreeBSD's kern_proc_setrlimit() comment and code are incorrect, as hinted at in exec_new_vmspace():
/*
 * Destroy old address space, and allocate a new stack
 *	The new stack is only SGROWSIZ large because it is grown
 *	automatically in trap.c.
 */
and vm_map_stack_locked():
/*
* We initially map a stack of only init_ssize. We will grow as
* needed later.
where init_ssize is SGROWSIZ (128KB), not MAXSSIZ (64MB on i386), because "init_ssize = (max_ssize < growsize) ? max_ssize : growsize;" (and max_ssize is MAXSSIZ, and growsize is SGROWSIZ).
As a result, if a program calls setrlimit() to increase RLIMIT_STACK, vm_map_protect() may turn a read-only memory region below the stack into a read-write region (CVE-2017-1085), as demonstrated by the following proof-of-concept:
% ./FreeBSD_CVE-2017-1085 Segmentation fault
% ./FreeBSD_CVE-2017-1085 setrlimit to the max char at 0xbd155000: 41
======================================================================== IV.4.2. Stack guard-page disabled by default (CVE-2017-1083) ========================================================================
The FreeBSD kernel implements a 4KB stack guard-page, and recent versions of the FreeBSD Installer offer it as a system hardening option. Unfortunately, it is disabled by default (CVE-2017-1083):
% sysctl security.bsd.stack_guard_page security.bsd.stack_guard_page: 0
======================================================================== IV.4.3. Stack guard-page vulnerabilities (CVE-2017-1084) ========================================================================
- If FreeBSD's stack guard-page is enabled, its entire logic is implemented in vm_map_growstack(): this function guarantees a minimum distance of 4KB (the stack guard-page) between the start of the stack and the end of the memory region that is mapped below (but the stack guard-page is not physically mapped into the address-space).
Unfortunately, this guarantee is given only when the stack grows down and clashes with the memory region mapped below, but not if the memory region mapped below grows up and clashes with the stack: this vulnerability effectively eliminates the stack guard-page (CVE-2017-1084). In our proof-of-concept:
. we allocate anonymous mmap()s of 4KB, until the end of an anonymous mmap() reaches the start of the stack [Step 1];
. we call a recursive function until the stack-pointer reaches the start of the stack and moves into the anonymous mmap() directly below [Step 2];
. but we do not jump over the stack guard-page, because each call to the recursive function allocates (and fully writes to) a 1KB stack-based buffer [Step 3];
. and we do not crash into the stack guard-page, because CVE-2017-1084 has effectively eliminated the stack guard-page in Step 1.
# sysctl security.bsd.stack_guard_page=1
security.bsd.stack_guard_page: 0 -> 1
% ./FreeBSD_CVE-2017-FGPU
char at 0xbfbde000: 41
- vm_map_growstack() implements most of the stack guard-page logic in
the following code:
/*
 * Growing downward.
 */
/* Get the preliminary new entry start value */
addr = stack_entry->start - grow_amount;

/*
 * If this puts us into the previous entry, cut back our
 * growth to the available space. Also, see the note above.
 */
/*
 * NOTE(review): the advisory text that follows this excerpt states that
 * this test should be "addr <= end". When addr == end the branch is not
 * taken, so the PAGE_SIZE adjustment below never runs and no guard-page
 * gap is left between the stack and the mapping below it (CVE-2017-1084).
 */
if (addr < end) {
	stack_entry->avail_ssize = max_grow;
	addr = end;
	/* Only when the guard page is enabled: keep one page of distance. */
	if (stack_guard_page)
		addr += PAGE_SIZE;
}
where:
. addr is the new start of the stack;
. stack_entry->start is the old start of the stack;
. grow_amount is the size of the stack expansion;
. end is the end of the memory region below the stack.
Unfortunately, the "addr < end" test should be "addr <= end": if addr, the new start of the stack, is equal to end, the end of the memory region mapped below, then the stack guard-page is eliminated (CVE-2017-1084). In our proof-of-concept:
. we allocate anonymous mmap()s of 4KB, until the end of an anonymous mmap() reaches a randomly chosen distance below the start of the stack [Step 1];
. we call a recursive function until the stack-pointer reaches the start of the stack, and the stack expansion reaches the end of the anonymous mmap() below [Step 2];
. we do not jump over the stack guard-page, because each call to the recursive function allocates (and fully writes to) a 1KB stack-based buffer [Step 3];
. and we crash into the stack guard-page most of the time;
. but we survive with a probability of 4KB/128KB=1/32 (grow_amount is always a multiple of SGROWSIZ, 128KB) because CVE-2017-1084 has effectively eliminated the stack guard-page in Step 2.
% sysctl security.bsd.stack_guard_page security.bsd.stack_guard_page: 1
% sh -c 'while true; do ./FreeBSD_CVE-2017-FGPE; done' Segmentation fault char at 0xbe45e000: 41; final dist 6097 (24778705) Segmentation fault Segmentation fault Segmentation fault ... Segmentation fault Segmentation fault Segmentation fault char at 0xbd25e000: 41; final dist 7036 (43654012) Segmentation fault Segmentation fault Segmentation fault ... Segmentation fault Segmentation fault Segmentation fault char at 0xbd29e000: 41; final dist 5331 (43390163) Segmentation fault Segmentation fault Segmentation fault ...
In contrast, if FreeBSD's stack guard-page is disabled, our proof-of-concept always survives:
# sysctl security.bsd.stack_guard_page=0
security.bsd.stack_guard_page: 1 -> 0
% sh -c 'while true; do ./FreeBSD_CVE-2017-FGPE; done' char at 0xbe969000: 41; final dist 89894 (19488550) char at 0xbfa6d000: 41; final dist 74525 (1647389) char at 0xbf4df000: 41; final dist 78 (7471182) char at 0xbe9e4000: 41; final dist 112397 (18986765) char at 0xbf693000: 41; final dist 49811 (5685907) char at 0xbf533000: 41; final dist 51037 (7128925) char at 0xbd799000: 41; final dist 26043 (38167995) char at 0xbd54b000: 11; final dist 83754 (40585002) char at 0xbe176000: 41; final dist 36992 (27824256) char at 0xbfa91000: 41; final dist 57449 (1499241) char at 0xbd1b9000: 41; final dist 26115 (44328451) char at 0xbd1c8000: 41; final dist 94852 (44266116) char at 0xbf73a000: 41; final dist 22276 (5003012) char at 0xbe6b1000: 41; final dist 58854 (22341094) char at 0xbeb81000: 41; final dist 124727 (17295159) char at 0xbfb35000: 41; final dist 43174 (829606) ...
- FreeBSD's thread library (libthr) mmap()s a secondary PROT_NONE stack guard-page at a distance RLIMIT_STACK below the end of the stack:
# sysctl security.bsd.stack_guard_page=1
security.bsd.stack_guard_page: 0 -> 1
% sh -c 'exec procstat -v $$' PID START END PRT RES PRES REF SHD FLAG TP PATH 2779 0x8048000 0x8050000 r-x 8 8 1 0 CN-- vn /usr/bin/procstat ... 2779 0x28400000 0x28800000 rw- 22 35 2 0 ---- df 2779 0xbfbdf000 0xbfbff000 rwx 3 3 1 0 ---D df 2779 0xbfbff000 0xbfc00000 r-x 1 1 23 0 ---- ph
% sh -c 'LD_PRELOAD=libthr.so exec procstat -v $$' PID START END PRT RES PRES REF SHD FLAG TP PATH 2798 0x8048000 0x8050000 r-x 8 8 1 0 CN-- vn /usr/bin/procstat ... 2798 0x28400000 0x28800000 rw- 23 35 2 0 ---- df 2798 0xbbbfe000 0xbbbff000 --- 0 0 0 0 ---- -- 2798 0xbfbdf000 0xbfbff000 rwx 3 3 1 0 ---D df 2798 0xbfbff000 0xbfc00000 r-x 1 1 23 0 ---- ph
Unfortunately, this secondary stack guard-page does not mitigate the vulnerabilities that we discovered in FreeBSD's stack guard-page implementation:
% sysctl security.bsd.stack_guard_page security.bsd.stack_guard_page: 1
% sh -c 'LD_PRELOAD=libthr.so ./FreeBSD_CVE-2017-FGPU' char at 0xbfbde000: 41
% sh -c 'while true; do LD_PRELOAD=libthr.so ./FreeBSD_CVE-2017-FGPE; done' Segmentation fault Segmentation fault Segmentation fault ... Segmentation fault Segmentation fault Segmentation fault char at 0xbda5e000: 41; final dist 3839 (35262207) Segmentation fault Segmentation fault Segmentation fault ... Segmentation fault Segmentation fault Segmentation fault char at 0xbdb1e000: 41; final dist 3549 (34475485) Segmentation fault Segmentation fault Segmentation fault ...
======================================================================== IV.4.4. Remote exploitation ========================================================================
Because FreeBSD's stack guard-page is disabled by default, we tried (and failed) to remotely exploit a test service vulnerable to:
- an unlimited memory leak that allows us to malloc()ate gigabytes of memory;
- a limited recursion that allows us to allocate up to 1MB of stack memory.
FreeBSD's malloc() implementation (jemalloc) mmap()s 4MB chunks of anonymous memory that are aligned on multiples of 4MB. The first 4MB mmap() chunk starts at 0x28400000, and the last 4MB mmap() chunk ends at 0xbf800000, because the stack itself already ends at 0xbfc00000; but it is impossible to cover this final mmap-stack distance (almost 4MB) with the limited recursion (1MB) of our test service. break(0x80499b0) = 0 (0x0) break(0x8400000) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 672845824 (0x281ad000) mmap(0x285ad000,2437120,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 677040128 (0x285ad000) munmap(0x281ad000,2437120) = 0 (0x0) mmap(0x0,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 679477248 (0x28800000) munmap(0x28c00000,4194304) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 683671552 (0x28c00000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 687865856 (0x29000000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 692060160 (0x29400000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 696254464 (0x29800000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 700448768 (0x29c00000) ... 
mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1103101952 (0xbe400000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1098907648 (0xbe800000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1094713344 (0xbec00000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1090519040 (0xbf000000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1086324736 (0xbf400000) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x8800000) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x8c00000) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x9000000) = 0 (0x0) ... mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x27c00000) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x28000000) = 0 (0x0) mmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 'Cannot allocate memory' break(0x28400000) ERR#12 'Cannot allocate memory'
======================================================================== IV.5. Solaris >= 11.1 ========================================================================
======================================================================== IV.5.1. Minimal RLIMIT_STACK vulnerability (CVE-2017-3630) ========================================================================
On Solaris, ASLR can be enabled or disabled for each ELF binary with the SUNW_ASLR dynamic section entry (man elfedit):
$ elfdump /usr/bin/rsh | egrep 'ASLR|NX' [39] SUNW_ASLR 0x2 ENABLE [40] SUNW_NXHEAP 0x2 ENABLE [41] SUNW_NXSTACK 0x2 ENABLE
Without ASLR
If ASLR is disabled:
- a stack region of size RLIMIT_STACK is reserved in the address-space;
- a 4KB stack guard-page is mapped directly below this stack region;
- the runtime linker ld.so is mapped directly below this stack guard-page.
$ cp /usr/bin/sleep . $ chmod u+w ./sleep $ elfedit -e 'dyn:sunw_aslr disable' ./sleep
$ sh -c 'ulimit -S -s; ./sleep 3 & pmap -r ${!}' 8192 7176: ./sleep 3 ... FE7B1000 228K r-x---- /lib/ld.so.1 FE7FA000 8K rwx---- /lib/ld.so.1 FE7FC000 8K rwx---- /lib/ld.so.1 FE7FF000 8192K rw----- [ stack ] total 17148K
$ sh -c 'ulimit -S -s 64; ./sleep 3 & pmap -r ${!}' 7244: ./sleep 3 ... FEFA1000 228K r-x---- /lib/ld.so.1 FEFEA000 8K rwx---- /lib/ld.so.1 FEFEC000 8K rwx---- /lib/ld.so.1 FEFEF000 64K rw----- [ stack ] total 9020K
On the one hand, a local attacker can exploit this simplified stack-clash:
- Step 1 (Clash) is not needed, because ld.so is naturally mapped directly below the stack (the distance between the end of ld.so's read-write segment and the start of the stack is 4KB, the stack guard-page);
- Step 2 (Run) is not needed, because a local attacker can set RLIMIT_STACK to just a few kilobytes, reserve a very small stack region, and hence shorten the distance between the stack-pointer and the start of the stack (and the end of ld.so's read-write segment);
- Step 3 (Jump) can be completed with a large stack-based buffer that is not fully written to;
- Step 4b (Smash) can be completed by overwriting the function pointers in ld.so's read-write segment with the contents of a stack-based buffer.
Such a simplified stack-clash exploit was first mentioned in Gael Delalleau's 2005 presentation (slide 30).
On the other hand, a remote attacker cannot modify RLIMIT_STACK and must complete Step 2 (Run) with a recursive function that consumes the 8MB (the default RLIMIT_STACK) between the stack-pointer and the start of the stack.
With ASLR
If ASLR is enabled:
- a stack region of size RLIMIT_STACK is reserved in the address-space;
- a 4KB stack guard-page is mapped directly below this stack region;
- the runtime linker ld.so is mapped below this stack guard-page, but at a random distance (within a [4KB,128MB] range) -- effectively a large, secondary stack guard-page.
On the one hand, a local attacker can run the simplified "Without ASLR" stack-clash exploit until the ld.so-stack distance is minimal -- with a probability of 4KB/128MB=1/32K, the distance between the end of ld.so's read-write segment and the start of the stack is exactly 8KB: the stack guard-page plus the minimum distance between the stack guard-page and ld.so (CVE-2017-3629).
On the other hand, a remote attacker must complete Step 2 (Run) with a recursive function, and:
- has a good chance of exploiting this stack-clash after 32K connections (when the ld.so-stack distance is minimal) if the remote service re-execve()s (re-randomizes the ld.so-stack distance for each new connection);
- cannot exploit this stack-clash if the remote service does not re-execve() (does not re-randomize the ld.so-stack distance for each new connection) unless the attacker is able to restart the service, reboot the server, or target a 32K-server farm.
======================================================================== IV.5.2. /usr/bin/rsh exploit ========================================================================
/usr/bin/rsh is SUID-root and its main() function allocates a 50KB stack-based buffer that is not written to and can be used to jump over the stack guard-page, into ld.so's read-write segment, in Step 3 of our simplified stack-clash exploit.
Next, we discovered a general method for gaining eip control in Step 4b: setlocale(LC_ALL, ""), called by the main() function of /usr/bin/rsh and other SUID binaries, copies the LC_ALL environment variable to several stack-based buffers and thus smashes ld.so's read-write segment and overwrites some of ld.so's function pointers.
Last, we execute our own shell-code: we return-into-binary (/usr/bin/rsh is not a PIE), to an instruction that reliably jumps into a copy of our LC_ALL environment variable in ld.so's read-write segment, which is in fact read-write-executable. For example, after we gain control of eip:
- on Solaris 11.1, we return to a "pop; pop; ret" instruction, because a pointer to our shell-code is stored at an 8-byte offset from esp;
- on Solaris 11.3, we return to a "call *0xc(%ebp)" instruction, because a pointer to our shell-code is stored at a 12-byte offset from ebp.
Our Solaris exploit brute-forces the random ld.so-stack distance and two parameters:
- the RLIMIT_STACK;
- the length of the LC_ALL environment variable.
======================================================================== IV.5.3. Forced-Privilege vulnerability (CVE-2017-3631) ========================================================================
/usr/bin/rsh is SUID-root, but the shell that we obtained in Step 4b of our stack-clash exploit did not grant us full root privileges, only net_privaddr, the privilege to bind to a privileged port number. Disappointed by this result, we investigated and found:
$ ggrep -r /usr/bin/rsh /etc 2>/dev/null /etc/security/exec_attr.d/core-os:Forced Privilege:solaris:cmd:RO::/usr/bin/rsh:privs=net_privaddr
$ /usr/bin/rsh -h /usr/bin/rsh: illegal option -- h usage: rsh [ -PN / -PO ] [ -l login ] [ -n ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host command rsh [ -PN / -PO ] [ -l login ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host
cat truss.out
... 7319: execve("/usr/bin/rsh", 0xA9479C548, 0xA94792808) argc = 2 7319: *** FPRIV: P/E: net_privaddr *** ...
Unfortunately, this Forced-Privilege protection is based on the pathname of SUID-root binaries, which can be execve()d through hard-links, under different pathnames (CVE-2017-3631). For example, we discovered that readable SUID-root binaries can be execve()d through hard-links in /proc:
$ sleep 3 < /usr/bin/rsh & /proc/${!}/fd/0 -h [1] 7333 /proc/7333/fd/0: illegal option -- h usage: rsh [ -PN / -PO ] [ -l login ] [ -n ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host command rsh [ -PN / -PO ] [ -l login ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host
cat truss.out
... 7335: execve("/proc/7333/fd/0", 0xA947CA508, 0xA94792808) argc = 2 7335: *** SUID: ruid/euid/suid = 100 / 0 / 0 *** ...
This vulnerability allows us to bypass the Forced-Privilege protection and obtain full root privileges with our /usr/bin/rsh exploit.
======================================================================== V. Acknowledgments ========================================================================
We thank the members of the distros list, Oracle/Solaris, Exim, Sudo, security@kernel.org, grsecurity/PaX, and OpenBSD.
==========================================================================
Ubuntu Security Notice USN-3323-2
June 29, 2017
eglibc vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
The GNU C Library could be made to run programs as an administrator. This update provides the corresponding update for Ubuntu 12.04 ESM.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 ESM: libc6 2.15-0ubuntu10.20
After a standard system update you need to reboot your computer to make all the necessary changes.
Description:
Red Hat 3scale API Management Platform 2.0 is a platform for the management of access and traffic for web-based APIs across a variety of deployment options.
Security Fix(es):
- It was found that RH-3scale AMP would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. (CVE-2017-7512)
The underlying container image was also rebuilt to resolve other security issues.
Solution:
To apply this security fix, use the updated docker images.
Bugs fixed (https://bugzilla.redhat.com/):
1457997 - CVE-2017-7512 3scale AMP: validation bypass in oauth
5
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "linux enterprise software development kit",
"scope": "eq",
"trust": 1.6,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 1.3,
"vendor": "redhat",
"version": "5"
},
{
"_id": null,
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.6"
},
{
"_id": null,
"model": "linux enterprise for sap",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"_id": null,
"model": "web gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "7.7.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "lte",
"trust": 1.0,
"vendor": "gnu",
"version": "2.25"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.5"
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "suse linux enterprise point of sale",
"scope": "eq",
"trust": 1.0,
"vendor": "novell",
"version": "11.0"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.5"
},
{
"_id": null,
"model": "suse linux enterprise desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "novell",
"version": "12.0"
},
{
"_id": null,
"model": "linux enterprise server for raspberry pi",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "linux enterprise software development kit",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12.0"
},
{
"_id": null,
"model": "suse linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "novell",
"version": "11.0"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.6"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.7"
},
{
"_id": null,
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"_id": null,
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "42.2"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.6"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"_id": null,
"model": "enterprise linux server long life",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "5.9"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.5"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"_id": null,
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.2"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.5"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "5.9"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.4"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.2"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"_id": null,
"model": "web gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "mcafee",
"version": "7.6.2.14"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "10"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"_id": null,
"model": "cloud magnum orchestration",
"scope": "eq",
"trust": 1.0,
"vendor": "openstack",
"version": "7"
},
{
"_id": null,
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"_id": null,
"model": "web gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "mcafee",
"version": "7.7.2.2"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "c library",
"scope": "lte",
"trust": 0.8,
"vendor": "gnu",
"version": "2.25"
},
{
"_id": null,
"model": "cloud magnum orchestration",
"scope": null,
"trust": 0.8,
"vendor": "openstack",
"version": null
},
{
"_id": null,
"model": "leap",
"scope": null,
"trust": 0.8,
"vendor": "opensuse",
"version": null
},
{
"_id": null,
"model": "linux enterprise desktop",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "linux enterprise for sap",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "linux enterprise point of sale",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "linux enterprise server",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "linux enterprise server for raspberry pi",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "linux enterprise software development kit",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "openstack cloud",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "enterprise linux",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux aus",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux eus",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux long life",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux server",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux server tus",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"_id": null,
"model": "vm server for",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "x863.4"
},
{
"_id": null,
"model": "vm server for",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "x863.3"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.7"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.7.2.2"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.4"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.3"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.2"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.14"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.1"
},
{
"_id": null,
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.22.90"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.12.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.12.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.10.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.5"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.4"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.3"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.9"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.3-10"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.3"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.6"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.5"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.4"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.3"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.25"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.24"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.23"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.22"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.21"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.20"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.19"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.18"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.17"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.16"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.15"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.14.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.14"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.13"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.12"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11.3"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.10"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.1.3.10"
},
{
"_id": null,
"model": "cfengine",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "1.2.3"
},
{
"_id": null,
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux ia-30",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "web gateway",
"scope": "ne",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.7.2.3"
},
{
"_id": null,
"model": "web gateway",
"scope": "ne",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.6.2.15"
}
],
"sources": [
{
"db": "BID",
"id": "99127"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "NVD",
"id": "CVE-2017-1000366"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:gnu:glibc",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:openstack:cloud_magnum_orchestration",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:opensuse_project:leap",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_desktop",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_for_sap",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:suse_linux_enterprise_point_of_sale",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_server_for_raspberry_pi",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_software_development_kit",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:suse:openstack_cloud",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_aus",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_eus",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_long_life",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_server_eus",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:redhat:enterprise_linux_server_tus",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
}
]
},
"credits": {
"_id": null,
"data": "T. Weber",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
}
],
"trust": 0.6
},
"cve": "CVE-2017-1000366",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2017-1000366",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-100094",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2017-1000366",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-1000366",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-1000366",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201706-808",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-100094",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2017-1000366",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "VULMON",
"id": "CVE-2017-1000366"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "NVD",
"id": "CVE-2017-1000366"
}
]
},
"description": {
"_id": null,
"data": "glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. glibc contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). GNU glibc is prone to a local memory-corruption vulnerability. \nAn attacker could exploit this issue to execute arbitrary code in the context of the application. \nGNU glibc 2.25 and prior versions are vulnerable. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: glibc security update\nAdvisory ID: RHSA-2017:1479-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2017:1479\nIssue date: 2017-06-19\nCVE Names: CVE-2017-1000366 \n=====================================================================\n\n1. Summary:\n\nAn update for glibc is now available for Red Hat Enterprise Linux 5\nExtended Lifecycle Support, Red Hat Enterprise Linux 5.9 Long Life, Red Hat\nEnterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4\nAdvanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update\nSupport, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red\nHat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux\n6.6 Telco Extended Update Support, Red Hat Enterprise Linux 6.7 Extended\nUpdate Support, and Red Hat Enterprise Linux 7.2 Extended Update Support. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. 
A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux ComputeNode EUS (v. 7.2) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional EUS (v. 7.2) - x86_64\nRed Hat Enterprise Linux HPC Node EUS (v. 6.7) - x86_64\nRed Hat Enterprise Linux HPC Node Optional EUS (v. 6.7) - x86_64\nRed Hat Enterprise Linux Long Life (v. 5.9 server) - i386, ia64, x86_64\nRed Hat Enterprise Linux Server (v. 5 ELS) - i386, s390x, x86_64\nRed Hat Enterprise Linux Server AUS (v. 6.2) - x86_64\nRed Hat Enterprise Linux Server AUS (v. 6.4) - x86_64\nRed Hat Enterprise Linux Server AUS (v. 6.5) - x86_64\nRed Hat Enterprise Linux Server AUS (v. 6.6) - x86_64\nRed Hat Enterprise Linux Server EUS (v. 6.7) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server EUS (v. 7.2) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 6.2) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 6.4) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 6.5) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 6.6) - x86_64\nRed Hat Enterprise Linux Server Optional EUS (v. 6.7) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional EUS (v. 7.2) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional TUS (v. 6.5) - x86_64\nRed Hat Enterprise Linux Server Optional TUS (v. 6.6) - x86_64\nRed Hat Enterprise Linux Server TUS (v. 6.5) - x86_64\nRed Hat Enterprise Linux Server TUS (v. 6.6) - x86_64\n\n3. Description:\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the name\nservice cache daemon (nscd) used by multiple programs on the system. \nWithout these libraries, the Linux system cannot function correctly. 
This is glibc-side mitigation which blocks\nprocessing of LD_LIBRARY_PATH for programs running in secure-execution mode\nand reduces the number of allocations performed by the processing of\nLD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of\nthis issue more difficult. (CVE-2017-1000366)\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the glibc library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1452543 - CVE-2017-1000366 glibc: heap/stack gap jumping via unbounded stack allocations\n\n6. Package List:\n\nRed Hat Enterprise Linux Long Life (v. 5.9 server):\n\nSource:\nglibc-2.5-107.el5_9.9.src.rpm\n\ni386:\nglibc-2.5-107.el5_9.9.i386.rpm\nglibc-2.5-107.el5_9.9.i686.rpm\nglibc-common-2.5-107.el5_9.9.i386.rpm\nglibc-debuginfo-2.5-107.el5_9.9.i386.rpm\nglibc-debuginfo-2.5-107.el5_9.9.i686.rpm\nglibc-debuginfo-common-2.5-107.el5_9.9.i386.rpm\nglibc-devel-2.5-107.el5_9.9.i386.rpm\nglibc-headers-2.5-107.el5_9.9.i386.rpm\nglibc-utils-2.5-107.el5_9.9.i386.rpm\nnscd-2.5-107.el5_9.9.i386.rpm\n\nia64:\nglibc-2.5-107.el5_9.9.i686.rpm\nglibc-2.5-107.el5_9.9.ia64.rpm\nglibc-common-2.5-107.el5_9.9.ia64.rpm\nglibc-debuginfo-2.5-107.el5_9.9.i686.rpm\nglibc-debuginfo-2.5-107.el5_9.9.ia64.rpm\nglibc-debuginfo-common-2.5-107.el5_9.9.i386.rpm\nglibc-devel-2.5-107.el5_9.9.ia64.rpm\nglibc-headers-2.5-107.el5_9.9.ia64.rpm\nglibc-utils-2.5-107.el5_9.9.ia64.rpm\nnscd-2.5-107.el5_9.9.ia64.rpm\n\nx86_64:\nglibc-2.5-107.el5_9.9.i686.rpm\nglibc-2.5-107.el5_9.9.x86_64.rpm\nglibc-common-2.5-107.el5_9.9.x86_64.rpm\nglibc-debuginfo-2.5-107.el5_9.9.i386.rpm\nglibc-debuginfo-2.5-107.el5_9.9.i686.rpm\nglibc-debuginfo-2.5-107.el5_9.9.x86_64.rpm\nglibc-debuginfo-common-2.5-10
7.el5_9.9.i386.rpm\nglibc-devel-2.5-107.el5_9.9.i386.rpm\nglibc-devel-2.5-107.el5_9.9.x86_64.rpm\nglibc-headers-2.5-107.el5_9.9.x86_64.rpm\nglibc-utils-2.5-107.el5_9.9.x86_64.rpm\nnscd-2.5-107.el5_9.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 5 ELS):\n\nSource:\nglibc-2.5-123.el5_11.4.src.rpm\n\ni386:\nglibc-2.5-123.el5_11.4.i386.rpm\nglibc-2.5-123.el5_11.4.i686.rpm\nglibc-common-2.5-123.el5_11.4.i386.rpm\nglibc-debuginfo-2.5-123.el5_11.4.i386.rpm\nglibc-debuginfo-2.5-123.el5_11.4.i686.rpm\nglibc-debuginfo-common-2.5-123.el5_11.4.i386.rpm\nglibc-devel-2.5-123.el5_11.4.i386.rpm\nglibc-headers-2.5-123.el5_11.4.i386.rpm\nglibc-utils-2.5-123.el5_11.4.i386.rpm\nnscd-2.5-123.el5_11.4.i386.rpm\n\ns390x:\nglibc-2.5-123.el5_11.4.s390.rpm\nglibc-2.5-123.el5_11.4.s390x.rpm\nglibc-common-2.5-123.el5_11.4.s390x.rpm\nglibc-debuginfo-2.5-123.el5_11.4.s390.rpm\nglibc-debuginfo-2.5-123.el5_11.4.s390x.rpm\nglibc-devel-2.5-123.el5_11.4.s390.rpm\nglibc-devel-2.5-123.el5_11.4.s390x.rpm\nglibc-headers-2.5-123.el5_11.4.s390x.rpm\nglibc-utils-2.5-123.el5_11.4.s390x.rpm\nnscd-2.5-123.el5_11.4.s390x.rpm\n\nx86_64:\nglibc-2.5-123.el5_11.4.i686.rpm\nglibc-2.5-123.el5_11.4.x86_64.rpm\nglibc-common-2.5-123.el5_11.4.x86_64.rpm\nglibc-debuginfo-2.5-123.el5_11.4.i386.rpm\nglibc-debuginfo-2.5-123.el5_11.4.i686.rpm\nglibc-debuginfo-2.5-123.el5_11.4.x86_64.rpm\nglibc-debuginfo-common-2.5-123.el5_11.4.i386.rpm\nglibc-devel-2.5-123.el5_11.4.i386.rpm\nglibc-devel-2.5-123.el5_11.4.x86_64.rpm\nglibc-headers-2.5-123.el5_11.4.x86_64.rpm\nglibc-utils-2.5-123.el5_11.4.x86_64.rpm\nnscd-2.5-123.el5_11.4.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node EUS (v. 
6.7):\n\nSource:\nglibc-2.12-1.166.el6_7.8.src.rpm\n\nx86_64:\nglibc-2.12-1.166.el6_7.8.i686.rpm\nglibc-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-devel-2.12-1.166.el6_7.8.i686.rpm\nglibc-devel-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-headers-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-utils-2.12-1.166.el6_7.8.x86_64.rpm\nnscd-2.12-1.166.el6_7.8.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional EUS (v. 6.7):\n\nx86_64:\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-static-2.12-1.166.el6_7.8.i686.rpm\nglibc-static-2.12-1.166.el6_7.8.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 6.2):\n\nSource:\nglibc-2.12-1.47.el6_2.18.src.rpm\n\nx86_64:\nglibc-2.12-1.47.el6_2.18.i686.rpm\nglibc-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-common-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-debuginfo-2.12-1.47.el6_2.18.i686.rpm\nglibc-debuginfo-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-debuginfo-common-2.12-1.47.el6_2.18.i686.rpm\nglibc-debuginfo-common-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-devel-2.12-1.47.el6_2.18.i686.rpm\nglibc-devel-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-headers-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-utils-2.12-1.47.el6_2.18.x86_64.rpm\nnscd-2.12-1.47.el6_2.18.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 
6.4):\n\nSource:\nglibc-2.12-1.107.el6_4.10.src.rpm\n\nx86_64:\nglibc-2.12-1.107.el6_4.10.i686.rpm\nglibc-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-common-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-debuginfo-2.12-1.107.el6_4.10.i686.rpm\nglibc-debuginfo-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-debuginfo-common-2.12-1.107.el6_4.10.i686.rpm\nglibc-debuginfo-common-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-devel-2.12-1.107.el6_4.10.i686.rpm\nglibc-devel-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-headers-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-utils-2.12-1.107.el6_4.10.x86_64.rpm\nnscd-2.12-1.107.el6_4.10.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 6.5):\n\nSource:\nglibc-2.12-1.132.el6_5.9.src.rpm\n\nx86_64:\nglibc-2.12-1.132.el6_5.9.i686.rpm\nglibc-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-devel-2.12-1.132.el6_5.9.i686.rpm\nglibc-devel-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-headers-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-utils-2.12-1.132.el6_5.9.x86_64.rpm\nnscd-2.12-1.132.el6_5.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server TUS (v. 6.5):\n\nSource:\nglibc-2.12-1.132.el6_5.9.src.rpm\n\nx86_64:\nglibc-2.12-1.132.el6_5.9.i686.rpm\nglibc-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-devel-2.12-1.132.el6_5.9.i686.rpm\nglibc-devel-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-headers-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-utils-2.12-1.132.el6_5.9.x86_64.rpm\nnscd-2.12-1.132.el6_5.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 
6.6):\n\nSource:\nglibc-2.12-1.149.el6_6.12.src.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.12.i686.rpm\nglibc-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.12.i686.rpm\nglibc-devel-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.12.x86_64.rpm\nnscd-2.12-1.149.el6_6.12.x86_64.rpm\n\nRed Hat Enterprise Linux Server TUS (v. 6.6):\n\nSource:\nglibc-2.12-1.149.el6_6.12.src.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.12.i686.rpm\nglibc-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.12.i686.rpm\nglibc-devel-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.12.x86_64.rpm\nnscd-2.12-1.149.el6_6.12.x86_64.rpm\n\nRed Hat Enterprise Linux Server EUS (v. 
6.7):\n\nSource:\nglibc-2.12-1.166.el6_7.8.src.rpm\n\ni386:\nglibc-2.12-1.166.el6_7.8.i686.rpm\nglibc-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-devel-2.12-1.166.el6_7.8.i686.rpm\nglibc-headers-2.12-1.166.el6_7.8.i686.rpm\nglibc-utils-2.12-1.166.el6_7.8.i686.rpm\nnscd-2.12-1.166.el6_7.8.i686.rpm\n\nppc64:\nglibc-2.12-1.166.el6_7.8.ppc.rpm\nglibc-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-common-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.ppc.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.ppc.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-devel-2.12-1.166.el6_7.8.ppc.rpm\nglibc-devel-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-headers-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-utils-2.12-1.166.el6_7.8.ppc64.rpm\nnscd-2.12-1.166.el6_7.8.ppc64.rpm\n\ns390x:\nglibc-2.12-1.166.el6_7.8.s390.rpm\nglibc-2.12-1.166.el6_7.8.s390x.rpm\nglibc-common-2.12-1.166.el6_7.8.s390x.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.s390.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.s390x.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.s390.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.s390x.rpm\nglibc-devel-2.12-1.166.el6_7.8.s390.rpm\nglibc-devel-2.12-1.166.el6_7.8.s390x.rpm\nglibc-headers-2.12-1.166.el6_7.8.s390x.rpm\nglibc-utils-2.12-1.166.el6_7.8.s390x.rpm\nnscd-2.12-1.166.el6_7.8.s390x.rpm\n\nx86_64:\nglibc-2.12-1.166.el6_7.8.i686.rpm\nglibc-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-devel-2.12-1.166.el6_7.8.i686.rpm\nglibc-devel-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-headers-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-utils-2.12-1.166.el6_7.8.x86_64.rpm\nnscd-2.12-1.166.el6_7.8.x86_64.rpm\n\nRed Hat Enterprise Linux 
Server Optional AUS (v. 6.2):\n\nSource:\nglibc-2.12-1.47.el6_2.18.src.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.47.el6_2.18.i686.rpm\nglibc-debuginfo-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-debuginfo-common-2.12-1.47.el6_2.18.i686.rpm\nglibc-debuginfo-common-2.12-1.47.el6_2.18.x86_64.rpm\nglibc-static-2.12-1.47.el6_2.18.i686.rpm\nglibc-static-2.12-1.47.el6_2.18.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 6.4):\n\nSource:\nglibc-2.12-1.107.el6_4.10.src.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.107.el6_4.10.i686.rpm\nglibc-debuginfo-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-debuginfo-common-2.12-1.107.el6_4.10.i686.rpm\nglibc-debuginfo-common-2.12-1.107.el6_4.10.x86_64.rpm\nglibc-static-2.12-1.107.el6_4.10.i686.rpm\nglibc-static-2.12-1.107.el6_4.10.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 6.5):\n\nSource:\nglibc-2.12-1.132.el6_5.9.src.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-static-2.12-1.132.el6_5.9.i686.rpm\nglibc-static-2.12-1.132.el6_5.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional TUS (v. 6.5):\n\nSource:\nglibc-2.12-1.132.el6_5.9.src.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.i686.rpm\nglibc-debuginfo-common-2.12-1.132.el6_5.9.x86_64.rpm\nglibc-static-2.12-1.132.el6_5.9.i686.rpm\nglibc-static-2.12-1.132.el6_5.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 6.6):\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.12.i686.rpm\nglibc-static-2.12-1.149.el6_6.12.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional TUS (v. 
6.6):\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.12.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.12.i686.rpm\nglibc-static-2.12-1.149.el6_6.12.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional EUS (v. 6.7):\n\ni386:\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-static-2.12-1.166.el6_7.8.i686.rpm\n\nppc64:\nglibc-debuginfo-2.12-1.166.el6_7.8.ppc.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.ppc.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.ppc64.rpm\nglibc-static-2.12-1.166.el6_7.8.ppc.rpm\nglibc-static-2.12-1.166.el6_7.8.ppc64.rpm\n\ns390x:\nglibc-debuginfo-2.12-1.166.el6_7.8.s390.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.s390x.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.s390.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.s390x.rpm\nglibc-static-2.12-1.166.el6_7.8.s390.rpm\nglibc-static-2.12-1.166.el6_7.8.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.i686.rpm\nglibc-debuginfo-common-2.12-1.166.el6_7.8.x86_64.rpm\nglibc-static-2.12-1.166.el6_7.8.i686.rpm\nglibc-static-2.12-1.166.el6_7.8.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode EUS (v. 
7.2):\n\nSource:\nglibc-2.17-106.el7_2.9.src.rpm\n\nx86_64:\nglibc-2.17-106.el7_2.9.i686.rpm\nglibc-2.17-106.el7_2.9.x86_64.rpm\nglibc-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-devel-2.17-106.el7_2.9.i686.rpm\nglibc-devel-2.17-106.el7_2.9.x86_64.rpm\nglibc-headers-2.17-106.el7_2.9.x86_64.rpm\nglibc-utils-2.17-106.el7_2.9.x86_64.rpm\nnscd-2.17-106.el7_2.9.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional EUS (v. 7.2):\n\nx86_64:\nglibc-debuginfo-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-static-2.17-106.el7_2.9.i686.rpm\nglibc-static-2.17-106.el7_2.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server EUS (v. 7.2):\n\nSource:\nglibc-2.17-106.el7_2.9.src.rpm\n\nppc64:\nglibc-2.17-106.el7_2.9.ppc.rpm\nglibc-2.17-106.el7_2.9.ppc64.rpm\nglibc-common-2.17-106.el7_2.9.ppc64.rpm\nglibc-debuginfo-2.17-106.el7_2.9.ppc.rpm\nglibc-debuginfo-2.17-106.el7_2.9.ppc64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc64.rpm\nglibc-devel-2.17-106.el7_2.9.ppc.rpm\nglibc-devel-2.17-106.el7_2.9.ppc64.rpm\nglibc-headers-2.17-106.el7_2.9.ppc64.rpm\nglibc-utils-2.17-106.el7_2.9.ppc64.rpm\nnscd-2.17-106.el7_2.9.ppc64.rpm\n\nppc64le:\nglibc-2.17-106.el7_2.9.ppc64le.rpm\nglibc-common-2.17-106.el7_2.9.ppc64le.rpm\nglibc-debuginfo-2.17-106.el7_2.9.ppc64le.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc64le.rpm\nglibc-devel-2.17-106.el7_2.9.ppc64le.rpm\nglibc-headers-2.17-106.el7_2.9.ppc64le.rpm\nglibc-utils-2.17-106.el7_2.9.ppc64le.rpm\nnscd-2.17-106.el7_2.9.ppc64le.rpm\n\ns390x:\nglibc-2.17-106.el7_2.9.s390.rpm\nglibc-2.17-106.el7_2.9.s390x.rpm\nglibc-common-2.17-106.el7_2.9.s390x.rpm\nglibc-debuginfo-2.17-106.el7_2.9.s39
0.rpm\nglibc-debuginfo-2.17-106.el7_2.9.s390x.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.s390.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.s390x.rpm\nglibc-devel-2.17-106.el7_2.9.s390.rpm\nglibc-devel-2.17-106.el7_2.9.s390x.rpm\nglibc-headers-2.17-106.el7_2.9.s390x.rpm\nglibc-utils-2.17-106.el7_2.9.s390x.rpm\nnscd-2.17-106.el7_2.9.s390x.rpm\n\nx86_64:\nglibc-2.17-106.el7_2.9.i686.rpm\nglibc-2.17-106.el7_2.9.x86_64.rpm\nglibc-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-devel-2.17-106.el7_2.9.i686.rpm\nglibc-devel-2.17-106.el7_2.9.x86_64.rpm\nglibc-headers-2.17-106.el7_2.9.x86_64.rpm\nglibc-utils-2.17-106.el7_2.9.x86_64.rpm\nnscd-2.17-106.el7_2.9.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional EUS (v. 7.2):\n\nppc64:\nglibc-debuginfo-2.17-106.el7_2.9.ppc.rpm\nglibc-debuginfo-2.17-106.el7_2.9.ppc64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc64.rpm\nglibc-static-2.17-106.el7_2.9.ppc.rpm\nglibc-static-2.17-106.el7_2.9.ppc64.rpm\n\nppc64le:\nglibc-debuginfo-2.17-106.el7_2.9.ppc64le.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.ppc64le.rpm\nglibc-static-2.17-106.el7_2.9.ppc64le.rpm\n\ns390x:\nglibc-debuginfo-2.17-106.el7_2.9.s390.rpm\nglibc-debuginfo-2.17-106.el7_2.9.s390x.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.s390.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.s390x.rpm\nglibc-static-2.17-106.el7_2.9.s390.rpm\nglibc-static-2.17-106.el7_2.9.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-2.17-106.el7_2.9.x86_64.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.i686.rpm\nglibc-debuginfo-common-2.17-106.el7_2.9.x86_64.rpm\nglibc-static-2.17-106.el7_2.9.i686.rpm\nglibc-static-2.17-106.el7_2.9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. 
Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2017-1000366\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/security/vulnerabilities/stackguard\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFZSDV3XlSAg2UNWIIRAibeAKC2QtxViqngTTBVM9fvG1XjRCkgwACgrHP1\nPVr1sUH9RUhxrQOKQqWtnKY=\n=ywUB\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. For the full details, please refer to their advisory\npublished at:\nhttps://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 2.19-18+deb8u10. \n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.24-11+deb9u1. \n\nFor the unstable distribution (sid), this problem will be fixed soon. \n\nWe recommend that you upgrade your glibc packages. \n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201706-19\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: GNU C Library: Multiple vulnerabilities\n Date: June 20, 2017\n Bugs: #608698, #608706, #622220\n ID: 201706-19\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in the GNU C Library, the\nworst of which may allow execution of arbitrary code. 
\n\nBackground\n==========\n\nThe GNU C library is the standard C library used by Gentoo Linux\nsystems. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll GNU C Library users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=sys-libs/glibc-2.23-r4\"\n\nReferences\n==========\n\n[ 1 ] CVE-2015-5180\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5180\n[ 2 ] CVE-2016-6323\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6323\n[ 3 ] CVE-2017-1000366\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000366\n[ 4 ] Qualys Security Advisory - The Stack Clash\n https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201706-19\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2017 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n\n\n--cxbO5eT2swQBqr8k9tc6wcfapgLAJb4xR--\n\n. \nQualys Security Advisory\n\nThe Stack Clash\n\n\n========================================================================\nContents\n========================================================================\n\nI. Introduction\nII. Problem\n II.1. Automatic stack expansion\n II.2. Stack guard-page\n II.3. Stack-clash exploitation\nIII. Solutions\nIV. Results\n IV.1. Linux\n IV.2. OpenBSD\n IV.3. NetBSD\n IV.4. FreeBSD\n IV.5. Solaris\nV. 
Acknowledgments\n\n\n========================================================================\nI. Introduction\n========================================================================\n\nOur research started with a 96-megabyte surprise:\n\nb97bb000-b97dc000 rw-p 00000000 00:00 0 [heap]\nbf7c6000-bf806000 rw-p 00000000 00:00 0 [stack]\n\nand a 12-year-old question: \"If the heap grows up, and the stack grows\ndown, what happens when they clash? Is it exploitable? How?\"\n\n- In 2005, Gael Delalleau presented \"Large memory management\n vulnerabilities\" and the first stack-clash exploit in user-space\n (against mod_php 4.3.0 on Apache 2.0.53):\n\n http://cansecwest.com/core05/memory_vulns_delalleau.pdf\n\n- In 2010, Rafal Wojtczuk published \"Exploiting large memory management\n vulnerabilities in Xorg server running on Linux\", the second\n stack-clash exploit in user-space (CVE-2010-2240):\n\n http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf\n\n- Since 2010, security researchers have exploited several stack-clashes\n in the kernel-space; for example:\n\n https://jon.oberheide.org/blog/2010/11/29/exploiting-stack-overflows-in-the-linux-kernel/\n https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf\n https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html\n\nIn user-space, however, this problem has been greatly underestimated;\nthe only public exploits are Gael Delalleau\u0027s and Rafal Wojtczuk\u0027s, and\nthey were written before Linux introduced a protection against\nstack-clashes (a \"guard-page\" mapped below the stack):\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2240\n\nIn this advisory, we show that stack-clashes are widespread in\nuser-space, and exploitable despite the stack guard-page; we discovered\nmultiple vulnerabilities in guard-page implementations, and devised\ngeneral methods for:\n\n- \"Clashing\" the stack with another memory region: we allocate 
memory\n until the stack reaches another memory region, or until another memory\n region reaches the stack;\n\n- \"Jumping\" over the stack guard-page: we move the stack-pointer from\n the stack and into the other memory region, without accessing the\n stack guard-page;\n\n- \"Smashing\" the stack, or the other memory region: we overwrite the\n stack with the other memory region, or the other memory region with\n the stack. \n\nTo illustrate our findings, we developed the following exploits and\nproofs-of-concepts:\n\n- a local-root exploit against Exim (CVE-2017-1000369, CVE-2017-1000376)\n on i386 Debian;\n\n- a local-root exploit against Sudo (CVE-2017-1000367, CVE-2017-1000366)\n on i386 Debian, Ubuntu, CentOS;\n\n- an independent Sudoer-to-root exploit against CVE-2017-1000367 on any\n SELinux-enabled distribution;\n\n- a local-root exploit against ld.so and most SUID-root binaries\n (CVE-2017-1000366, CVE-2017-1000370) on i386 Debian, Fedora, CentOS;\n\n- a local-root exploit against ld.so and most SUID-root PIEs\n (CVE-2017-1000366, CVE-2017-1000371) on i386 Debian, Ubuntu, Fedora;\n\n- a local-root exploit against /bin/su (CVE-2017-1000366,\n CVE-2017-1000365) on i386 Debian;\n\n- a proof-of-concept that gains eip control against Sudo on i386\n grsecurity/PaX (CVE-2017-1000367, CVE-2017-1000366, CVE-2017-1000377);\n\n- a local proof-of-concept that gains rip control against Exim\n (CVE-2017-1000369) on amd64 Debian;\n\n- a local-root exploit against ld.so and most SUID-root binaries\n (CVE-2017-1000366, CVE-2017-1000379) on amd64 Debian, Ubuntu, Fedora,\n CentOS;\n\n- a proof-of-concept against /usr/bin/at on i386 OpenBSD, for\n CVE-2017-1000372 in OpenBSD\u0027s stack guard-page implementation and\n CVE-2017-1000373 in OpenBSD\u0027s qsort() function;\n\n- a proof-of-concept for CVE-2017-1000374 and CVE-2017-1000375 in\n NetBSD\u0027s stack guard-page implementation;\n\n- a proof-of-concept for CVE-2017-1085 in FreeBSD\u0027s setrlimit()\n RLIMIT_STACK 
implementation;\n\n- two proofs-of-concept for CVE-2017-1083 and CVE-2017-1084 in FreeBSD\u0027s\n stack guard-page implementation;\n\n- a local-root exploit against /usr/bin/rsh (CVE-2017-3630,\n CVE-2017-3629, CVE-2017-3631) on Solaris 11. \n\n\n========================================================================\nII. Problem\n========================================================================\n\nNote: in this advisory, the \"start of the stack\" is the lowest address\nof its memory region, and the \"end of the stack\" is the highest address\nof its memory region; we do not use the ambiguous terms \"top of the\nstack\" and \"bottom of the stack\". \n\n========================================================================\nII.1. Automatic stack expansion\n========================================================================\n\nThe user-space stack of a process is automatically expanded by the\nkernel:\n\n- if the stack-pointer (the esp register, on i386) reaches the start of\n the stack and the unmapped memory pages below (the stack grows down,\n on i386),\n\n- then a \"page-fault\" exception is raised and caught by the kernel,\n\n- and the page-fault handler transparently expands the user-space stack\n of the process (it decreases the start address of the stack),\n\n- or it terminates the process with a SIGSEGV if the stack expansion\n fails (for example, if the RLIMIT_STACK is reached). \n\nUnfortunately, this stack expansion mechanism is implicit and fragile:\nit relies on page-fault exceptions, but if another memory region is\nmapped directly below the stack, then the stack-pointer can move from\nthe stack into the other memory region without raising a page-fault,\nand:\n\n- the kernel cannot tell that the process needed more stack memory;\n\n- the process cannot tell that its stack-pointer moved from the stack\n into another memory region. 
\n\nIn contrast, the heap expansion mechanism is explicit and robust: the\nprocess uses the brk() system-call to tell the kernel that it needs more\nheap memory, and the kernel expands the heap accordingly (it increases\nthe end address of the heap memory region -- the heap always grows up). \n\n========================================================================\nII.2. Stack guard-page\n========================================================================\n\nThe fragile stack expansion mechanism poses a security threat: if the\nstack-pointer of a process can move from the stack into another memory\nregion (which ends exactly where the stack starts) without raising a\npage-fault, then:\n\n- the process uses this other memory region as if it were an extension\n of the stack;\n\n- a write to this stack extension smashes the other memory region;\n\n- a write to the other memory region smashes the stack extension. \n\nTo protect against this security threat, the kernel maps a \"guard-page\"\nbelow the start of the stack: one or more PROT_NONE pages (or unmappable\npages) that:\n\n- raise a page-fault exception if accessed (before the stack-pointer can\n move from the stack into another memory region);\n\n- terminate the process with a SIGSEGV (because the page-fault handler\n cannot expand the stack if another memory region is mapped directly\n below). \n\nUnfortunately, a stack guard-page of a few kilobytes is insufficient\n(CVE-2017-1000364): if the stack-pointer \"jumps\" over the guard-page --\nif it moves from the stack into another memory region without accessing\nthe guard-page -- then no page-fault exception is raised and the stack\nextends into the other memory region. \n\nThis theoretical vulnerability was first described in Gael Delalleau\u0027s\n2005 presentation (slides 24-29). 
In the present advisory, we discuss\nits practicalities, and multiple vulnerabilities in stack guard-page\nimplementations (in OpenBSD, NetBSD, and FreeBSD), but we exclude\nrelated vulnerabilities such as unbounded alloca()s and VLAs\n(Variable-Length Arrays) that have been exploited in the past:\n\nhttp://phrack.org/issues/63/14.html\nhttp://blog.exodusintel.com/2013/01/07/who-was-phone/\n\n========================================================================\nII.3. Stack-clash exploitation\n========================================================================\n\n Must be a clash, there\u0027s no alternative. \n --The Clash, \"Kingston Advice\"\n\nOur exploits follow a series of four sequential steps -- each step\nallocates memory that must not be freed before all steps are complete:\n\nStep 1: Clash (the stack with another memory region)\nStep 2: Run (move the stack-pointer to the start of the stack)\nStep 3: Jump (over the stack guard-page, into the other memory region)\nStep 4: Smash (the stack, or the other memory region)\n\n========================================================================\nII.3.1. Step 1: Clash the stack with another memory region\n========================================================================\n\n Have the boys found the leak yet?\n --The Clash, \"The Leader\"\n\nAllocate memory until the start of the stack reaches the end of another\nmemory region, or until the end of another memory region reaches the\nstart of the stack. \n\n- The other memory region can be, for example:\n . the heap;\n . an anonymous mmap();\n . the read-write segment of ld.so;\n . the read-write segment of a PIE, a Position-Independent Executable. \n\n- The memory allocated in this Step 1 can be, for example:\n . stack and heap memory;\n . stack and anonymous mmap() memory;\n . stack memory only. \n\n- The heap and anonymous mmap() memory can be:\n\n . 
temporarily allocated, but not freed before the stack guard-page is\n jumped over in Step 3 and memory is smashed in Step 4;\n\n . permanently leaked. On Linux, a general method for allocating\n anonymous mmap()s is the LD_AUDIT memory leak that we discovered in\n the ld.so part of the glibc, the GNU C Library (CVE-2017-1000366). \n\n- The stack memory can be allocated, for example:\n\n . through megabytes of command-line arguments and environment\n variables. \n\n On Linux, this general method for allocating stack memory is limited\n by the kernel to 1/4 of the current RLIMIT_STACK (1GB on i386 if\n RLIMIT_STACK is RLIM_INFINITY -- man execve, \"Limits on size of\n arguments and environment\"). \n\n However, as we were drafting this advisory, we realized that the\n kernel imposes this limit on the argument and environment strings,\n but not on the argv[] and envp[] pointers to these strings, and we\n developed alternative versions of our Linux exploits that do not\n depend on application-specific memory leaks (CVE-2017-1000365). \n\n . through recursive function calls. \n\n On BSD, we discovered a general method for allocating megabytes of\n stack memory: a vulnerability in qsort() that causes this function\n to recurse N/4 times, given a pathological input array of N elements\n (CVE-2017-1000373 in OpenBSD, CVE-2017-1000378 in NetBSD, and\n CVE-2017-1082 in FreeBSD). \n\n- In a few rare cases, Step 1 is not needed, because another memory\n region is naturally mapped directly below the stack (for example,\n ld.so in our Solaris exploit). \n\n========================================================================\nII.3.2. Step 2: Move the stack-pointer to the start of the stack\n========================================================================\n\n Run, run, run, run, run, don\u0027t you know?\n --The Clash, \"Three Card Trick\"\n\nConsume the unused stack memory that separates the stack-pointer from\nthe start of the stack. 
This Step 2 is similar to Step 3 (\"Jump over the\nstack guard-page\") but is needed because:\n\n- the stack-pointer is usually several kilobytes higher than the start\n of the stack (functions that allocate a large stack-frame decrease the\n start address of the stack, but this address is never increased\n again); moreover:\n\n . the FreeBSD kernel automatically expands the user-space stack of a\n process by multiples of 128KB (SGROWSIZ, in vm_map_growstack());\n\n . the Linux kernel initially expands the user-space stack of a process\n by 128KB (stack_expand, in setup_arg_pages()). \n\n- in Step 3, the stack-based buffer used to jump over the guard-page:\n\n . is usually not large enough to simultaneously move the stack-pointer\n to the start of the stack, and then into another memory region;\n\n . must not be fully written to (a full write would access the stack\n guard-page and terminate the process) but the stack memory consumed\n in this Step 2 can be fully written to (for example, strdupa() can\n be used in Step 2, but not in Step 3). \n\nThe stack memory consumed in this Step 2 can be, for example:\n\n- large stack-frames, alloca()s, or VLAs (which can be detected by\n grsecurity/PaX\u0027s STACKLEAK plugin for GCC,\n https://grsecurity.net/features.php);\n\n- recursive function calls (which can be detected by GNU cflow,\n http://www.gnu.org/software/cflow/);\n\n- on Linux, we discovered that the argv[] and envp[] arrays of pointers\n can be used to consume the 128KB of initial stack expansion, because\n the kernel allocates these arrays on the stack long after the call to\n setup_arg_pages(); this general method for completing Step 2 is\n exploitable locally, but the initial stack expansion poses a major\n obstacle to the remote exploitation of stack-clashes, as mentioned in\n IV.1.1. 
\n\nIn a few rare cases, Step 2 is not needed, because the stack-pointer is\nnaturally close to the start of the stack (for example, in Exim\u0027s main()\nfunction, the 256KB group_list[] moves the stack-pointer to the start of\nthe stack and beyond). \n\n========================================================================\nII.3.3. Step 3: Jump over the stack guard-page, into another memory\nregion\n========================================================================\n\n You need a little jump of electrical shockers. \n --The Clash, \"Clash City Rockers\"\n\nMove the stack-pointer from the stack and into the memory region that\nclashed with the stack in Step 1, but without accessing the guard-page. \nTo complete this Step 3, a large stack-based buffer, alloca(), or VLA is\nneeded, and:\n\n- it must be larger than the guard-page;\n\n- it must end in the stack, above the guard-page;\n\n- it must start in the memory region below the stack guard-page;\n\n- it must not be fully written to (a full write would access the\n guard-page, raise a page-fault exception, and terminate the process,\n because the memory region mapped directly below the stack prevents the\n page-fault handler from expanding the stack). \n\nIn a few cases, Step 3 is not needed:\n\n- on FreeBSD, a stack guard-page is implemented but disabled by default\n (CVE-2017-1083);\n\n- on OpenBSD, NetBSD, and FreeBSD, we discovered implementation\n vulnerabilities that eliminate the stack guard-page (CVE-2017-1000372,\n CVE-2017-1000374, CVE-2017-1084). \n\nOn Linux, we devised general methods for jumping over the stack\nguard-page (CVE-2017-1000366):\n\n- The glibc\u0027s __dcigettext() function alloca()tes single_locale, a\n stack-based buffer of up to 128KB (MAX_ARG_STRLEN, man execve), the\n length of the LANGUAGE environment variable (if the current locale is\n neither \"C\" nor \"POSIX\", but distributions install default locales\n such as \"C.UTF-8\" and \"en_US.utf8\"). 
\n\n If LANGUAGE is mostly composed of \u0027:\u0027 characters, then single_locale\n is barely written to, and can be used to jump over the stack\n guard-page. \n\n Moreover, if __dcigettext() finds the message to be translated, then\n _nl_find_msg() strdup()licates the OUTPUT_CHARSET environment variable\n and allows a local attacker to immediately smash the stack and gain\n control of the instruction pointer (the eip register, on i386), as\n detailed in Step 4a. \n\n We exploited this stack-clash against Sudo and su, but most of the\n SUID (set-user-ID) and SGID (set-group-ID) binaries that call\n setlocale(LC_ALL, \"\") and __dcigettext() or its derivatives (the\n *gettext() functions, the _() convenience macro, the strerror()\n function) are exploitable. \n\n- The glibc\u0027s vfprintf() function (called by the *printf() family of\n functions) alloca()tes a stack-based work buffer of up to 64KB\n (__MAX_ALLOCA_CUTOFF) if a width or precision is greater than 1KB\n (WORK_BUFFER_SIZE). \n\n If the corresponding format specifier is %s then this work buffer is\n never written to and can be used to jump over the stack guard-page. \n\n None of our exploits is based on this method, but it was one of our\n ideas to exploit Exim remotely, as mentioned in IV.1.1. \n\n- The glibc\u0027s getaddrinfo() function calls gaih_inet(), which\n alloca()tes tmpbuf, a stack-based buffer of up to 64KB\n (__MAX_ALLOCA_CUTOFF) that may be used to jump over the stack\n guard-page. \n\n Moreover, gaih_inet() calls the gethostbyname*() functions, which\n malloc()ate a heap-based DNS response of up to 64KB (MAXPACKET) that\n may allow a remote attacker to immediately smash the stack, as\n detailed in Step 4a. \n\n None of our exploits is based on this method, but it may be the key to\n the remote exploitation of stack-clashes. \n\n- The glibc\u0027s run-time dynamic linker ld.so alloca()tes llp_tmp, a\n stack-based copy of the LD_LIBRARY_PATH environment variable. 
If\n LD_LIBRARY_PATH contains Dynamic String Tokens (DSTs), they are first\n expanded: llp_tmp can be larger than 128KB (MAX_ARG_STRLEN) and not\n fully written to, and can therefore be used to jump over the stack\n guard-page and smash the memory region mapped directly below, as\n detailed in Step 4b. \n\n We exploited this ld.so stack-clash in two data-only attacks that\n bypass NX (No-eXecute) and ASLR (Address Space Layout Randomization)\n and obtain a privileged shell through most SUID and SGID binaries on\n most i386 Linux distributions. \n\n- Several local and remote applications allocate a 256KB stack-based\n \"gid_t buffer[NGROUPS_MAX];\" that is not fully written to and can be\n used to move the stack-pointer to the start of the stack (Step 2) and\n jump over the guard-page (Step 3). For example, Exim\u0027s main() function\n and older versions of util-linux\u0027s su. \n\n None of our exploits is based on this method, but an experimental\n version of our Exim exploit unexpectedly gained control of eip after\n the group_list[] buffer had jumped over the stack guard-page. \n\n========================================================================\nII.3.4. Step 4: Either smash the stack with another memory region (Step\n4a) or smash another memory region with the stack (Step 4b)\n========================================================================\n\n Smash and grab, it\u0027s that kind of world. \n --The Clash, \"One Emotion\"\n\nIn Step 3, a function allocates a large stack-based buffer and jumps\nover the stack guard-page into the memory region mapped directly below;\nin Step 4, before this function returns and jumps back into the stack:\n\n- Step 4a: a write to the memory region mapped below the stack (where\n esp still points to) effectively smashes the stack. We exploit this\n general method for completing Step 4 in Exim, Sudo, and su:\n\n . we overwrite a return-address on the stack and gain control of eip;\n\n . 
we return-into-libc (into system() or __libc_dlopen()) to defeat NX;\n\n . we brute-force ASLR (8 bits of entropy) if CVE-2016-3672 is patched;\n\n . we bypass SSP (Stack-Smashing Protector) because we overwrite the\n return-address of a function that is not protected by a stack canary\n (the memcpy() that smashes the stack usually overwrites its own\n stack-frame and return-address). \n\n- Step 4b: a write to the stack effectively smashes the memory region\n mapped below (where esp still points to). This second method for\n completing Step 4 is application-specific (it depends on the contents\n of the memory region that we smash) unless we exploit the run-time\n dynamic linker ld.so:\n\n . on Solaris, we devised a general method for smashing ld.so\u0027s\n read-write segment, overwriting one of its function pointers, and\n executing our own shell-code;\n\n . on Linux, we exploited most SUID and SGID binaries through ld.so:\n our \"hwcap\" exploit smashes an mmap()ed string, and our \".dynamic\"\n exploit smashes a PIE\u0027s read-write segment before it is mprotect()ed\n read-only by Full RELRO (Full RELocate Read-Only -- GNU_RELRO and\n BIND_NOW). \n\n\n========================================================================\nIII. Solutions\n========================================================================\n\nBased on our research, we recommend that the affected operating systems:\n\n- Increase the size of the stack guard-page to at least 1MB, and allow\n system administrators to easily modify this value (for example,\n grsecurity/PaX introduced /proc/sys/vm/heap_stack_gap in 2010). \n\n This first, short-term solution is cheap, but it can be defeated by a\n very large stack-based buffer. 
\n\n- Recompile all userland code (ld.so, libraries, binaries) with GCC\u0027s\n \"-fstack-check\" option, which prevents the stack-pointer from moving\n into another memory region without accessing the stack guard-page (it\n writes one word to every 4KB page allocated on the stack). \n\n This second, long-term solution is expensive, but it cannot be\n defeated (even if the stack guard-page is only 4KB, one page) --\n unless a vulnerability is discovered in the implementation of the\n stack guard-page or the \"-fstack-check\" option. \n\n\n========================================================================\nIV. Results\n========================================================================\n\n========================================================================\nIV.1. Linux\n========================================================================\n\n========================================================================\nIV.1.1. Exim\n========================================================================\n\nDebian 8.5\n\nCrude exploitation\n\nOur first exploit, a Local Privilege Escalation against Exim\u0027s SUID-root\nPIE (Position-Independent Executable) on i386 Debian 8.5, simply follows\nthe four sequential steps outlined in II.3. \n\nStep 1: Clash the stack with the heap\n\nTo reach the start of the stack with the end of the heap (man brk), we\npermanently leak memory through multiple -p command-line arguments that\nare malloc()ated by Exim but never free()d (CVE-2017-1000369) -- we call\nsuch a malloc()ated chunk of heap memory a \"memleak-chunk\". \n\nBecause the -p argument strings are originally allocated on the stack by\nexecve(), we must cover half of the initial heap-stack distance (between\nthe start of the heap and the end of the stack) with stack memory, and\nhalf of this distance with heap memory. 
\n\nIf we set the RLIMIT_STACK to 136MB (MIN_GAP, arch/x86/mm/mmap.c) then\nthe initial heap-stack distance is minimal (randomized in a [96MB,137MB]\nrange), but we cannot reach the stack with the heap because of the 1/4\nlimit imposed by the kernel on the argument and environment strings (man\nexecve): 136MB/4=34MB of -p argument strings cannot cover 96MB/2=48MB,\nhalf of the minimum heap-stack distance. \n\nMoreover, if we increase the RLIMIT_STACK, the initial heap-stack\ndistance also increases and we still cannot reach the stack with the\nheap. However, if we set the RLIMIT_STACK to RLIM_INFINITY (4GB on i386)\nthen the kernel switches from the default top-down mmap() layout to a\nlegacy bottom-up mmap() layout, and:\n\n- the initial heap-stack distance is approximately 2GB, because the\n start of the heap (the initial brk()) is randomized above the address\n 0x40000000, and the end of the stack is randomized below the address\n 0xC0000000;\n\n- we can reach the stack with the heap, despite the 1/4 limit imposed by\n the kernel on the argument and environment strings, because 4GB/4=1GB\n of -p argument strings can cover 2GB/2=1GB, half of the initial\n heap-stack distance;\n\n- we clash the stack with the heap around the address 0x80000000. \n\nStep 2: Move the stack-pointer (esp) to the start of the stack\n\nThe 256KB stack-based group_list[] in Exim\u0027s main() naturally consumes\nthe 128KB of initial stack expansion, as mentioned in II.3.2. \n\nStep 3: Jump over the stack guard-page and into the heap\n\nTo move esp from the start of the stack into the heap, without accessing\nthe stack guard-page, we use a malformed -d command-line argument that\nis written to the 32KB (STRING_SPRINTF_BUFFER_SIZE) stack-based buffer\nin Exim\u0027s string_sprintf() function. This buffer is not fully written to\nand hence does not access the stack guard-page, because our -d argument\nstring is much shorter than 32KB. 
\n\nStep 4a: Smash the stack with the heap\n\nBefore string_sprintf() returns (and moves esp from the heap back into\nthe stack) it calls string_copy(), which malloc()ates and memcpy()es our\n-d argument string to the end of the heap, where esp still points to --\nwe call this malloc()ated chunk of heap memory the \"smashing-chunk\". \n\nThis call to memcpy() therefore smashes its own stack-frame (which is\nnot protected by SSP) with the contents of our smashing-chunk, and we\noverwrite memcpy()\u0027s return-address with the address of libc\u0027s system()\nfunction (which is not randomized by ASLR because Debian 8.5 is\nvulnerable to CVE-2016-3672):\n\n- instead of smashing memcpy()\u0027s stack-frame with an 8-byte pattern (the\n return-address to system() and its argument) we smash it with a simple\n 4-byte pattern (the return-address to system()), append \".\" to the\n PATH environment variable, and symlink() our exploit to the string\n that begins at the address of libc\u0027s system() function;\n\n- system() does not drop our escalated root privileges, because Debian\u0027s\n /bin/sh is dash, not bash and its -p option (man bash). \n\nThis first version of our Exim exploit obtained a root-shell after\nnearly a week of failed attempts; to improve this result, we analyzed\nevery step of a successful run. \n\nRefined exploitation\n\nStep 1: Clash the stack with the heap\n\n+ The heap must be able to reach the stack [Condition 1]\n\nThe start of the heap is randomized in the 32MB range above the end of\nExim\u0027s PIE (the end of its .bss section), but the growth of the heap is\nsometimes blocked by libraries that are mmap()ed within the same range\n(because of the legacy bottom-up mmap() layout). On Debian 8.5, Exim\u0027s\nlibraries occupy about 8MB and thus block the growth of the heap with a\nprobability of 8MB/32MB = 1/4. 
\n\nWhen the heap is blocked by the libraries, malloc() switches from brk()\nto mmap()s of 1MB (MMAP_AS_MORECORE_SIZE), and our memory leak reaches\nthe stack with mmap()s instead of the heap. Such a stack-clash is also\nexploitable, but its probability of success is low, as detailed in\nIV.1.6., and we therefore discarded this approach. \n\n+ The heap must always reach the stack, when not blocked by libraries\n\nBecause the initial heap-stack distance (between the start of the heap\nand the end of the stack) is a random variable:\n\n- either we allocate the exact amount of heap memory to cover the mean\n heap-stack distance, but the probability of success of this approach\n is low and we therefore discarded it;\n\n- or we allocate enough heap memory to always reach the stack, even when\n the initial heap-stack distance is maximal; after the heap reaches the\n stack, our memory leak allocates mmap()s of 1MB above the stack (below\n 0xC0000000) and below the heap (above the libraries), but it must not\n exhaust the address-space (the 1GB below 0x40000000 is unmappable);\n\n- the final heap-stack distance (between the end of the heap and the\n start of the stack) is also a random variable:\n\n . its minimum value is 8KB (the stack guard-page, plus a safety page\n imposed by the brk() system-call in mm/mmap.c);\n\n . its maximum value is roughly the size of a memleak-chunk, plus 128KB\n (DEFAULT_TOP_PAD, malloc/malloc.c). 
\n\nStep 3: Jump over the stack guard-page and into the heap\n\n- The stack-pointer must jump over the guard-page and land into the free\n chunk at the end of the heap (the remainder of the heap after malloc()\n switches from brk() to mmap()), where both the smashing-chunk and\n memcpy()\u0027s stack-frame are allocated and overwritten in Step 4a\n [Condition 2];\n\n- The write (of approximately smashing-chunk bytes) to\n string_sprintf()\u0027s stack-based buffer (which starts where the\n guard-page jump lands) must not crash into the end of the heap\n [Condition 3]. \n\nStep 4a: Smash the stack with the heap\n\nThe smashing-chunk must be allocated into the free chunk at the end of\nthe heap:\n\n- the smashing-chunk must not be allocated into the free chunks left\n over at the end of the 1MB mmap()s [Condition 4];\n\n- the memleak-chunks must not be allocated into the free chunk at the\n end of the heap [Condition 5]. \n\nIntuitively, the probability of gaining control of eip depends on the\nsize of the smashing-chunk (the guard-page jump\u0027s landing-zone) and the\nsize of the memleak-chunks (which determines the final heap-stack\ndistance). \n\nTo maximize this probability, we wrote a helper program that imposes the\nfollowing conditions on the smashing-chunk and memleak-chunks:\n\n- the smashing-chunk must be smaller than 32KB\n (STRING_SPRINTF_BUFFER_SIZE) [Condition 3];\n\n- the memleak-chunks must be smaller than 128KB (DEFAULT_MMAP_THRESHOLD,\n malloc/malloc.c);\n\n- the free chunk at the end of the heap must be larger than twice the\n smashing-chunk size [Conditions 2 and 3];\n\n- the free chunk at the end of the heap must be smaller than the\n memleak-chunk size [Condition 5];\n\n- when the final heap-stack distance is minimal, the 32KB\n (STRING_SPRINTF_BUFFER_SIZE) guard-page jump must land below the free\n chunk at the end of the heap [Condition 2];\n\n- the free chunks at the end of the 1MB mmap()s must be:\n\n . 
either smaller than the smashing-chunk [Condition 4];\n\n . or larger than the free chunk at the end of the heap (glibc\u0027s\n malloc() is a best-fit allocator) [Condition 4]. \n\nThe resulting smashing-chunk and memleak-chunk sizes are:\n\nsmash: 10224 memleak: 27656 brk_min: 20464 brk_max: 24552 mmap_top: 25304\nprobability: 1/16 (0.06190487817)\n\nIn theory, the probability of gaining control of eip is 1/21: the\nproduct of the 1/16 probability calculated by this helper program\n(approximately (smashing-chunk / (memleak-chunk + DEFAULT_TOP_PAD))) and\nthe 3/4 probability of reaching the stack with the heap [Condition 1]. \n\nIn practice, on Debian 8.5, our final Exim exploit:\n\n- gains eip control in 1 run out of 28, on average;\n\n- takes 2.5 seconds per run (on a 4GB Virtual Machine);\n\n- has a good chance of obtaining a root-shell after 28*2.5 = 70 seconds;\n\n- uses 4GB of memory (2GB in the Exim process, and 2GB in the process\n fork()ed by system()). \n\nDebian 8.6\n\nUnlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672: after\ngaining eip control in Step 4a (Smash), the probability of successfully\nreturning-into-libc\u0027s system() function is 1/256 (8 bits of entropy --\nlibraries are randomized in a 1MB range but aligned on 4KB). \n\nConsequently, our final Exim exploit has a good chance of obtaining a\nroot-shell on Debian 8.6 after 256*28*2.5 seconds = 5 hours (256*28=7168\nruns). \n\nAs we were drafting this advisory, we tried an alternative approach\nagainst Exim on Debian 8.6: we discovered that its stack is executable,\nbecause it depends on libgnutls-deb0, which depends on libp11-kit, which\ndepends on libffi, which incorrectly requires an executable GNU_STACK\n(CVE-2017-1000376). 
\n\nInitially, we discarded this approach because our 1GB of -p argument\nstrings on the stack is not executable (_dl_make_stack_executable() only\nmprotect()s the stack below argv[] and envp[]):\n\n41e00000-723d7000 rw-p 00000000 00:00 0 [heap]\n802f1000-80334000 rwxp 00000000 00:00 0 [stack]\n80334000-bfce6000 rw-p 00000000 00:00 0\n\nand because the stack is randomized in an 8MB range but we do not\ncontrol the contents of any large buffer on the executable stack. \n\nLater, we discovered that two 128KB (MAX_ARG_STRLEN) copies of the\nLD_PRELOAD environment variable can be allocated onto the executable\nstack by ld.so\u0027s dl_main() and open_path() functions, automatically\nfreed upon return from these functions, and re-allocated (but not\noverwritten) by Exim\u0027s 256KB stack-based group_list[]. \n\nIn theory, the probability of returning into our shell-code (into these\nexecutable copies of LD_PRELOAD) is 1/32 (2*128KB/8MB), higher than the\n1/256 probability of returning-into-libc. In practice, this alternative\nExim exploit has a good chance of obtaining a root-shell after 1174 runs\n-- instead of 32*28=896 runs in theory, because the two 128KB copies of\nLD_PRELOAD are never perfectly aligned with Exim\u0027s 256KB group_list[] --\nor 1174*2.5 seconds = 50 minutes. 
\n\nDebian 9 and 10\n\nUnlike Debian 8, Debian 9 and 10 are not vulnerable to offset2lib, a\nminor weakness in Linux\u0027s ASLR that coincidentally affects Step 1\n(Clash) of our stack-clash exploits:\n\nhttps://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1fd836dcf00d2028c700c7e44d2c23404062c90\n\nIf we set RLIMIT_STACK to RLIM_INFINITY, the kernel still switches to\nthe legacy bottom-up mmap() layout, and the libraries are randomized in\nthe 1MB range above the address 0x40000000, but Exim\u0027s PIE is randomized\nin the 1MB range above the address 0x80000000 and the heap is randomized\nin the 32MB range above the PIE\u0027s .bss section. As a result:\n\n- the heap is always able to reach the stack, because its growth is\n never blocked by the libraries -- the theoretical probability of\n gaining eip control is 1/16, the probability calculated by our helper\n program;\n\n- the heap clashes with the stack around the address 0xA0000000, because\n the initial heap-stack distance is 1GB (0xC0000000-0x80000000) and can\n be covered with 512MB of heap memory and 512MB of stack memory. \n\nRemote exploitation\n\nExim\u0027s string_sprintf() or glibc\u0027s vfprintf() can be used to remotely\ncomplete Steps 3 and 4 of the stack-clash; and the 256KB group_list[] in\nExim\u0027s main() naturally consumes the 128KB of initial stack expansion in\nStep 2; but another 256KB group_list[] in Exim\u0027s exim_setugid() further\ndecreases the start address of the stack and prevents us from remotely\ncompleting Step 2 and exploiting Exim. \n\n========================================================================\nIV.1.2. 
Sudo\n========================================================================\n\nIntroduction\n\nWe discovered a vulnerability in Sudo\u0027s get_process_ttyname() for Linux:\nthis function opens \"/proc/[pid]/stat\" (man proc) and reads the device\nnumber of the tty from field 7 (tty_nr). Unfortunately, these fields are\nspace-separated and field 2 (comm, the filename of the command) can\ncontain spaces (CVE-2017-1000367). \n\nFor example, if we execute Sudo through the symlink \"./ 1 \",\nget_process_ttyname() calls sudo_ttyname_dev() to search for the\nnon-existent tty device number \"1\" in the built-in search_devs[]. \n\nNext, sudo_ttyname_dev() calls the recursive function\nsudo_ttyname_scan() to search for this non-existent tty device number\n\"1\" in a breadth-first traversal of \"/dev\". \n\nLast, we exploit this recursive function during its traversal of the\nworld-writable \"/dev/shm\", and allocate hundreds of megabytes of heap\nmemory from the filesystem (directory pathnames) instead of the stack\n(the command-line arguments and environment variables allocated by our\nother stack-clash exploits). \n\nStep 1: Clash the stack with the heap\n\nsudo_ttyname_scan() strdup()licates the pathnames of the directories and\nsub-directories that it traverses, but does not free() them until it\nreturns. Each one of these \"memleak-chunks\" allocates at most 4KB\n(PATH_MAX) of heap memory. \n\nStep 2: Move the stack-pointer to the start of the stack\n\nThe recursive calls to sudo_ttyname_scan() allocate 4KB (PATH_MAX)\nstack-frames that naturally consume the 128KB of initial stack\nexpansion. \n\nStep 3: Jump over the stack guard-page and into the heap\n\nIf the length of a directory pathname reaches 4KB (PATH_MAX),\nsudo_ttyname_scan() calls warning(), which calls strerror() and _(),\nwhich call gettext() and allow us to jump over the stack guard-page with\nan alloca() of up to 128KB (the LANGUAGE environment variable), as\nexplained in II.3.3. 
\n\nStep 4a: Smash the stack with the heap\n\nThe self-contained gettext() exploitation method malloc()ates and\nmemcpy()es a \"smashing-chunk\" of up to 128KB (the OUTPUT_CHARSET\nenvironment variable) that smashes memcpy()\u0027s stack-frame and\nreturn-address, as explained in II.3.4. \n\nDebian 8.5\n\nStep 1: Clash the stack with the heap\n\nDebian 8.5 is vulnerable to CVE-2016-3672: if we set RLIMIT_STACK to\nRLIM_INFINITY, the kernel switches to the legacy bottom-up mmap() layout\nand disables the ASLR of Sudo\u0027s PIE and libraries, but still the initial\nheap-stack distance is randomized and roughly 2GB (0xC0000000-0x40000000\n-- the start of the heap is randomized in a 32MB range above 0x40000000,\nand the end of the stack is randomized in the 8MB range below\n0xC0000000). \n\nTo reach the start of the stack with the end of the heap, we allocate\nhundreds of megabytes of heap memory from the filesystem (directory\npathnames), and:\n\n- the heap must be able to reach the stack -- on Debian 8.5, Sudo\u0027s\n libraries occupy about 3MB and hence block the growth of the heap with\n a probability of 3MB/32MB ~= 1/11;\n\n- when not blocked by the libraries, the heap must always reach the\n stack, even when the initial heap-stack distance is maximal (as\n detailed in IV.1.1.);\n\n- we cover half of the initial heap-stack distance with 1GB of heap\n memory (the memleak-chunks, strdup()licated directory pathnames);\n\n- we cover the other half of this distance with 1GB of stack memory (the\n maximum permitted by the kernel\u0027s 1/4 limit on the argument and\n environment strings) and thus reduce our on-disk inode usage;\n\n- we redirect sudo_ttyname_scan()\u0027s traversal of /dev to /var/tmp\n (through a symlink planted in /dev/shm) to work around the small\n number of inodes available in /dev/shm. 
\n\nAfter the heap reaches the stack and malloc() switches from brk() to\nmmap()s of 1MB:\n\n- the size of the free chunk left over at the end of the heap is a\n random variable in the [0B,4KB] range -- 4KB (PATH_MAX) is the\n approximate size of a memleak-chunk;\n\n- the final heap-stack distance (between the end of the heap and the\n start of the stack) is a random variable in the [8KB,4KB+128KB=132KB]\n range -- the size of a memleak-chunk plus 128KB (DEFAULT_TOP_PAD);\n\n- sudo_ttyname_scan() recurses a few more times and therefore allocates\n more stack memory, but this stack expansion is blocked by the heap and\n crashes into the stack guard-page after 16 recursions on average\n (132KB/4KB/2, where 132KB is the maximum final heap-stack distance,\n and 4KB is the size of sudo_ttyname_scan()\u0027s stack-frame). \n\nTo solve this unexpected problem, we:\n\n- first, redirect sudo_ttyname_scan() to a directory tree \"A\" in\n /var/tmp that recurses and allocates stack memory, but does not\n allocate heap memory (each directory level contains only one entry,\n the sub-directory that is connected to the next directory level);\n\n- second, redirect sudo_ttyname_scan() to a directory tree \"B\" in\n /var/tmp that recurses and allocates heap memory (each directory level\n contains many entries), but does not allocate more stack memory (it\n simply consumes the stack memory that was already allocated by the\n directory tree \"A\"): it does not further expand the stack, and does\n not crash into the guard-page. 
\n\nFinally, we increase the speed of our exploit and avoid thousands of\nuseless recursions:\n\n- in each directory level traversed by sudo_ttyname_scan(), we randomly\n modify the names of its sub-directories until the first call to\n readdir() returns the only sub-directory that is connected to the next\n level of the directory tree (all other sub-directories allocate heap\n memory but are otherwise empty);\n\n- we dup2() Sudo\u0027s stdout and stderr to a pipe with no readers that\n terminates Sudo with a SIGPIPE if sudo_ttyname_scan() calls warning()\n and sudo_printf() (a failed exploit attempt, usually because the final\n heap-stack distance is much longer or shorter than the guard-page\n jump). \n\nStep 2: Move the stack-pointer to the start of the stack\n\nsudo_ttyname_scan() allocates a 4KB (PATH_MAX) stack-based pathbuf[]\nthat naturally consumes the 128KB of initial stack expansion in fewer\nthan 128KB/4KB=32 recursive calls. \n\nThe recursive calls to sudo_ttyname_scan() allocate less than 8MB of\nstack memory: the maximum number of recursions (PATH_MAX / strlen(\"/a\")\n= 2K) multiplied by the size of sudo_ttyname_scan()\u0027s stack-frame (4KB). \n\nStep 3: Jump over the stack guard-page and into the heap\n\nThe length of the guard-page jump in gettext() is the length of the\nLANGUAGE environment variable (at most 128KB, MAX_ARG_STRLEN): we take a\n64KB jump, well within the range of the final heap-stack distance; this\njump then lands into the free chunk at the end of the heap, where the\nsmashing-chunk will be allocated in Step 4a, with a probability of\n(smashing-chunk / (memleak-chunk + DEFAULT_TOP_PAD)). \n\nIf available, we assign \"C.UTF-8\" to the LC_ALL environment variable,\nand prepend \"be\" to our 64KB LANGUAGE environment variable, because\nthese minimal locales do not interfere with our heap feng-shui. 
\n\nStep 4a: Smash the stack with the heap\n\nIn gettext(), the smashing-chunk (a malloc() and memcpy() of the\nOUTPUT_CHARSET environment variable) must be allocated into the free\nchunk at the end of the heap, where the stack-frame of memcpy() is also\nallocated. \n\nFirst, if the size of our memleak-chunks is exactly 4KB+8B\n(PATH_MAX+MALLOC_ALIGNMENT), then:\n\n- the size of the free chunk at the end of the heap is a random variable\n in the [0B,4KB] range;\n\n- the size of the free chunks left over at the end of the 1MB mmap()s is\n roughly 1MB%(4KB+8B)=2KB. \n\nSecond, if the size of our smashing-chunk is about 2KB+256B\n(PATH_MAX/2+NAME_MAX), then:\n\n- it is always larger than (and never allocated into) the free chunks at\n the end of the 1MB mmap()s;\n\n- it is smaller than (and allocated into) the free chunk at the end of\n the heap with a probability of roughly 1-(2KB+256B)/4KB. \n\nLast, in each level of our directory tree \"B\", sudo_ttyname_scan()\nmalloc()ates and realloc()ates an array of pointers to sub-directories,\nbut these realloc()s prevent the smashing-chunk from being allocated\ninto the free chunk at the end of the heap:\n\n- they create holes in the heap, where the smashing-chunk may be\n allocated to;\n\n- they may allocate the free chunk at the end of the heap, where the\n smashing-chunk should be allocated to. \n\nTo solve these problems, we carefully calculate the number of\nsub-directories in each level of our directory tree \"B\":\n\n- we limit the size of the realloc()s -- and hence the size of the holes\n that they create -- to 4KB+2KB:\n\n . either a memleak-chunk is allocated into such a hole, and the\n remainder is smaller than the smashing-chunk (\"not a fit\");\n\n . 
or such a hole is not allocated, but it is larger than the largest\n free chunk at the end of the heap (\"a worse fit\");\n\n- we gradually reduce the final size of the realloc()s in the last\n levels of our directory tree \"B\", and hence re-allocate the holes\n created in the previous levels. \n\nIn theory, on Debian 8.5, the probability of gaining control of eip is\napproximately 1/148, the product of:\n\n- (Step 1) the probability of reaching the stack with the heap:\n 1-3MB/32MB;\n\n- (Step 3) the probability of jumping over the stack guard-page and into\n the free chunk at the end of the heap: (2KB+256B) / (4KB+8B + 128KB);\n\n- (Step 4a) the probability of allocating the smashing-chunk into the\n free chunk at the end of the heap: 1-(2KB+256B)/4KB. \n\nIn practice, on Debian 8.5, this Sudo exploit:\n\n- gains eip control in 1 run out of 200, on average;\n\n- takes 2.8 seconds per run (on a 4GB Virtual Machine);\n\n- has a good chance of obtaining a root-shell after 200 * 2.8 seconds =\n 9 minutes;\n\n- uses 2GB of memory. \n\nNote: we do not return-into-libc\u0027s system() in Step 4a because /bin/sh\nmay be bash, which drops our escalated root privileges upon execution. \nInstead, we:\n\n- either return-into-libc\u0027s __gconv_find_shlib() function through\n find_module(), which loads this function\u0027s argument from -0x20(%ebp);\n\n- or return-into-libc\u0027s __libc_dlopen_mode() function through\n nss_load_library(), which loads this function\u0027s argument from\n -0x1c(%ebp);\n\n- search the libc for a relative pathname that contains a slash\n character (for example, \"./fork.c\") and pass its address to\n __gconv_find_shlib() or __libc_dlopen_mode();\n\n- symlink() our PIE exploit to this pathname, and let Sudo execute our\n _init() constructor as root, upon successful exploitation. 
\n\nDebian 8.6\n\nUnlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672: Sudo\u0027s\nPIE and libraries are always randomized, even if we set RLIMIT_STACK to\nRLIM_INFINITY; the probability of successfully returning-into-libc,\nafter gaining eip control in Step 4a (Smash), is 1/256. \n\nHowever, Debian 8.6 is still vulnerable to offset2lib, the minor\nweakness in Linux\u0027s ASLR that coincidentally affects Step 1 (Clash) of\nour stack-clash exploits:\n\n- if we set RLIMIT_STACK to 136MB (MIN_GAP) or less (the default is\n 8MB), then the initial heap-stack distance (between the start of the\n heap and the end of the stack) is minimal, a random variable in the\n [96MB,137MB] range;\n\n- instead of allocating 1GB of heap memory and 1GB of stack memory to\n clash the stack with the heap, we merely allocate 137MB of heap memory\n (directory pathnames from our directory tree \"B\") and no stack memory. \n\nIn theory, on Debian 8.6, the probability of gaining eip control is\n1/134 (instead of 1/148 on Debian 8.5) because the growth of the heap is\nnever blocked by Sudo\u0027s libraries; and in practice, this Sudo exploit\ntakes only 0.15 second per run (instead of 2.8 on Debian 8.5). \n\nIndependent exploitation\n\nThe vulnerability that we discovered in Sudo\u0027s get_process_ttyname()\nfunction for Linux (CVE-2017-1000367) is exploitable independently of\nits stack-clash repercussions: through this vulnerability, a local user\ncan pretend that his tty is any character device on the filesystem, and\nafter two race conditions, he can pretend that his tty is any file on\nthe filesystem. \n\nOn an SELinux-enabled system, if a user is Sudoer for a command that\ndoes not grant him full root privileges, he can overwrite any file on\nthe filesystem (including root-owned files) with this command\u0027s output,\nbecause relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK)\non his tty and dup2()s it to the command\u0027s stdin, stdout, and stderr. 
\n\nTo exploit this vulnerability, we:\n\n- create a directory \"/dev/shm/_tmp\" (to work around\n /proc/sys/fs/protected_symlinks), and a symlink \"/dev/shm/_tmp/_tty\"\n to a non-existent pty \"/dev/pts/57\", whose device number is 34873;\n\n- run Sudo through a symlink \"/dev/shm/_tmp/ 34873 \" that spoofs the\n device number of this non-existent pty;\n\n- set the flag CD_RBAC_ENABLED through the command-line option \"-r role\"\n (where \"role\" can be our current role, for example \"unconfined_r\");\n\n- monitor our directory \"/dev/shm/_tmp\" (for an IN_OPEN inotify event)\n and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot\n find our non-existent pty in \"/dev/pts/\");\n\n- SIGSTOP Sudo, call openpty() until it creates our non-existent pty,\n and SIGCONT Sudo;\n\n- monitor our directory \"/dev/shm/_tmp\" (for an IN_CLOSE_NOWRITE inotify\n event) and wait until Sudo closedir()s it;\n\n- SIGSTOP Sudo, replace the symlink \"/dev/shm/_tmp/_tty\" to our\n now-existent pty with a symlink to the file that we want to overwrite\n (for example \"/etc/passwd\"), and SIGCONT Sudo;\n\n- control the output of the command executed by Sudo (the output that\n overwrites \"/etc/passwd\"):\n\n . either through a command-specific method;\n\n . or through a general method such as \"--\\nHELLO\\nWORLD\\n\" (by\n default, getopt() prints an error message to stderr if it does not\n recognize an option character). \n\nTo reliably win the two SIGSTOP races, we preempt the Sudo process: we\nsetpriority() it to the lowest priority, sched_setscheduler() it to\nSCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit. 
\n\n[john@localhost ~]$ head -n 8 /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\n\n[john@localhost ~]$ sudo -l\n[sudo] password for john:\n... \nUser john may run the following commands on localhost:\n (ALL) /usr/bin/sum\n\n[john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $\u0027--\\nHELLO\\nWORLD\\n\u0027\n[sudo] password for john:\n\n[john@localhost ~]$ head -n 8 /etc/passwd\n/usr/bin/sum: unrecognized option \u0027--\nHELLO\nWORLD\n\u0027\nTry \u0027/usr/bin/sum --help\u0027 for more information. \nogin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n\n========================================================================\nIV.1.3. ld.so \"hwcap\" exploit\n========================================================================\n\n\"ld.so and ld-linux.so* find and load the shared libraries needed by a\nprogram, prepare the program to run, and then run it.\" (man ld.so)\n\nThrough ld.so, most SUID and SGID binaries on most i386 Linux\ndistributions are exploitable. For example: Debian 7, 8, 9, 10; Fedora\n23, 24, 25; CentOS 5, 6, 7. \n\nDebian 8.5\n\nStep 1: Clash the stack with anonymous mmap()s\n\nThe minimal malloc() implementation in ld.so calls mmap(), not brk(), to\nobtain memory from the system, and it never calls munmap(). 
To reach the\nstart of the stack with anonymous mmap()s, we:\n\n- set RLIMIT_STACK to RLIM_INFINITY and switch from the default top-down\n mmap() layout to the legacy bottom-up mmap() layout;\n\n- cover half of the initial mmap-stack distance\n (0xC0000000-0x40000000=2GB) with 1GB of stack memory (the maximum\n permitted by the kernel\u0027s 1/4 limit on the argument and environment\n strings);\n\n- cover the other half of this distance with 1GB of anonymous mmap()s,\n through multiple LD_AUDIT environment variables that permanently leak\n millions of audit_list structures (CVE-2017-1000366) in\n process_envvars() and process_dl_audit() (elf/rtld.c). \n\nStep 2: Move the stack-pointer to the start of the stack\n\nTo consume the 128KB of initial stack expansion, we simply pass 128KB of\nargv[] and envp[] pointers to execve(), as explained in II.3.2. \n\nStep 3: Jump over the stack guard-page and into the anonymous mmap()s\n\n_dl_init_paths() (elf/dl-load.c), which is called by dl_main() after\nprocess_envvars(), alloca()tes llp_tmp, a stack-based buffer large\nenough to hold the LD_LIBRARY_PATH environment variable and any\ncombination of Dynamic String Token (DST) replacement strings. To\ncalculate the size of llp_tmp, _dl_init_paths() must:\n\n- first, scan LD_LIBRARY_PATH and count all DSTs ($LIB, $PLATFORM, and\n $ORIGIN);\n\n- second, multiply the number of DSTs by the length of the longest DST\n replacement string (on Debian, $LIB is replaced by the 18-char-long\n \"lib/i386-linux-gnu\", $PLATFORM by \"i386\" or \"i686\", and $ORIGIN by\n the pathname of the program\u0027s directory, for example \"/bin\" or\n \"/usr/sbin\" -- the longest DST replacement string is usually\n \"lib/i386-linux-gnu\");\n\n- last, add the length of the original LD_LIBRARY_PATH. 
\n\nConsequently, if LD_LIBRARY_PATH contains many DSTs that are replaced by\nthe shortest DST replacement string, then llp_tmp is large but not fully\nwritten to, and can be used to jump over the stack guard-page and into\nthe anonymous mmap()s. \n\nOur ld.so exploits do not use $ORIGIN because it is ignored by several\ndistributions and glibc versions; for example:\n\n2010-12-09 Andreas Schwab \u003cschwab@redhat.com\u003e\n\n * elf/dl-object.c (_dl_new_object): Ignore origin of privileged\n program. \n\nIndex: glibc-2.12-2-gc4ccff1/elf/dl-object.c\n===================================================================\n--- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c\n+++ glibc-2.12-2-gc4ccff1/elf/dl-object.c\n@@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch\n out:\n new-\u003el_origin = origin;\n }\n+ else if (INTUSE(__libc_enable_secure) \u0026\u0026 type == lt_executable)\n+ /* The origin of a privileged program cannot be trusted. */\n+ new-\u003el_origin = (char *) -1;\n\n return new;\n }\n\nStep 4b: Smash an anonymous mmap() with the stack\n\nBefore _dl_init_paths() returns to dl_main() and jumps back from the\nanonymous mmap()s into the stack, we overwrite the block of mmap()ed\nmemory malloc()ated by _dl_important_hwcaps() with the contents of the\nstack-based buffer llp_tmp. \n\n- The block of memory malloc()ated by _dl_important_hwcaps() is divided\n in two:\n\n . The first part (the \"hwcap-pointers\") is an array of r_strlenpair\n structures that point to the hardware-capability strings stored in\n the second part of this memory block. The second part (the \"hwcap-strings\") contains strings of\n hardware-capabilities that are appended to the pathnames of trusted\n directories, such as \"/lib/\" and \"/lib/i386-linux-gnu/\", when\n open_path() searches for audit libraries (LD_AUDIT), preload\n libraries (LD_PRELOAD), or dependent libraries (DT_NEEDED). 
\n\n For example, on Debian, when open_path() finds \"libc.so.6\" in\n \"/lib/i386-linux-gnu/i686/cmov/\", \"i686/cmov/\" is such a\n hardware-capability string. \n\n- To overwrite the block of memory malloc()ated by\n _dl_important_hwcaps() with the contents of the stack-based buffer\n llp_tmp, we divide our LD_LIBRARY_PATH environment variable in two:\n\n . The first, static part (our \"good-write\") overwrites the first\n hardware-capability string with characters that we do control. The second, dynamic part (our \"bad-write\") overwrites the last\n hardware-capability strings with characters that we do not control\n (the short DST replacement strings that enlarge llp_tmp and allow us\n to jump over the stack guard-page). \n\nIf our 16-byte-aligned good-write overwrites the 8-byte-aligned first\nhardware-capability string with the 8-byte pattern \"/../tmp/\", and if we\nappend the trusted directory \"/lib\" to our LD_LIBRARY_PATH, then (after\n_dl_init_paths() returns to dl_main()):\n\n- dlmopen_doit() tries to load an LD_AUDIT library \"a\" (our memory leak\n from Step 1);\n\n- _dl_map_object() searches for \"a\" in the trusted directory \"/lib\" from\n our LD_LIBRARY_PATH;\n\n- open_path() finds our library \"a\" in \"/lib//../tmp//../tmp//../tmp/\"\n because we overwrote the first hardware-capability string with the\n pattern \"/../tmp/\";\n\n- dl_open_worker() executes our library\u0027s _init() constructor, as root. 
\n\nIn theory, this exploit\u0027s probability of success depends on:\n\n- (event A) the size of rtld_search_dirs.dirs[0], an array of\n r_search_path_elem structures that are malloc()ated by\n _dl_init_paths() after the _dl_important_hwcaps(), and must be\n allocated above the stack (below 0xC0000000), not below the stack\n where it would interfere with Steps 3 (Jump) and 4b (Smash):\n\nP(A) = 1 - size of rtld_search_dirs.dirs[0] / max stack randomization\n\n- (event B) the size of the hwcap-pointers and the size of our\n good-write, which must overwrite the first hardware-capability string,\n but not the first hardware-capability pointer (to this string):\n\nP(B|A) = MIN(size of hwcap-pointers, size of good-write) /\n (max stack randomization - size of rtld_search_dirs.dirs[0])\n\n- (event C) the size of the hwcap-strings and the size of our bad-write,\n which must not write past the end of hwcap-strings; but we guarantee\n that size of hwcap-strings \u003e= size of good-write + size of bad-write:\n\nP(C|B) = 1\n\nIn practice, we use the LD_HWCAP_MASK environment variable to maximize\nthis exploit\u0027s probability of success, because:\n\n- the size of the hwcap-pointers -- which act as a cushion that absorbs\n the excess of good-write without crashing,\n\n- the size of the hwcap-strings -- which act as a cushion that absorbs\n the excess of good-write and bad-write without crashing,\n\n- and the size of rtld_search_dirs.dirs[0],\n\nare all proportional to 2^N, where N is the number of supported\nhardware-capabilities that we enable in LD_HWCAP_MASK. \n\nFor example, on Debian 8.5, this exploit:\n\n- has a 1/151 probability of success;\n\n- takes 5.5 seconds per run (on a 4GB Virtual Machine);\n\n- has a good chance of obtaining a root-shell after 151 * 5.5 seconds =\n 14 minutes. 
\n\nDebian 8.6\n\nUnlike Debian 8.5, Debian 8.6 is not vulnerable to CVE-2016-3672, but\nour ld.so \"hwcap\" exploit is a data-only attack and is not affected by\nthe ASLR of the libraries and PIEs. \n\nDebian 9 and 10\n\nUnlike Debian 8, Debian 9 and 10 are not vulnerable to offset2lib: if we\nset RLIMIT_STACK to RLIM_INFINITY, the libraries are randomized above\nthe address 0x40000000, but the PIE is randomized above 0x80000000\n(instead of 0x40000000 before the offset2lib patch). \n\nUnfortunately, we discovered a vulnerability in the offset2lib patch\n(CVE-2017-1000370): if the PIE is execve()d with 1GB of argument or\nenvironment strings (the maximum permitted by the kernel\u0027s 1/4 limit)\nthen the stack occupies the address 0x80000000, and the PIE is mapped\nabove the address 0x40000000 instead, directly below the libraries. \nThis vulnerability effectively nullifies the offset2lib patch, and\nallows us to reuse our Debian 8 exploit against Debian 9 and 10. \n\n$ ./Linux_offset2lib\nRun #1... 
\nCVE-2017-1000370 triggered\n40076000-40078000 r-xp 00000000 00:26 25041 /tmp/Linux_offset2lib\n40078000-40079000 r--p 00001000 00:26 25041 /tmp/Linux_offset2lib\n40079000-4009b000 rw-p 00002000 00:26 25041 /tmp/Linux_offset2lib\n4009b000-400c0000 r-xp 00000000 fd:00 8463588 /usr/lib/ld-2.24.so\n400c0000-400c1000 r--p 00024000 fd:00 8463588 /usr/lib/ld-2.24.so\n400c1000-400c2000 rw-p 00025000 fd:00 8463588 /usr/lib/ld-2.24.so\n400c2000-400c4000 r--p 00000000 00:00 0 [vvar]\n400c4000-400c6000 r-xp 00000000 00:00 0 [vdso]\n400c6000-400c8000 rw-p 00000000 00:00 0\n400cf000-402a3000 r-xp 00000000 fd:00 8463595 /usr/lib/libc-2.24.so\n402a3000-402a4000 ---p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so\n402a4000-402a6000 r--p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so\n402a6000-402a7000 rw-p 001d6000 fd:00 8463595 /usr/lib/libc-2.24.so\n402a7000-402aa000 rw-p 00000000 00:00 0\n7fcf1000-bfcf2000 rw-p 00000000 00:00 0 [stack]\n\nCaveats\n\n- On Fedora and CentOS, this ld.so \"hwcap\" exploit fails against\n /usr/bin/passwd and /usr/bin/chage (but it works against all other\n SUID-root binaries) because of SELinux:\n\ntype=AVC msg=audit(1492091008.983:414): avc: denied { execute } for pid=2169 comm=\"passwd\" path=\"/var/tmp/a\" dev=\"dm-0\" ino=12828063 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0\n\ntype=AVC msg=audit(1492092997.581:487): avc: denied { execute } for pid=2648 comm=\"chage\" path=\"/var/tmp/a\" dev=\"dm-0\" ino=12828063 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0\n\n- It fails against recent versions of Sudo that specify an RPATH such as\n \"/usr/lib/sudo\": _dl_map_object() first searches for our LD_AUDIT\n library in RPATH, but open_path() fails to find our library in\n \"/usr/lib/sudo//../tmp/\" and crashes as soon as it reaches an\n overwritten hwcap-pointer. 
\n\n This problem can be solved by a 16-byte pattern \"///../../../tmp/\"\n (instead of the 8-byte pattern \"/../tmp/\") but the exploit\u0027s\n probability of success would be divided by two. \n\n- On Ubuntu, this ld.so \"hwcap\" exploit always fails, because of the\n following patch:\n\nDescription: pro-actively disable LD_AUDIT for setuid binaries, regardless\n of where the libraries are loaded from. This is to try to make sure that\n CVE-2010-3856 cannot sneak back in. Upstream is unlikely to take this,\n since it limits the functionality of LD_AUDIT. \nAuthor: Kees Cook \u003ckees@ubuntu.com\u003e\n\nIndex: eglibc-2.15/elf/rtld.c\n===================================================================\n--- eglibc-2.15.orig/elf/rtld.c 2012-05-09 10:05:29.456899131 -0700\n+++ eglibc-2.15/elf/rtld.c 2012-05-09 10:38:53.952009069 -0700\n@@ -2529,7 +2529,7 @@\n while ((p = (strsep) (\u0026str, \":\")) != NULL)\n if (p[0] != \u0027\\0\u0027\n \u0026\u0026 (__builtin_expect (! __libc_enable_secure, 1)\n- || strchr (p, \u0027/\u0027) == NULL))\n+ ))\n {\n /* This is using the local malloc, not the system malloc. The\n memory can never be freed. */\n\n========================================================================\nIV.1.4. ld.so \".dynamic\" exploit\n========================================================================\n\nTo exploit ld.so without the LD_AUDIT memory leak, we rely on a second\nvulnerability that we discovered in the offset2lib patch\n(CVE-2017-1000371):\n\nif we set RLIMIT_STACK to RLIM_INFINITY, and allocate nearly 1GB of\nstack memory (the maximum permitted by the kernel\u0027s 1/4 limit on the\nargument and environment strings) then the stack grows down to almost\n0x80000000, and because the PIE is mapped above 0x80000000, the minimum\ndistance between the end of the PIE\u0027s read-write segment and the start\nof the stack is 4KB (the stack guard-page). \n\n$ ./Linux_offset2lib 0x3f800000\nRun #1... \nRun #2... \nRun #3... \nRun #796... 
\nRun #797... \nRun #798... \nCVE-2017-1000371 triggered\n4007b000-400a0000 r-xp 00000000 fd:00 8463588 /usr/lib/ld-2.24.so\n400a0000-400a1000 r--p 00024000 fd:00 8463588 /usr/lib/ld-2.24.so\n400a1000-400a2000 rw-p 00025000 fd:00 8463588 /usr/lib/ld-2.24.so\n400a2000-400a4000 r--p 00000000 00:00 0 [vvar]\n400a4000-400a6000 r-xp 00000000 00:00 0 [vdso]\n400a6000-400a8000 rw-p 00000000 00:00 0\n400af000-40283000 r-xp 00000000 fd:00 8463595 /usr/lib/libc-2.24.so\n40283000-40284000 ---p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so\n40284000-40286000 r--p 001d4000 fd:00 8463595 /usr/lib/libc-2.24.so\n40286000-40287000 rw-p 001d6000 fd:00 8463595 /usr/lib/libc-2.24.so\n40287000-4028a000 rw-p 00000000 00:00 0\n8000a000-8000c000 r-xp 00000000 00:26 25041 /tmp/Linux_offset2lib\n8000c000-8000d000 r--p 00001000 00:26 25041 /tmp/Linux_offset2lib\n8000d000-8002f000 rw-p 00002000 00:26 25041 /tmp/Linux_offset2lib\n80030000-bf831000 rw-p 00000000 00:00 0 [heap]\n\nNote: in this example, the \"[stack]\" is incorrectly displayed as the\n\"[heap]\" by show_map_vma() (in fs/proc/task_mmu.c). 
\n\nThis completes Step 1: we clash the stack with the PIE\u0027s read-write\nsegment; we complete the remaining steps as in the \"hwcap\" exploit:\n\n- Step 2: we consume the initial stack expansion with 128KB of argv[]\n and envp[] pointers;\n\n- Step 3: we jump over the stack guard-page and into the PIE\u0027s\n read-write segment with llp_tmp\u0027s alloca() (in _dl_init_paths());\n\n- Step 4b: we smash the PIE\u0027s read-write segment with llp_tmp\u0027s\n good-write and bad-write (in _dl_init_paths()); we can smash the\n following sections:\n\n + .data and .bss: but we discarded this application-specific approach;\n\n + .got: although protected by Full RELRO (Full RELocate Read-Only,\n GNU_RELRO and BIND_NOW) the .got is still writable when we smash it\n in _dl_init_paths(); however, within ld.so, the .got is written to\n but never read from, and we therefore discarded this approach;\n\n + .dynamic: our favored approach. \n\nOn i386, the .dynamic section is an array of Elf32_Dyn structures (an\nint32 d_tag, and the union of uint32 d_val and uint32 d_ptr) that\ncontains entries such as:\n\n- DT_STRTAB, a pointer to the PIE\u0027s .dynstr section (a read-only string\n table): its d_tag (DT_STRTAB) is read (by elf_get_dynamic_info())\n before we smash it in _dl_init_paths(), but its d_ptr is read (by\n _dl_map_object_deps()) after we smash it in _dl_init_paths();\n\n- DT_NEEDED, an offset into the .dynstr section: the pathname of a\n dependent library that must be loaded by _dl_map_object_deps(). 
\n\nIf we overwrite the entire .dynamic section with the following 8-byte\npattern (an Elf32_Dyn structure):\n\n- a DT_NEEDED d_tag,\n\n- a d_val equal to half the address of our own string table on the stack\n (16MB of argument strings, enough to defeat the 8MB stack\n randomization),\n\nthen _dl_map_object_deps() reads the pathname of this dependent library\nfrom DT_STRTAB.d_ptr + DT_NEEDED.d_val = our_strtab/2 + our_strtab/2 =\nour_strtab, and loads our own library, as root. This 8-byte pattern is\nsimple, but poses two problems:\n\n- DT_NEEDED is an int32 equal to 1, but we smash the .dynamic section\n with a string copy that cannot contain null-bytes: to solve this first\n problem we use DT_AUXILIARY instead, which is equivalent but equal to\n 0x7ffffffd;\n\n- ld.so crashes before it returns from dl_main() (before it calls\n _dl_init() and executes our library\u0027s _init() constructor):\n\n . in _dl_map_object_deps() because of our DT_AUXILIARY entry;\n\n . in version_check_doit() because we overwrote the DT_VERNEED entry;\n\n . in _dl_relocate_object() because we overwrote the DT_REL, DT_RELSZ,\n and DT_RELCOUNT entries. \n\nTo solve this second problem, we could overwrite the .dynamic section\nwith a more complicated pattern that repairs these entries, but our\nexploit\u0027s probability of success would decrease significantly. \n\nInstead, we take control of ld.so\u0027s execution flow as soon as\n_dl_map_object_deps() loads our library:\n\n- our library contains three executable LOAD segments,\n\n- but only the first and last segments are sanity-checked by\n _dl_map_object_from_fd() and _dl_map_segments(),\n\n- and all segments except the first are mmap()ed with MAP_FIXED by\n _dl_map_segments(),\n\n- so we can mmap() our second segment anywhere -- we mmap() it on top of\n ld.so\u0027s executable segment,\n\n- and return into our own code (instead of ld.so\u0027s) as soon as this\n second mmap() system-call returns. 
\n\nProbabilities\n\nThe \"hwcap\" exploit taught us that this \".dynamic\" exploit\u0027s probability\nof success depends on:\n\n- the size of the cushion below the .dynamic section, which can absorb\n the excess of \"good-write\" without crashing: the padding bytes between\n the start of the PIE\u0027s read-write segment and the start of its first\n read-write section;\n\n- the size of the cushion above the .dynamic section, which can absorb\n the excess of \"good-write\" and \"bad-write\" without crashing: the .got,\n .data, and .bss sections. \n\nIf we guarantee that (cushion above .dynamic \u003e good-write + bad-write),\nthen the theoretical probability of success is approximately:\n\nMIN(cushion below .dynamic, good-write) / max stack randomization\n\nThe maximum size of the cushion below the .dynamic section is 4KB (one\npage) and hence the maximum probability of success is 4KB/8MB=1/2048. \nIn practice, on Ubuntu 16.04.2:\n\n- the highest probability is 1/2589 (/bin/su) and the lowest probability\n is 1/9225 (/usr/lib/eject/dmcrypt-get-device);\n\n- each run uses 1GB of memory and takes 1.5 seconds (on a 4GB Virtual\n Machine);\n\n- this ld.so \".dynamic\" exploit has a good chance of obtaining a\n root-shell after 2589 * 1.5 seconds ~= 1 hour. \n\n========================================================================\nIV.1.5. /bin/su\n========================================================================\n\nAs we were drafting this advisory, we discovered a general method for\ncompleting Step 1 (Clash) of the stack-clash exploitation: the Linux\nkernel limits the size of the command-line arguments and environment\nvariables to 1/4 of the RLIMIT_STACK, but it imposes this limit on the\nargument and environment strings, not on the argv[] and envp[] pointers\nto these strings (CVE-2017-1000365). 
\n\nOn i386, if we set RLIMIT_STACK to RLIM_INFINITY, the maximum number of\nargv[] and envp[] pointers is 1G (1/4 of the RLIMIT_STACK, divided by\n1B, the minimum size of an argument or environment string). In theory,\nthe maximum size of the initial stack is therefore 1G*(1B+4B)=5GB. In\npractice, this would exhaust the address-space, which allows us to clash\nthe stack with the memory region that is mapped below, without an\napplication-specific memory leak. \n\nThis discovery allowed us to write alternative versions of our\nstack-clash exploits; for example:\n\n- an ld.so \"hwcap\" exploit against Ubuntu: we replace the LD_AUDIT\n memory leak with 2GB of stack memory (1GB of argument and environment\n strings, and 1GB of argv[] and envp[] pointers) and replace the\n LD_AUDIT library with an LD_PRELOAD library;\n\n- an ld.so \".dynamic\" exploit against systems vulnerable to offset2lib:\n we reach the end of the PIE\u0027s read-write segment with only 128MB of\n stack memory (argument and environment strings and pointers). \n\nThese proofs-of-concept demonstrate a general method for completing Step\n1 (Clash), but they are much slower than their original versions (10-20\nseconds per run) because they pass millions of argv[] and envp[]\npointers to execve(). 
\n\nMoreover, this discovery allowed us to exploit SUID binaries through\ngeneral methods that do not depend on application-specific or ld.so\nvulnerabilities; if a SUID binary calls setlocale(LC_ALL, \"\"); and\ngettext() (or a derivative such as strerror() or _()), then it is\nexploitable:\n\n- Step 1: we clash the stack with the heap through millions of argument\n and environment strings and pointers;\n\n- Step 2: we consume the initial stack expansion with 128KB of argument\n and environment pointers;\n\n- Step 3: we jump over the stack guard-page and into the heap with the\n alloca()tion of the LANGUAGE environment variable in gettext();\n\n- Step 4a: we smash the stack with the malloc()ation of the\n OUTPUT_CHARSET environment variable in gettext() and thus gain control\n of eip. \n\nFor example, we exploited Debian\u0027s /bin/su (from the shadow-utils): its\nmain() function calls setlocale() and save_caller_context(), which calls\ngettext() (through _()) if its stdin is not a tty. \n\nDebian 8.5\n\nDebian 8.5 is vulnerable to CVE-2016-3672: we set RLIMIT_STACK to\nRLIM_INFINITY and disable ASLR, clash the stack with the heap through\n2GB of argument and environment strings and pointers (1GB of strings,\n1GB of pointers), and return-into-libc\u0027s system() or __libc_dlopen():\n\n- the system() version uses 4GB of memory (2GB in the /bin/su process,\n and 2GB in the process fork()ed by system());\n\n- the __libc_dlopen() version uses only 2GB of memory, but ebp must\n point to our smashed data on the stack. \n\nDebian 8.6\n\nDebian 8.6 is vulnerable to offset2lib but not to CVE-2016-3672: we must\nbrute-force the libc\u0027s ASLR (8 bits of entropy), but we clash the stack\nwith the heap through only 128MB of argument and environment strings and\npointers -- this /bin/su exploit can be parallelized. \n\n========================================================================\nIV.1.6. 
Grsecurity/PaX\n========================================================================\n\nhttps://grsecurity.net/\n\nIn 2010, grsecurity/PaX introduced a configurable stack guard-page: its\nsize can be modified through /proc/sys/vm/heap_stack_gap and is 64KB by\ndefault (unlike the hard-coded 4KB stack guard-page in the vanilla\nkernel). \n\nUnfortunately, a 64KB stack guard-page is not large enough, and can be\njumped over with ld.so or gettext() (CVE-2017-1000377); for example, we\nwere able to gain eip control against Sudo, but we were unable to obtain\na root-shell or gain eip control against another application, because\ngrsecurity/PaX imposes the following security measures:\n\n- it restricts the RLIMIT_STACK of SUID binaries to 8MB, which prevents\n us from switching to the legacy bottom-up mmap() layout (Step 1);\n\n- it restricts the argument and environment strings to 512KB, which\n prevents us from clashing the stack through megabytes of command-line\n arguments and environment variables (Step 1);\n\n- it randomizes the PIE and libraries with 16 bits of entropy (instead\n of 8 bits in vanilla), which prevents us from brute-forcing the ASLR\n and returning-into-libc (Step 4a);\n\n- it implements /proc/sys/kernel/grsecurity/deter_bruteforce (enabled by\n default), which limits the number of SUID crashes to 1 every 15\n minutes (all Steps) and makes exploitation impossible. 
\n\nSudo\n\nThe vulnerability that we discovered in Sudo\u0027s get_process_ttyname()\n(CVE-2017-1000367) allows us to:\n\n- Step 1: clash the stack with 3GB of heap memory from the filesystem\n (directory pathnames) and bypass grsecurity/PaX\u0027s 512KB limit on the\n argument and environment strings;\n\n- Step 2: consume the 128KB of initial stack expansion with 3MB of\n recursive function calls and avoid grsecurity/PaX\u0027s 8MB restriction on\n the RLIMIT_STACK;\n\n- Step 3: jump over grsecurity/PaX\u0027s 64KB stack guard-page with a 128KB\n (MAX_ARG_STRLEN) alloca()tion of the LANGUAGE environment variable in\n gettext();\n\n- Step 4a: smash the stack with a 128KB (MAX_ARG_STRLEN) malloc()ation\n of the OUTPUT_CHARSET environment variable in gettext() -- the\n \"smashing-chunk\" -- and thus gain control of eip. \n\nIn Step 1, we nearly exhaust the address-space until finally malloc()\nswitches from brk() to 1MB mmap()s and reaches the start of the stack\nwith the very last 1MB mmap() that we allocate. The exact amount of\nmemory that we must allocate to reach the stack with our last 1MB mmap()\ndepends on the sum of three random variables: the 256MB randomization of\nthe stack, the 64MB randomization of the heap, and the 1MB randomization\nof the NULL region. 
\n\nTo maximize the probability of jumping over the stack guard-page, into\nour last 1MB mmap() below the stack, and overwriting a return-address on\nthe stack with our smashing-chunk:\n\n- (Step 1) we must allocate the mean amount of memory to reach the stack\n with our last 1MB mmap(): the sum of three uniform random variables is\n not uniform (https://en.wikipedia.org/wiki/Irwin-Hall_distribution),\n but the values within the 256MB-64MB-1MB=191MB plateau at the center\n of this bell-shaped probability distribution occur with a uniform and\n maximum probability of (1MB*64MB)/(1MB*64MB*256MB)=1/256MB;\n\n- (Step 1) the end of our last 1MB mmap() must be allocated at a\n distance within [stack guard-page (64KB), guard-page jump (128KB)]\n below the start of the stack: the guard-page jump (Step 3) then lands\n at a distance d within [0, guard-page jump - stack guard-page (64KB)]\n below the end of our last 1MB mmap();\n\n- (Step 4a) the end of our smashing-chunk must be allocated at the end\n of our last 1MB mmap(), above the landing-point of the guard-page\n jump: our smashing-chunk then overwrites a return-address on the\n stack, below the landing-point of the guard-page jump. 
\n\nIn theory, this probability is roughly:\n\nSUM(d = 1; d \u003c guard-page jump - stack guard-page; d++) d / (256MB*1MB)\n\n ~= ((guard-page jump - stack guard-page)^2 / 2) / (256MB*1MB)\n\n ~= 1 / 2^17\n\nIn practice, we tested this Sudo proof-of-concept on an i386 Debian 8.6\nprotected by the linux-grsec package from the jessie-backports, but we\nmanually disabled /proc/sys/kernel/grsecurity/deter_bruteforce:\n\n- it uses 3GB of memory, and 800K on-disk inodes;\n\n- it takes 5.5 seconds per run (on a 4GB Virtual Machine);\n\n- it has a good chance of gaining eip control after 2^17 * 5.5 seconds =\n 200 hours; in our test:\n\nPAX: From 192.168.56.1: execution attempt in: \u003cheap\u003e, 1b068000-a100d000 1b068000\nPAX: terminating task: /usr/bin/sudo( 1 ):25465, uid/euid: 1000/0, PC: 41414141, SP: b8844f30\nPAX: bytes at PC: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41\nPAX: bytes at SP-4: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141\n\nHowever, brute-forcing the ASLR to obtain a root-shell would take ~1500\nyears and makes exploitation impossible. \n\nMoreover, if we enable /proc/sys/kernel/grsecurity/deter_bruteforce,\ngaining eip control would take ~1365 days, and obtaining a root-shell\nwould take thousands of years. \n\n========================================================================\nIV.1.7. 64-bit exploitation\n========================================================================\n\nIntroduction\n\nThe address-space of a 64-bit process is so vast that we initially\nthought it was impossible to clash the stack with another memory region;\nwe were wrong. \n\nLinux\u0027s execve() first randomizes the end of the mmap region (which\ngrows top-down by default) and then randomizes the end of the stack\nregion (which grows down, on x86). 
On amd64, the initial mmap-stack\ndistance (between the end of the mmap region and the end of the stack\nregion) is minimal when RLIMIT_STACK is lower than or equal to MIN_GAP\n(mmap_base() in arch/x86/mm/mmap.c), and then:\n\n- the end of the mmap region is equal to (as calculated by\n arch_pick_mmap_layout() in arch/x86/mm/mmap.c):\n\n mmap_end = TASK_SIZE - MIN_GAP - arch_mmap_rnd()\n\n where:\n\n . TASK_SIZE is the highest address of the user-space (0x7ffffffff000)\n\n . MIN_GAP = 128MB + stack_maxrandom_size()\n\n . stack_maxrandom_size() is ~16GB (or ~4GB if the kernel is vulnerable\n to CVE-2015-1593, but we do not consider this case here)\n\n . arch_mmap_rnd() is a random variable in the [0B,1TB] range\n\n- the end of the stack region is equal to (as calculated by\n randomize_stack_top() in fs/binfmt_elf.c):\n\n stack_end = TASK_SIZE - \"stack_rand\"\n\n where:\n\n . \"stack_rand\" is a random variable in the [0, stack_maxrandom_size()]\n range\n\n- the initial mmap-stack distance is therefore equal to:\n\n stack_end - mmap_end = MIN_GAP + arch_mmap_rnd() - \"stack_rand\"\n\n = 128MB + stack_maxrandom_size() - \"stack_rand\" + arch_mmap_rnd()\n\n = 128MB + StackRand + MmapRand\n\n where:\n\n . StackRand = stack_maxrandom_size() - \"stack_rand\", a random variable\n in the [0B,16GB] range\n\n . MmapRand = arch_mmap_rnd(), a random variable in the [0B,1TB] range\n\nConsequently, the minimum initial mmap-stack distance is only 128MB\n(CVE-2017-1000379), and:\n\n- On kernels vulnerable to offset2lib, the heap of a PIE (which is\n mapped at the end of the mmap region) is mapped below and close to the\n stack with a good probability (~1/700). We can therefore clash the\n stack with the heap in Step 1, jump over the stack guard-page and into\n the heap in Step 3, and smash the stack with the heap and gain control\n of rip in Step 4a (after 6 hours on average). 
However, because the\n addresses of all executable regions contain null-bytes, and because\n most of our stack-smashes in Step 4a are string operations (except the\n getaddrinfo() method), we were unable to transform such a rip control\n into arbitrary code execution. \n\n- On all kernels, either a PIE or ld.so is mapped directly below the\n stack with a good probability (~1/17000) -- the end of the PIE\u0027s or\n ld.so\u0027s read-write segment is then equal to the start of the stack\n guard-page. We can therefore adapt our ld.so \"hwcap\" exploit to amd64\n and obtain root privileges through most SUID binaries on most Linux\n distributions (after 5 hours on average). \n\nKernels vulnerable to offset2lib, local Exim proof-of-concept\n\nExim\u0027s binary is usually a PIE, mapped at the end of the mmap region;\nand the heap, which always grows up and is randomized above the end of\nthe binary, is therefore randomized above the end of the mmap region\n(arch_randomize_brk() in arch/x86/kernel/process.c):\n\n heap_start = mmap_end + \"heap_rand\"\n\nwhere \"heap_rand\" is a random variable in the [0B,32MB] range\n(negligible and ignored here). For example, on Debian 8.5:\n\n# cat /proc/\"`pidof -s /usr/sbin/exim4`\"/maps\n... 
\n7fa6410d6000-7fa6411c8000 r-xp 00000000 08:01 14574 /usr/sbin/exim4\n7fa6413b4000-7fa6413bd000 rw-p 00000000 00:00 0\n7fa6413c5000-7fa6413c7000 rw-p 00000000 00:00 0\n7fa6413c7000-7fa6413c9000 r--p 000f1000 08:01 14574 /usr/sbin/exim4\n7fa6413c9000-7fa6413d2000 rw-p 000f3000 08:01 14574 /usr/sbin/exim4\n7fa6413d2000-7fa6413d7000 rw-p 00000000 00:00 0\n7fa641b34000-7fa641b76000 rw-p 00000000 00:00 0 [heap]\n7ffdf3e53000-7ffdf3ed6000 rw-p 00000000 00:00 0 [stack]\n7ffdf3f3c000-7ffdf3f3e000 r-xp 00000000 00:00 0 [vdso]\n7ffdf3f3e000-7ffdf3f40000 r--p 00000000 00:00 0 [vvar]\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n\nTo reach the start of the stack with the end of the heap (through the -p\nmemory leak in Exim) in Step 1 of our stack-clash, we must minimize the\ninitial heap-stack distance, and hence the initial mmap-stack distance,\nand set RLIMIT_STACK to MIN_GAP (~16GB). This limits the size of our -p\nargument strings on the stack to 16GB/4=4GB, and because we then leak\nthe same amount of heap memory through -p, the initial heap-stack\ndistance must be:\n\n- longer than 4GB (the stack must be able to contain the -p argument\n strings);\n\n- shorter than 8GB (the end of the heap must be able to reach the start\n of the stack during the -p memory leak). 
\n\nThe initial heap-stack distance (approximately the initial mmap-stack\ndistance, 128MB + StackRand + MmapRand, but we ignore the 128MB term\nhere) follows a trapezoidal Irwin-Hall distribution, and the [4GB,8GB]\nrange is within the first non-uniform area of this trapezoid, so the\nprobability that the initial heap-stack distance is in this range is:\n\n SUM(d = 4GB; d \u003c 8GB; d++) d / (16GB * 1TB)\n\n = SUM(d = 0; d \u003c 4GB; d++) (4GB + d) / (16GB * 1TB)\n\n = SUM(d = 0; d \u003c 2^32; d++) (2^32 + d) / (2^34 * 2^40)\n\n ~= ((2^32)*(2^32) + (2^32)*(2^32) / 2) / (2^74)\n\n ~= 3 / 2^11\n\n ~= 1 / 682\n\nThe probability of gaining rip control after the heap reaches the stack\nis ~1/16 (as calculated by a 64-bit version of the small helper program\npresented in IV.1.1.), and the final probability of gaining rip control\nwith our local Exim proof-of-concept is:\n\n (3 / 2^11) * (1/16) ~= 1 / 10922\n\nOn our 8GB Debian 8.7 test machine, this proof-of-concept takes roughly\n2 seconds per run, and has a good chance of gaining rip control after\n10922 * 2 seconds ~= 6 hours:\n\n# gdb /usr/sbin/exim4 core.6049\nGNU gdb (Debian 7.7.1+dfsg-5) 7.7.1\n... \nThis GDB was configured as \"x86_64-linux-gnu\". \nCore was generated by `/usr/sbin/exim4 -p0000000000000000000000000000000000000000000000000000000000000\u0027. \nProgram terminated with signal SIGSEGV, Segmentation fault. \n#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:41\n41 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. \n(gdb) x/i $rip\n=\u003e 0x7ffab1be7061 \u003c__memcpy_sse2_unaligned+65\u003e: retq\n(gdb) x/xg $rsp\n0x7ffb9b294a48: 0x4141414141414141\n\nKernels vulnerable to offset2lib, ld.so \".dynamic\" exploit\n\nSince kernels vulnerable to offset2lib map PIEs below and close to the\nstack, we tried to adapt our ld.so \".dynamic\" exploit to amd64. 
MIN_GAP\nguarantees a minimum distance of 128MB between the theoretical end of\nthe mmap region and the end of the stack, but the stack then grows down\nto store the argument and environment strings, and may therefore occupy\nthe theoretical end of the mmap region (where nothing has been mapped\nyet). Consequently, the end of the mmap region (where the PIE will be\nmapped) slides down to the first available address, directly below the\nstack guard-page and the initial stack expansion (described in II.3.2.):\n\n7ffbb7e51000-7ffbb7e53000 r-xp 00000000 fd:03 4465810 /tmp/test64\n... \n7ffbb8053000-7ffbb808c000 rw-p 00002000 fd:03 4465810 /tmp/test64\n7ffbb808d000-7ffc180ae000 rw-p 00000000 00:00 0 [heap]\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n\nNote: in this example, the \"[stack]\" is, again, incorrectly displayed as\nthe \"[heap]\" by show_map_vma() (in fs/proc/task_mmu.c). \n\nThis layout is ideal for our stack-clash exploits, but poses an\nunexpected problem: because the PIE is mapped directly below the stack,\nthe stack cannot grow anymore, and the only free stack space is the\ninitial stack expansion (128KB) minus the argv[] and envp[] pointers\n(which are stored there, as mentioned in II.3.2.):\n\n- on the one hand, many argv[] and envp[] pointers, and hence many\n argument and environment strings, result in a higher probability of\n mapping the PIE directly below the stack;\n\n- on the other hand, many argv[] and envp[] pointers consume most of the\n initial stack expansion and do not leave enough free stack space for\n ld.so to operate. \n\nIn practice, we pass 96KB of argv[] pointers to execve(), thus leaving\n32KB of free stack space for ld.so, and since the size of a pointer is\n8B, and the maximum size of an argument string is 128KB, we also pass\n96KB/8B*128KB=1.5GB of argument strings to execve(). 
The resulting\nprobability of mapping the PIE directly below the stack is:\n\n SUM(s = 0; s \u003c 1.5GB - 128MB; s++) s / (16GB * 1TB)\n\n ~= ((1.5GB - 128MB)^2 / 2) / (16GB * 1TB)\n\n ~= 1 / 17331\n\nOn a 4GB Virtual Machine, each run takes 1 second, and 17331 runs take\nroughly 5 hours. But we cannot add more uncertainty to this exploit, and\nbecause of the problems discussed in IV.1.4. (null-bytes in DT_NEEDED,\nbut also in DT_AUXILIARY on 64-bit, etc), we were unable to overwrite\nthe .dynamic section with a pattern that does not significantly decrease\nthis exploit\u0027s probability of success. \n\nAll kernels, ld.so \"hwcap\" exploit\n\nDespite this failure, we had an intuition: when the PIE is mapped\ndirectly below the stack, the stack layout should be deterministic --\nrsp should point into the 128KB of initial stack expansion, at a 32KB\noffset above the start of the stack, and the only entropy should be the\n8KB of sub-page randomization within the stack (arch_align_stack() in\narch/x86/kernel/process.c). 
The following output of our small test\nprogram confirmed this intuition (the fourth field is the distance\nbetween the start of the stack and our main()\u0027s rsp when the PIE is\nmapped directly below the stack):\n\n$ grep -w sp test64.out | sort -nk4\nsp 0x7ffbc271ff38 -\u003e 28472\nsp 0x7ffbb95ccff8 -\u003e 28664\nsp 0x7ffbaf062678 -\u003e 30328\nsp 0x7ffbb08736e8 -\u003e 30440\nsp 0x7ffbbc616d18 -\u003e 32024\nsp 0x7ffbc1a0fdb8 -\u003e 32184\nsp 0x7ffbb9c28ff8 -\u003e 32760\nsp 0x7ffbdbf4c178 -\u003e 33144\nsp 0x7ffbb39bc1c8 -\u003e 33224\nsp 0x7ffbebb86838 -\u003e 34872\n\nSurprisingly, the output of this test program contained additional\nvaluable information:\n\n7ffbb7e51000-7ffbb7e53000 r-xp 00000000 fd:03 4465810 /tmp/test64\n7ffbb8034000-7ffbb8037000 rw-p 00000000 00:00 0\n7ffbb804d000-7ffbb804e000 rw-p 00000000 00:00 0\n7ffbb804e000-7ffbb8050000 r--p 00000000 00:00 0 [vvar]\n7ffbb8050000-7ffbb8052000 r-xp 00000000 00:00 0 [vdso]\n7ffbb8052000-7ffbb8053000 r--p 00001000 fd:03 4465810 /tmp/test64\n7ffbb8053000-7ffbb808c000 rw-p 00002000 fd:03 4465810 /tmp/test64\n7ffbb808d000-7ffc180ae000 rw-p 00000000 00:00 0 [heap]\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n\n- the distance between the end of the read-execute segment of our test\n program and the start of its read-only and read-write segments is\n approximately 2MB; indeed, for every ELF on amd64:\n\n$ readelf -a /usr/bin/su | grep -wA1 LOAD\n LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000\n 0x00000000000061b4 0x00000000000061b4 R E 200000\n LOAD 0x0000000000006888 0x0000000000206888 0x0000000000206888\n 0x0000000000000798 0x00000000000007d0 RW 200000\n\n$ readelf -a /lib64/ld-linux-x86-64.so.2 | grep -wA1 LOAD\n LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000\n 0x000000000001fad0 0x000000000001fad0 R E 200000\n LOAD 0x000000000001fb60 0x000000000021fb60 0x000000000021fb60\n 0x000000000000141c 0x00000000000015e8 RW 200000\n\n- several objects are 
actually mapped inside this ~2MB hole: [vdso],\n [vvar], and two anonymous mappings (7ffbb804d000-7ffbb804e000 and\n 7ffbb8034000-7ffbb8037000). \n\nThis discovery allowed us to adapt our ld.so \"hwcap\" exploit to amd64:\n\n- we choose hardware-capabilities that are small enough to be mapped\n inside this ~2MB hole, but large enough to defeat the 8KB sub-page\n randomization of the stack;\n\n- we jump over the stack guard-page, and over the read-only and\n read-write segments of the PIE, and exploit ld.so as we did on i386. \n\nThis exploit\u0027s probability of success is therefore 1 when the PIE is\nmapped directly below the stack, and its final probability of success is\n~1/17331: it takes 1 second per run, and has a good chance of obtaining\na root-shell after 5 hours. Moreover, it works on all kernels: if a SUID\nbinary is not a PIE, or if the kernel is not vulnerable to offset2lib,\nwe simply jump over ld.so\u0027s read-write segment, instead of the PIE\u0027s. \nFor example, on Fedora 25, when the exploit succeeds and loads our own\nlibrary /var/tmp/a (the 7ffbabbef000-7ffbabca7000 mapping contains the\nhardware-capabilities that we smash):\n\n55a0c9e8d000-55a0c9e91000 r-xp 00000000 fd:00 112767 /usr/libexec/cockpit-polkit\n55a0ca091000-55a0ca093000 rw-p 00004000 fd:00 112767 /usr/libexec/cockpit-polkit\n7ffbab603000-7ffbab604000 r-xp 00000000 fd:00 4866583 /var/tmp/a\n7ffbab604000-7ffbab803000 ---p 00001000 fd:00 4866583 /var/tmp/a\n7ffbab803000-7ffbab804000 r--p 00000000 fd:00 4866583 /var/tmp/a\n7ffbab804000-7ffbaba86000 rw-p 00000000 00:00 0\n7ffbaba86000-7ffbabaab000 r-xp 00000000 fd:00 4229637 /usr/lib64/ld-2.24.so\n7ffbabbef000-7ffbabca7000 rw-p 00000000 00:00 0\n7ffbabca7000-7ffbabca9000 r--p 00000000 00:00 0 [vvar]\n7ffbabca9000-7ffbabcab000 r-xp 00000000 00:00 0 [vdso]\n7ffbabcab000-7ffbabcad000 rw-p 00025000 fd:00 4229637 /usr/lib64/ld-2.24.so\n7ffbabcad000-7ffbabcae000 rw-p 00000000 00:00 0\n7ffbabcaf000-7ffc0bcf0000 rw-p 00000000 00:00 0 
[stack]\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]\n\n========================================================================\nIV.2. OpenBSD\n========================================================================\n\n========================================================================\nIV.2.1. Maximum RLIMIT_STACK vulnerability (CVE-2017-1000372)\n========================================================================\n\nThe OpenBSD kernel limits the maximum size of the user-space stack\n(RLIMIT_STACK) to MAXSSIZ (32MB); the execve() system-call allocates a\nMAXSSIZ memory region for the stack and divides it in two:\n\n- the second part, effectively the user-space stack, is mapped\n PROT_READ|PROT_WRITE at the end of this stack memory region, and\n occupies RLIMIT_STACK bytes (by default 8MB for root processes, and\n 4MB for user processes);\n\n- the first part, effectively a large stack guard-page, is mapped\n PROT_NONE at the start of this stack memory region, and occupies\n MAXSSIZ - RLIMIT_STACK bytes. \n\nUnfortunately, we discovered that if an attacker sets RLIMIT_STACK to\nMAXSSIZ, he eliminates the PROT_NONE part of the stack region, and hence\nthe stack guard-page itself (CVE-2017-1000372). For example:\n\n# sh -c \u0027ulimit -S -s; procmap -a -P\u0027\n8192\nStart End Size Offset rwxpc RWX I/W/A Dev Inode - File\n... \n14cf6000-14cfafff 20k 00000000 r-xp+ (rwx) 1/0/0 00:03 52375 - /usr/sbin/procmap [0xdb29ce10]\n... \n84a7b000-84a7bfff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]\ncd7db000-cefdafff 24576k 00000000 ---p+ (rwx) 1/0/0 00:00 0 - [ stack ]\ncefdb000-cf7cffff 8148k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]\ncf7d0000-cf7dafff 44k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]\n total 10348k\n\n# sh -c \u0027ulimit -S -s `ulimit -H -s`; procmap -a -P\u0027\nStart End Size Offset rwxpc RWX I/W/A Dev Inode - File\n... 
\n1a47f000-1a483fff 20k 00000000 r-xp+ (rwx) 1/0/0 00:03 52375 - /usr/sbin/procmap [0xdb29ce10]\n... \n8a3c8000-8a3c9fff 8k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]\ncd7c9000-cf7bffff 32732k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]\ncf7c0000-cf7c8fff 36k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]\n total 33992k\n\nA remote attacker cannot exploit this vulnerability, because he cannot\nmodify RLIMIT_STACK; but a local attacker can set RLIMIT_STACK to\nMAXSSIZ, and:\n\n- Step 1: malloc()ate almost 2GB of heap memory, until the heap reaches\n the start of the stack region;\n\n- Steps 2 and 3: consume MAXSSIZ (32MB) of stack memory, until the\n stack-pointer reaches the start of the stack region (Step 2) and moves\n into the heap (Step 3);\n\n- Step 4: smash the stack with the heap (Step 4a) or smash the heap with\n the stack (Step 4b). \n\n========================================================================\nIV.2.2. Recursive qsort() vulnerability (CVE-2017-1000373)\n========================================================================\n\nTo complete Step 2, a recursive function is needed, and the first\npossibly recursive function that we investigated is qsort(). On the one\nhand, glibc\u0027s _quicksort() function (in stdlib/qsort.c) is non-recursive\n(iterative): it uses a small, specialized stack of partition structures\n(two pointers, low and high), and guarantees that no more than 32\npartitions (on i386) or 64 partitions (on amd64) are pushed onto this\nstack, because it always pushes the larger of two sub-partitions and\niterates on the smaller partition. \n\nOn the other hand, BSD\u0027s qsort() function is recursive: it always\nrecurses on the first sub-partition, and iterates on the second\nsub-partition; but instead, it should always recurse on the smaller\nsub-partition, and iterate on the larger sub-partition (CVE-2017-1000373\nin OpenBSD, CVE-2017-1000378 in NetBSD, and CVE-2017-1082 in FreeBSD). 
\n\nIn theory, because BSD\u0027s qsort() is not randomized, an attacker can\nconstruct a pathological input array of N elements that causes qsort()\nto deterministically recurse N times. In practice, because this qsort()\nuses the median-of-three medians-of-three selection of a pivot element\n(the \"ninther\"), our attack constructs an input array of N elements that\ncauses qsort() to recurse N/4 times. \n\n========================================================================\nIV.2.3. /usr/bin/at proof-of-concept\n========================================================================\n\n/usr/bin/at is SGID-crontab (which can be escalated to full root\nprivileges) because it must be able to create (\"at -t\"), list (\"at -l\"),\nand remove (\"at -r\") job-files in the /var/cron/atjobs directory:\n\n-r-xr-sr-x 4 root crontab 31376 Jul 26 2016 /usr/bin/at\ndrwxrwx--T 2 root crontab 512 Jul 26 2016 /var/cron/atjobs\n\nTo demonstrate that OpenBSD\u0027s RLIMIT_STACK and qsort() vulnerabilities\ncan be transformed into powerful primitives such as heap corruption, we\ndeveloped a proof-of-concept against \"at -l\" (the list_jobs() function):\n\n- Step 1 (Clash): first, list_jobs() malloc()ates an atjob structure for\n each file in /var/cron/atjobs -- if we create 40M job-files, then the\n heap reaches the stack, but we do not exhaust the address-space;\n\n- Steps 2 and 3 (Run and Jump): second, list_jobs() qsort()s the\n malloc()ated jobs -- if we construct their time-stamps with our\n qsort() attack, then we can cause qsort() to recurse 40M/4=10M times\n and consume at least 10M*4B=40MB of stack memory (each recursive call\n to qsort() consumes at least 4B, the return-address) and move the\n stack-pointer into the heap;\n\n- Step 4b (Smash the heap with the stack): last, list_jobs() free()s the\n malloc()ated jobs, and abort()s with an error message -- OpenBSD\u0027s\n hardened malloc() implementation detects that the heap has been\n corrupted by the last recursive 
calls to qsort(). \n\nThis naive version of our /usr/bin/at proof-of-concept poses two major\nproblems:\n\n- Our pathological input array of N=40M elements cannot be sorted (Step\n 2 never finishes because it exhibits qsort()\u0027s worst-case behavior,\n N^2). To solve this problem, we divide the input array in two:\n\n . the first, pathological part contains only n=(33MB/176B)*4=768K\n elements that are needed to complete Steps 2 and 3, and cause\n qsort() to recurse n/4 times and consume (n/4)*176B=33MB of stack\n memory (MAXSSIZ+1MB) as each recursive call to qsort() consumes 176B\n of stack memory;\n\n . the second, innocuous part contains the remaining N-n=39M elements\n that are needed to complete Step 1, but not Steps 2 and 3, and are\n therefore swapped into the second, iterative partition of the first\n recursive call to qsort(). \n\n- We were unable to create 40M files in /var/cron/atjobs: after one\n week, OpenBSD\u0027s default filesystem (ffs) had created only 4M files,\n and the rate of file creation had dropped from 25 files/second to 4\n files/second. We did not solve this problem, but nevertheless wanted\n to validate our proof-of-concept:\n\n . we transformed it into an LD_PRELOAD library that intercepts calls\n to readdir() and fstatat(), and pretends that our 40M files in\n /var/cron/atjobs exist;\n\n . we made /var/cron/atjobs world-readable and LD_PRELOADed our library\n into a non-SGID copy of /usr/bin/at;\n\n . after about an hour, \"at\" reports random heap corruptions:\n\n# chmod o+r /var/cron/atjobs\n# chmod o+r /var/cron/at.deny\n\n$ ulimit -c 0\n$ ulimit -S -d `ulimit -H -d`\n$ ulimit -S -s `ulimit -H -s`\n$ ulimit -S -a\n... \ncoredump(blocks) 0\ndata(kbytes) 3145728\nstack(kbytes) 32768\n... \n$ cp /usr/bin/at . 
\n\n$ LD_PRELOAD=./OpenBSD_at.so ./at -l -v -q x \u003e /dev/null\ninitializing jobkeys\nfinalizing jobkeys\nreading jobs\n10%\n20%\n30%\n40%\n50%\n60%\n70%\n80%\n90%\n100%\nsorting jobs\nat(78717) in free(): error: chunk info corrupted\nAbort trap\n\n$ LD_PRELOAD=./OpenBSD_at.so ./at -l -v -q x \u003e /dev/null\ninitializing jobkeys\nfinalizing jobkeys\nreading jobs\n10%\n20%\n30%\n40%\n50%\n60%\n70%\n80%\n90%\n100%\nsorting jobs\nat(14184) in free(): error: modified chunk-pointer 0xcd6d0120\nAbort trap\n\n========================================================================\nIV.3. NetBSD\n========================================================================\n\nLike OpenBSD, NetBSD is vulnerable to the maximum RLIMIT_STACK\nvulnerability (CVE-2017-1000374): if a local attacker sets RLIMIT_STACK\nto MAXSSIZ, he eliminates the PROT_NONE part of the stack region -- the\nstack guard-page itself. Unlike OpenBSD, however, NetBSD:\n\n- defines MAXSSIZ to 64MB on i386 (128MB on amd64);\n\n- maps the run-time link-editor ld.so directly below the stack region,\n even if ASLR is enabled (CVE-2017-1000375):\n\n$ sh -c \u0027ulimit -S -s; pmap -a -P\u0027\n2048\nStart End Size Offset rwxpc RWX I/W/A Dev Inode - File\n08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 21706 - /usr/bin/pmap [0xc5c8f0b8]\n... \nbbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580]\nbbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]\nbbc00000-bf9fffff 63488k 00000000 ---p+ (rwx) 1/0/0 00:00 0 - [ stack ]\nbfa00000-bfbeffff 1984k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]\nbfbf0000-bfbfffff 64k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]\n total 9528k\n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; pmap -a -P\u0027\nStart End Size Offset rwxpc RWX I/W/A Dev Inode - File\n08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 21706 - /usr/bin/pmap [0xc5c8f0b8]\n... 
\nbbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580]\nbbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]\nbbc00000-bfbeffff 65472k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]\nbfbf0000-bfbfffff 64k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]\n total 73016k\n\n# cp /usr/bin/pmap . \n# paxctl +A ./pmap\n# sh -c \u0027ulimit -S -s `ulimit -H -s`; ./pmap -a -P\u0027\nStart End Size Offset rwxpc RWX I/W/A Dev Inode - File\n08048000-0804dfff 24k 00000000 r-xp+ (rwx) 1/0/0 00:00 172149 - /tmp/pmap [0xc5cb3c64]\n... \nbbbee000-bbbfefff 68k 00000000 r-xp+ (rwx) 1/0/0 00:00 107525 - /libexec/ld.elf_so [0xc535f580]\nbbbff000-bbbfffff 4k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ anon ]\nbbc00000-bf1bffff 55040k 00000000 rw-p+ (rwx) 1/0/0 00:00 0 - [ stack ]\nbf1c0000-bf1cefff 60k 00000000 rw-p- (rwx) 1/0/0 00:00 0 - [ stack ]\n total 62580k\n\nConsequently, a local attacker can set RLIMIT_STACK to MAXSSIZ,\neliminate the stack guard-page, and:\n\n- skip Step 1, because ld.so\u0027s read-write segment is naturally mapped\n directly below the stack region;\n\n- Steps 2 and 3: consume 64MB (MAXSSIZ) of stack memory (for example,\n through the recursive qsort() vulnerability, CVE-2017-1000378) until\n the stack-pointer reaches the start of the stack region (Step 2) and\n moves into ld.so\u0027s read-write segment (Step 3);\n\n- Step 4b: smash ld.so\u0027s read-write segment with the stack. \n\nWe did not try to exploit this vulnerability, nor did we search for a\nvulnerable SUID or SGID binary, but we wrote a simple proof-of-concept,\nand some of the following crashes may be exploitable:\n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; ./NetBSD_CVE-2017-1000375 0x04000000\u0027\n[1] Segmentation fault ./NetBSD_CVE-201... \n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; ./NetBSD_CVE-2017-1000375 0x03000000\u0027\n\n... 
\n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; ./NetBSD_CVE-2017-1000375 0x03ec5000\u0027\n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; ./NetBSD_CVE-2017-1000375 0x03ec5400\u0027\n[1] Segmentation fault ./NetBSD_CVE-201... \n\n$ sh -c \u0027ulimit -S -s `ulimit -H -s`; gdb ./NetBSD_CVE-2017-1000375\u0027\nGNU gdb (GDB) 7.7.1\n... \n(gdb) run 0x03ec5400\nProgram received signal SIGSEGV, Segmentation fault. \n0xbbbf448d in _rtld_symlook_default () from /usr/libexec/ld.elf_so\n(gdb) x/i $eip\n=\u003e 0xbbbf448d \u003c_rtld_symlook_default+185\u003e: mov %edx,(%esi,%edi,4)\n(gdb) info registers\nesi 0xbabae890 -1162155888\nedi 0x0 0\n... \n(gdb) run 0x03ec5800\nProgram received signal SIGSEGV, Segmentation fault. \n0xbbbf4465 in _rtld_symlook_default () from /usr/libexec/ld.elf_so\n(gdb) x/i $eip\n=\u003e 0xbbbf4465 \u003c_rtld_symlook_default+145\u003e: mov 0x4(%ecx),%edx\n(gdb) info registers\necx 0x41414141 1094795585\n... \n(gdb) run 0x03ec5c00\nProgram received signal SIGSEGV, Segmentation fault. \n0xbbbf4408 in _rtld_symlook_default () from /usr/libexec/ld.elf_so\n(gdb) x/i $eip\n=\u003e 0xbbbf4408 \u003c_rtld_symlook_default+52\u003e: mov (%eax),%esi\n(gdb) info registers\neax 0x41414141 1094795585\n... \n\n========================================================================\nIV.4. FreeBSD\n========================================================================\n\n========================================================================\nIV.4.1. setrlimit() RLIMIT_STACK vulnerability (CVE-2017-1085)\n========================================================================\n\nFreeBSD\u0027s kern_proc_setrlimit() function contains the following comment\nand code:\n\n /*\n * Stack is allocated to the max at exec time with only\n * \"rlim_cur\" bytes accessible. If stack limit is going\n * up make more accessible, if going down make inaccessible. \n */\n if (limp-\u003erlim_cur != oldssiz.rlim_cur) {\n ... 
\n if (limp-\u003erlim_cur \u003e oldssiz.rlim_cur) {\n prot = p-\u003ep_sysent-\u003esv_stackprot;\n size = limp-\u003erlim_cur - oldssiz.rlim_cur;\n addr = p-\u003ep_sysent-\u003esv_usrstack -\n limp-\u003erlim_cur;\n } else {\n prot = VM_PROT_NONE;\n size = oldssiz.rlim_cur - limp-\u003erlim_cur;\n addr = p-\u003ep_sysent-\u003esv_usrstack -\n oldssiz.rlim_cur;\n }\n ... \n (void)vm_map_protect(\u0026p-\u003ep_vmspace-\u003evm_map,\n addr, addr + size, prot, FALSE);\n }\n\nOpenBSD\u0027s and NetBSD\u0027s dosetrlimit() function contains the same comment,\nwhich accurately describes the layout of their user-space stack region. \nUnfortunately, FreeBSD\u0027s kern_proc_setrlimit() comment and code are\nincorrect, as hinted at in exec_new_vmspace():\n\n/*\n * Destroy old address space, and allocate a new stack\n * The new stack is only SGROWSIZ large because it is grown\n * automatically in trap.c. \n */\n\nand vm_map_stack_locked():\n\n /*\n * We initially map a stack of only init_ssize. We will grow as\n * needed later. \n\nwhere init_ssize is SGROWSIZ (128KB), not MAXSSIZ (64MB on i386),\nbecause \"init_ssize = (max_ssize \u003c growsize) ? max_ssize : growsize;\"\n(and max_ssize is MAXSSIZ, and growsize is SGROWSIZ). \n\nAs a result, if a program calls setrlimit() to increase RLIMIT_STACK,\nvm_map_protect() may turn a read-only memory region below the stack into\na read-write region (CVE-2017-1085), as demonstrated by the following\nproof-of-concept:\n\n% ./FreeBSD_CVE-2017-1085\nSegmentation fault\n\n% ./FreeBSD_CVE-2017-1085 setrlimit to the max\nchar at 0xbd155000: 41\n\n========================================================================\nIV.4.2. Stack guard-page disabled by default (CVE-2017-1083)\n========================================================================\n\nThe FreeBSD kernel implements a 4KB stack guard-page, and recent\nversions of the FreeBSD Installer offer it as a system hardening option. 
\nUnfortunately, it is disabled by default (CVE-2017-1083):\n\n% sysctl security.bsd.stack_guard_page\nsecurity.bsd.stack_guard_page: 0\n\n========================================================================\nIV.4.3. Stack guard-page vulnerabilities (CVE-2017-1084)\n========================================================================\n\n- If FreeBSD\u0027s stack guard-page is enabled, its entire logic is\n implemented in vm_map_growstack(): this function guarantees a minimum\n distance of 4KB (the stack guard-page) between the start of the stack\n and the end of the memory region that is mapped below (but the stack\n guard-page is not physically mapped into the address-space). \n\n Unfortunately, this guarantee is given only when the stack grows down\n and clashes with the memory region mapped below, but not if the memory\n region mapped below grows up and clashes with the stack: this\n vulnerability effectively eliminates the stack guard-page\n (CVE-2017-1084). In our proof-of-concept:\n\n . we allocate anonymous mmap()s of 4KB, until the end of an anonymous\n mmap() reaches the start of the stack [Step 1];\n\n . we call a recursive function until the stack-pointer reaches the\n start of the stack and moves into the anonymous mmap() directly\n below [Step 2];\n\n . but we do not jump over the stack guard-page, because each call to\n the recursive function allocates (and fully writes to) a 1KB\n stack-based buffer [Step 3];\n\n . and we do not crash into the stack guard-page, because CVE-2017-1084\n has effectively eliminated the stack guard-page in Step 1. \n\n# sysctl security.bsd.stack_guard_page=1\nsecurity.bsd.stack_guard_page: 0 -\u003e 1\n\n% ./FreeBSD_CVE-2017-FGPU\nchar at 0xbfbde000: 41\n\n- vm_map_growstack() implements most of the stack guard-page logic in\n the following code:\n\n /*\n * Growing downward. 
\n */\n /* Get the preliminary new entry start value */\n addr = stack_entry-\u003estart - grow_amount;\n\n /*\n * If this puts us into the previous entry, cut back our\n * growth to the available space. Also, see the note above. \n */\n if (addr \u003c end) {\n stack_entry-\u003eavail_ssize = max_grow;\n addr = end;\n if (stack_guard_page)\n addr += PAGE_SIZE;\n }\n\n where:\n\n . addr is the new start of the stack;\n\n . stack_entry-\u003estart is the old start of the stack;\n\n . grow_amount is the size of the stack expansion;\n\n . end is the end of the memory region below the stack. \n\n Unfortunately, the \"addr \u003c end\" test should be \"addr \u003c= end\": if addr,\n the new start of the stack, is equal to end, the end of the memory\n region mapped below, then the stack guard-page is eliminated\n (CVE-2017-1084). In our proof-of-concept:\n\n . we allocate anonymous mmap()s of 4KB, until the end of an anonymous\n mmap() reaches a randomly chosen distance below the start of the\n stack [Step 1];\n\n . we call a recursive function until the stack-pointer reaches the\n start of the stack, and the stack expansion reaches the end of the\n anonymous mmap() below [Step 2];\n\n . we do not jump over the stack guard-page, because each call to the\n recursive function allocates (and fully writes to) a 1KB stack-based\n buffer [Step 3];\n\n . and we crash into the stack guard-page most of the time;\n\n . but we survive with a probability of 4KB/128KB=1/32 (grow_amount is\n always a multiple of SGROWSIZ, 128KB) because CVE-2017-1084 has\n effectively eliminated the stack guard-page in Step 2. \n\n% sysctl security.bsd.stack_guard_page\nsecurity.bsd.stack_guard_page: 1\n\n% sh -c \u0027while true; do ./FreeBSD_CVE-2017-FGPE; done\u0027\nSegmentation fault\nchar at 0xbe45e000: 41; final dist 6097 (24778705)\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... 
\nSegmentation fault\nSegmentation fault\nSegmentation fault\nchar at 0xbd25e000: 41; final dist 7036 (43654012)\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... \nSegmentation fault\nSegmentation fault\nSegmentation fault\nchar at 0xbd29e000: 41; final dist 5331 (43390163)\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... \n\n In contrast, if FreeBSD\u0027s stack guard-page is disabled, our\n proof-of-concept always survives:\n\n# sysctl security.bsd.stack_guard_page=0\nsecurity.bsd.stack_guard_page: 1 -\u003e 0\n\n% sh -c \u0027while true; do ./FreeBSD_CVE-2017-FGPE; done\u0027\nchar at 0xbe969000: 41; final dist 89894 (19488550)\nchar at 0xbfa6d000: 41; final dist 74525 (1647389)\nchar at 0xbf4df000: 41; final dist 78 (7471182)\nchar at 0xbe9e4000: 41; final dist 112397 (18986765)\nchar at 0xbf693000: 41; final dist 49811 (5685907)\nchar at 0xbf533000: 41; final dist 51037 (7128925)\nchar at 0xbd799000: 41; final dist 26043 (38167995)\nchar at 0xbd54b000: 11; final dist 83754 (40585002)\nchar at 0xbe176000: 41; final dist 36992 (27824256)\nchar at 0xbfa91000: 41; final dist 57449 (1499241)\nchar at 0xbd1b9000: 41; final dist 26115 (44328451)\nchar at 0xbd1c8000: 41; final dist 94852 (44266116)\nchar at 0xbf73a000: 41; final dist 22276 (5003012)\nchar at 0xbe6b1000: 41; final dist 58854 (22341094)\nchar at 0xbeb81000: 41; final dist 124727 (17295159)\nchar at 0xbfb35000: 41; final dist 43174 (829606)\n... \n\n- FreeBSD\u0027s thread library (libthr) mmap()s a secondary PROT_NONE stack\n guard-page at a distance RLIMIT_STACK below the end of the stack:\n\n# sysctl security.bsd.stack_guard_page=1\nsecurity.bsd.stack_guard_page: 0 -\u003e 1\n\n% sh -c \u0027exec procstat -v $$\u0027\n PID START END PRT RES PRES REF SHD FLAG TP PATH\n 2779 0x8048000 0x8050000 r-x 8 8 1 0 CN-- vn /usr/bin/procstat\n... 
\n 2779 0x28400000 0x28800000 rw- 22 35 2 0 ---- df\n 2779 0xbfbdf000 0xbfbff000 rwx 3 3 1 0 ---D df\n 2779 0xbfbff000 0xbfc00000 r-x 1 1 23 0 ---- ph\n\n% sh -c \u0027LD_PRELOAD=libthr.so exec procstat -v $$\u0027\n PID START END PRT RES PRES REF SHD FLAG TP PATH\n 2798 0x8048000 0x8050000 r-x 8 8 1 0 CN-- vn /usr/bin/procstat\n... \n 2798 0x28400000 0x28800000 rw- 23 35 2 0 ---- df\n 2798 0xbbbfe000 0xbbbff000 --- 0 0 0 0 ---- --\n 2798 0xbfbdf000 0xbfbff000 rwx 3 3 1 0 ---D df\n 2798 0xbfbff000 0xbfc00000 r-x 1 1 23 0 ---- ph\n\n Unfortunately, this secondary stack guard-page does not mitigate the\n vulnerabilities that we discovered in FreeBSD\u0027s stack guard-page\n implementation:\n\n% sysctl security.bsd.stack_guard_page\nsecurity.bsd.stack_guard_page: 1\n\n% sh -c \u0027LD_PRELOAD=libthr.so ./FreeBSD_CVE-2017-FGPU\u0027\nchar at 0xbfbde000: 41\n\n% sh -c \u0027while true; do LD_PRELOAD=libthr.so ./FreeBSD_CVE-2017-FGPE; done\u0027\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... \nSegmentation fault\nSegmentation fault\nSegmentation fault\nchar at 0xbda5e000: 41; final dist 3839 (35262207)\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... \nSegmentation fault\nSegmentation fault\nSegmentation fault\nchar at 0xbdb1e000: 41; final dist 3549 (34475485)\nSegmentation fault\nSegmentation fault\nSegmentation fault\n... \n\n========================================================================\nIV.4.4. Remote exploitation\n========================================================================\n\nBecause FreeBSD\u0027s stack guard-page is disabled by default, we tried (and\nfailed) to remotely exploit a test service vulnerable to:\n\n- an unlimited memory leak that allows us to malloc()ate gigabytes of\n memory;\n\n- a limited recursion that allows us to allocate up to 1MB of stack\n memory. \n\nFreeBSD\u0027s malloc() implementation (jemalloc) mmap()s 4MB chunks of\nanonymous memory that are aligned on multiples of 4MB. 
The first 4MB\nmmap() chunk starts at 0x28400000, and the last 4MB mmap() chunk ends at\n0xbf800000, because the stack itself already ends at 0xbfc00000; but it\nis impossible to cover this final mmap-stack distance (almost 4MB) with\nthe limited recursion (1MB) of our test service. \nbreak(0x80499b0) = 0 (0x0)\nbreak(0x8400000) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 672845824 (0x281ad000)\nmmap(0x285ad000,2437120,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 677040128 (0x285ad000)\nmunmap(0x281ad000,2437120) = 0 (0x0)\nmmap(0x0,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 679477248 (0x28800000)\nmunmap(0x28c00000,4194304) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 683671552 (0x28c00000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 687865856 (0x29000000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 692060160 (0x29400000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 696254464 (0x29800000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 700448768 (0x29c00000)\n... 
\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1103101952 (0xbe400000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1098907648 (0xbe800000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1094713344 (0xbec00000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1090519040 (0xbf000000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = -1086324736 (0xbf400000)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x8800000) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x8c00000) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x9000000) = 0 (0x0)\n... \nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x27c00000) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x28000000) = 0 (0x0)\nmmap(0x0,4194304,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) ERR#12 \u0027Cannot allocate memory\u0027\nbreak(0x28400000) ERR#12 \u0027Cannot allocate memory\u0027\n\n========================================================================\nIV.5. Solaris \u003e= 11.1\n========================================================================\n\n========================================================================\nIV.5.1. 
Minimal RLIMIT_STACK vulnerability (CVE-2017-3630)\n========================================================================\n\nOn Solaris, ASLR can be enabled or disabled for each ELF binary with the\nSUNW_ASLR dynamic section entry (man elfedit):\n\n$ elfdump /usr/bin/rsh | egrep \u0027ASLR|NX\u0027\n [39] SUNW_ASLR 0x2 ENABLE\n [40] SUNW_NXHEAP 0x2 ENABLE\n [41] SUNW_NXSTACK 0x2 ENABLE\n\nWithout ASLR\n\nIf ASLR is disabled:\n\n- a stack region of size RLIMIT_STACK is reserved in the address-space;\n\n- a 4KB stack guard-page is mapped directly below this stack region;\n\n- the runtime linker ld.so is mapped directly below this stack\n guard-page. \n\n$ cp /usr/bin/sleep . \n$ chmod u+w ./sleep\n$ elfedit -e \u0027dyn:sunw_aslr disable\u0027 ./sleep\n\n$ sh -c \u0027ulimit -S -s; ./sleep 3 \u0026 pmap -r ${!}\u0027\n8192\n7176: ./sleep 3\n... \nFE7B1000 228K r-x---- /lib/ld.so.1\nFE7FA000 8K rwx---- /lib/ld.so.1\nFE7FC000 8K rwx---- /lib/ld.so.1\nFE7FF000 8192K rw----- [ stack ]\n total 17148K\n\n$ sh -c \u0027ulimit -S -s 64; ./sleep 3 \u0026 pmap -r ${!}\u0027\n7244: ./sleep 3\n... 
\nFEFA1000 228K r-x---- /lib/ld.so.1\nFEFEA000 8K rwx---- /lib/ld.so.1\nFEFEC000 8K rwx---- /lib/ld.so.1\nFEFEF000 64K rw----- [ stack ]\n total 9020K\n\nOn the one hand, a local attacker can exploit this simplified\nstack-clash:\n\n- Step 1 (Clash) is not needed, because ld.so is naturally mapped\n directly below the stack (the distance between the end of ld.so\u0027s\n read-write segment and the start of the stack is 4KB, the stack\n guard-page);\n\n- Step 2 (Run) is not needed, because a local attacker can set\n RLIMIT_STACK to just a few kilobytes, reserve a very small stack\n region, and hence shorten the distance between the stack-pointer and\n the start of the stack (and the end of ld.so\u0027s read-write segment);\n\n- Step 3 (Jump) can be completed with a large stack-based buffer that is\n not fully written to;\n\n- Step 4b (Smash) can be completed by overwriting the function pointers\n in ld.so\u0027s read-write segment with the contents of a stack-based\n buffer. \n\nSuch a simplified stack-clash exploit was first mentioned in Gael\nDelalleau\u0027s 2005 presentation (slide 30). \n\nOn the other hand, a remote attacker cannot modify RLIMIT_STACK and must\ncomplete Step 2 (Run) with a recursive function that consumes the 8MB\n(the default RLIMIT_STACK) between the stack-pointer and the start of\nthe stack. \n\nWith ASLR\n\nIf ASLR is enabled:\n\n- a stack region of size RLIMIT_STACK is reserved in the address-space;\n\n- a 4KB stack guard-page is mapped directly below this stack region;\n\n- the runtime linker ld.so is mapped below this stack guard-page, but at\n a random distance (within a [4KB,128MB] range) -- effectively a large,\n secondary stack guard-page. 
\n\nOn the one hand, a local attacker can run the simplified \"Without ASLR\"\nstack-clash exploit until the ld.so-stack distance is minimal -- with a\nprobability of 4KB/128MB=1/32K, the distance between the end of ld.so\u0027s\nread-write segment and the start of the stack is exactly 8KB: the stack\nguard-page plus the minimum distance between the stack guard-page and\nld.so (CVE-2017-3629). \n\nOn the other hand, a remote attacker must complete Step 2 (Run) with a\nrecursive function, and:\n\n- has a good chance of exploiting this stack-clash after 32K connections\n (when the ld.so-stack distance is minimal) if the remote service\n re-execve()s (re-randomizes the ld.so-stack distance for each new\n connection);\n\n- cannot exploit this stack-clash if the remote service does not\n re-execve() (does not re-randomize the ld.so-stack distance for each\n new connection) unless the attacker is able to restart the service,\n reboot the server, or target a 32K-server farm. \n\n========================================================================\nIV.5.2. /usr/bin/rsh exploit\n========================================================================\n\n/usr/bin/rsh is SUID-root and its main() function allocates a 50KB\nstack-based buffer that is not written to and can be used to jump over\nthe stack guard-page, into ld.so\u0027s read-write segment, in Step 3 of our\nsimplified stack-clash exploit. \n\nNext, we discovered a general method for gaining eip control in Step 4b:\nsetlocale(LC_ALL, \"\"), called by the main() function of /usr/bin/rsh and\nother SUID binaries, copies the LC_ALL environment variable to several\nstack-based buffers and thus smashes ld.so\u0027s read-write segment and\noverwrites some of ld.so\u0027s function pointers. 
\n\nLast, we execute our own shell-code: we return-into-binary (/usr/bin/rsh\nis not a PIE), to an instruction that reliably jumps into a copy of our\nLC_ALL environment variable in ld.so\u0027s read-write segment, which is in\nfact read-write-executable. For example, after we gain control of eip:\n\n- on Solaris 11.1, we return to a \"pop; pop; ret\" instruction, because a\n pointer to our shell-code is stored at an 8-byte offset from esp;\n\n- on Solaris 11.3, we return to a \"call *0xc(%ebp)\" instruction, because\n a pointer to our shell-code is stored at a 12-byte offset from ebp. \n\nOur Solaris exploit brute-forces the random ld.so-stack distance and two\nparameters:\n\n- the RLIMIT_STACK;\n\n- the length of the LC_ALL environment variable. \n\n========================================================================\nIV.5.3. Forced-Privilege vulnerability (CVE-2017-3631)\n========================================================================\n\n/usr/bin/rsh is SUID-root, but the shell that we obtained in Step 4b of\nour stack-clash exploit did not grant us full root privileges, only\nnet_privaddr, the privilege to bind to a privileged port number. \nDisappointed by this result, we investigated and found:\n\n$ ggrep -r /usr/bin/rsh /etc 2\u003e/dev/null\n/etc/security/exec_attr.d/core-os:Forced Privilege:solaris:cmd:RO::/usr/bin/rsh:privs=net_privaddr\n\n$ /usr/bin/rsh -h\n/usr/bin/rsh: illegal option -- h\nusage: rsh [ -PN / -PO ] [ -l login ] [ -n ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host command\n rsh [ -PN / -PO ] [ -l login ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host\n\n# cat truss.out\n... \n7319: execve(\"/usr/bin/rsh\", 0xA9479C548, 0xA94792808) argc = 2\n7319: *** FPRIV: P/E: net_privaddr ***\n... \n\nUnfortunately, this Forced-Privilege protection is based on the pathname\nof SUID-root binaries, which can be execve()d through hard-links, under\ndifferent pathnames (CVE-2017-3631). 
For example, we discovered that\nreadable SUID-root binaries can be execve()d through hard-links in\n/proc:\n\n$ sleep 3 \u003c /usr/bin/rsh \u0026 /proc/${!}/fd/0 -h\n[1] 7333\n/proc/7333/fd/0: illegal option -- h\nusage: rsh [ -PN / -PO ] [ -l login ] [ -n ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host command\n rsh [ -PN / -PO ] [ -l login ] [ -k realm ] [ -a ] [ -x ] [ -f / -F ] host\n\n# cat truss.out\n... \n7335: execve(\"/proc/7333/fd/0\", 0xA947CA508, 0xA94792808) argc = 2\n7335: *** SUID: ruid/euid/suid = 100 / 0 / 0 ***\n... \n\nThis vulnerability allows us to bypass the Forced-Privilege protection\nand obtain full root privileges with our /usr/bin/rsh exploit. \n\n\n========================================================================\nV. Acknowledgments\n========================================================================\n\nWe thank the members of the distros list, Oracle/Solaris, Exim, Sudo,\nsecurity@kernel.org, grsecurity/PaX, and OpenBSD. \n==========================================================================\nUbuntu Security Notice USN-3323-2\nJune 29, 2017\n\neglibc vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nGnu C library could be made to run programs as an administrator. This update provides the\ncorresponding update for Ubuntu 12.04 ESM. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\n libc6 2.15-0ubuntu10.20\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes. Description:\n\nRed Hat 3scale API Management Platform 2.0 is a platform for the management\nof access and traffic for web-based APIs across a variety of deployment\noptions. 
\n\nSecurity Fix(es):\n\n* It was found that RH-3scale AMP would permit creation of an access token\nwithout a client secret. An attacker could use this flaw to circumvent\nauthentication controls and gain access to restricted APIs. (CVE-2017-7512)\n\nThe underlying container image was also rebuilt to resolve other security\nissues.\n\nSolution:\n\nTo apply this security fix, use the updated docker images.\n\nBugs fixed (https://bugzilla.redhat.com/):\n\n1457997 - CVE-2017-7512 3scale AMP: validation bypass in oauth\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-1000366"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "BID",
"id": "99127"
},
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "VULMON",
"id": "CVE-2017-1000366"
},
{
"db": "PACKETSTORM",
"id": "142990"
},
{
"db": "PACKETSTORM",
"id": "142999"
},
{
"db": "PACKETSTORM",
"id": "142992"
},
{
"db": "PACKETSTORM",
"id": "143033"
},
{
"db": "PACKETSTORM",
"id": "143016"
},
{
"db": "PACKETSTORM",
"id": "143005"
},
{
"db": "PACKETSTORM",
"id": "143196"
},
{
"db": "PACKETSTORM",
"id": "143264"
}
],
"trust": 2.79
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=42276",
"trust": 0.3,
"type": "exploit"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-100094",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "VULMON",
"id": "CVE-2017-1000366"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2017-1000366",
"trust": 3.7
},
{
"db": "BID",
"id": "99127",
"trust": 2.1
},
{
"db": "MCAFEE",
"id": "SB10205",
"trust": 2.1
},
{
"db": "EXPLOIT-DB",
"id": "42274",
"trust": 1.8
},
{
"db": "EXPLOIT-DB",
"id": "42276",
"trust": 1.8
},
{
"db": "EXPLOIT-DB",
"id": "42275",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "154361",
"trust": 1.8
},
{
"db": "SECTRACK",
"id": "1038712",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.3313",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "142990",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "142992",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "142999",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "143196",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "143005",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "143205",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143001",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143207",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143201",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143225",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-100094",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2017-1000366",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143033",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143016",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143264",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "VULMON",
"id": "CVE-2017-1000366"
},
{
"db": "BID",
"id": "99127"
},
{
"db": "PACKETSTORM",
"id": "142990"
},
{
"db": "PACKETSTORM",
"id": "142999"
},
{
"db": "PACKETSTORM",
"id": "142992"
},
{
"db": "PACKETSTORM",
"id": "143033"
},
{
"db": "PACKETSTORM",
"id": "143016"
},
{
"db": "PACKETSTORM",
"id": "143005"
},
{
"db": "PACKETSTORM",
"id": "143196"
},
{
"db": "PACKETSTORM",
"id": "143264"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "NVD",
"id": "CVE-2017-1000366"
}
]
},
"id": "VAR-201706-0334",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
}
],
"trust": 0.01
},
"last_update_date": "2026-04-10T22:46:25.788000Z",
"patch": {
"_id": null,
"data": [
{
"title": "CVE-2017-1000366",
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/CVE-2017-1000366"
},
{
"title": "CVE-2017-1000366",
"trust": 0.8,
"url": "https://www.suse.com/security/cve/CVE-2017-1000366/"
},
{
"title": "SUSE products and a new security bug class referred to as \"Stack Clash\".",
"trust": 0.8,
"url": "https://www.suse.com/support/kb/doc/?id=7020973"
},
{
"title": "glibc Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71084"
},
{
"title": "Red Hat: Important: glibc security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171480 - Security Advisory"
},
{
"title": "Red Hat: Important: glibc security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171481 - Security Advisory"
},
{
"title": "Red Hat: Important: glibc security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171479 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat Container Development Kit 3.0.0 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171567 - Security Advisory"
},
{
"title": "Ubuntu Security Notice: eglibc, glibc vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3323-1"
},
{
"title": "Ubuntu Security Notice: eglibc vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3323-2"
},
{
"title": "Debian Security Advisories: DSA-3887-1 glibc -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=09de7cf27f70b4503f183a914f8b80ac"
},
{
"title": "Red Hat: Important: Red Hat 3scale API Management Platform 2.0.0 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171712 - Security Advisory"
},
{
"title": "Amazon Linux AMI: ALAS-2017-844",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-844"
},
{
"title": "Arch Linux Advisories: [ASA-201706-22] lib32-glibc: privilege escalation",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201706-22"
},
{
"title": "Arch Linux Advisories: [ASA-201706-23] glibc: privilege escalation",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201706-23"
},
{
"title": "Red Hat: CVE-2017-1000366",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-1000366"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-1000366"
},
{
"title": "Red Hat: Moderate: glibc security, bug fix, and enhancement update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20180805 - Security Advisory"
},
{
"title": "Brocade Security Advisories: BSA-2017-355",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=ceec973689010b3f9fce9a7f3e1542a1"
},
{
"title": "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins\u0026qid=f1373f5dee274fec5bdcbc4c7e701395"
},
{
"title": "IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches \u2013 Release 1801-za",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=8710e4e233940f7482a6adad4643a7a8"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=549dc795290b298746065b62b4bb7928"
},
{
"title": "ansible-everyday",
"trust": 0.1,
"url": "https://github.com/kaosagnt/ansible-everyday "
},
{
"title": "Exp101tsArchiv30thers",
"trust": 0.1,
"url": "https://github.com/nu11secur1ty/Exp101tsArchiv30thers "
},
{
"title": "awesome-cve-poc_qazbnm456",
"trust": 0.1,
"url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-1000366"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "NVD",
"id": "CVE-2017-1000366"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/99127"
},
{
"trust": 2.4,
"url": "https://access.redhat.com/security/cve/cve-2017-1000366"
},
{
"trust": 2.4,
"url": "http://www.debian.org/security/2017/dsa-3887"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/154361/cisco-device-hardcoded-credentials-gnu-glibc-busybox.html"
},
{
"trust": 2.3,
"url": "https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt"
},
{
"trust": 2.0,
"url": "https://access.redhat.com/errata/rhsa-2017:1481"
},
{
"trust": 1.9,
"url": "https://www.exploit-db.com/exploits/42276/"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/201706-19"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:1479"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:1480"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:1712"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/sep/7"
},
{
"trust": 1.8,
"url": "https://www.suse.com/security/cve/cve-2017-1000366/"
},
{
"trust": 1.8,
"url": "https://www.suse.com/support/kb/doc/?id=7020973"
},
{
"trust": 1.8,
"url": "https://www.exploit-db.com/exploits/42274/"
},
{
"trust": 1.8,
"url": "https://www.exploit-db.com/exploits/42275/"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2019/sep/7"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:1567"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1038712"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10205"
},
{
"trust": 1.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000366"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-1000366"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10960426"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10887793"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.3313/"
},
{
"trust": 0.6,
"url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10960426"
},
{
"trust": 0.3,
"url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=efa26d9c13a6fabd34a05139e1d8b2e441b2fae9"
},
{
"trust": 0.3,
"url": "http://www.gnu.org/software/libc/"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1452543"
},
{
"trust": 0.3,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=cve-2017-1000366"
},
{
"trust": 0.3,
"url": "https://www.oracle.com/technetwork/topics/security/linuxbulletinjul2017-3832368.html"
},
{
"trust": 0.3,
"url": "https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2017-3832369.html"
},
{
"trust": 0.3,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10205\u0026actp=null\u0026viewlocale=en_us\u0026showdraft=false\u0026platinum_status=false\u0026locale=en_us"
},
{
"trust": 0.3,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://www.ubuntu.com/usn/usn-3323-1"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/vulnerabilities/stackguard"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10205"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/3323-1/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/viewalert.x?alertid=54249"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/glibc/2.24-3ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu9"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/eglibc/2.19-0ubuntu6.13"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/glibc/2.24-9ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-6323"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5180"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2017-1000366"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6323"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5180"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html"
},
{
"trust": 0.1,
"url": "https://grsecurity.net/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000370"
},
{
"trust": 0.1,
"url": "http://cansecwest.com/core05/memory_vulns_delalleau.pdf"
},
{
"trust": 0.1,
"url": "https://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000373"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000371"
},
{
"trust": 0.1,
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1fd836dcf00d2028c700c7e44d2c23404062c90"
},
{
"trust": 0.1,
"url": "https://en.wikipedia.org/wiki/irwin-hall_distribution),"
},
{
"trust": 0.1,
"url": "https://grsecurity.net/features.php);"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2010-2240"
},
{
"trust": 0.1,
"url": "https://jon.oberheide.org/files/infiltrate12-thestackisback.pdf"
},
{
"trust": 0.1,
"url": "http://phrack.org/issues/63/14.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-2240"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000365"
},
{
"trust": 0.1,
"url": "http://www.gnu.org/software/cflow/);"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000376"
},
{
"trust": 0.1,
"url": "http://blog.exodusintel.com/2013/01/07/who-was-phone/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-3672"
},
{
"trust": 0.1,
"url": "https://jon.oberheide.org/blog/2010/11/29/exploiting-stack-overflows-in-the-linux-kernel/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000369"
},
{
"trust": 0.1,
"url": "http://www.invisiblethingslab.com/resources/misc-2010/xorg-large-memory-attacks.pdf"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1083"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000372"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1082"
},
{
"trust": 0.1,
"url": "https://www.ubuntu.com/usn/usn-3323-2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2017:1484"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-7512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2017:1365"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-1000364"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7502"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-1000364"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-7502"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-100094"
},
{
"db": "VULMON",
"id": "CVE-2017-1000366"
},
{
"db": "BID",
"id": "99127"
},
{
"db": "PACKETSTORM",
"id": "142990"
},
{
"db": "PACKETSTORM",
"id": "142999"
},
{
"db": "PACKETSTORM",
"id": "142992"
},
{
"db": "PACKETSTORM",
"id": "143033"
},
{
"db": "PACKETSTORM",
"id": "143016"
},
{
"db": "PACKETSTORM",
"id": "143005"
},
{
"db": "PACKETSTORM",
"id": "143196"
},
{
"db": "PACKETSTORM",
"id": "143264"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
},
{
"db": "NVD",
"id": "CVE-2017-1000366"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-100094",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2017-1000366",
"ident": null
},
{
"db": "BID",
"id": "99127",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "142990",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "142999",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "142992",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "143033",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "143016",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "143005",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "143196",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "143264",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005209",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2017-1000366",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2017-06-19T00:00:00",
"db": "VULHUB",
"id": "VHN-100094",
"ident": null
},
{
"date": "2017-06-19T00:00:00",
"db": "VULMON",
"id": "CVE-2017-1000366",
"ident": null
},
{
"date": "2017-06-19T00:00:00",
"db": "BID",
"id": "99127",
"ident": null
},
{
"date": "2017-06-19T23:52:57",
"db": "PACKETSTORM",
"id": "142990",
"ident": null
},
{
"date": "2017-06-19T23:54:30",
"db": "PACKETSTORM",
"id": "142999",
"ident": null
},
{
"date": "2017-06-19T23:53:10",
"db": "PACKETSTORM",
"id": "142992",
"ident": null
},
{
"date": "2017-06-20T22:26:23",
"db": "PACKETSTORM",
"id": "143033",
"ident": null
},
{
"date": "2017-06-20T00:36:06",
"db": "PACKETSTORM",
"id": "143016",
"ident": null
},
{
"date": "2017-06-19T23:55:23",
"db": "PACKETSTORM",
"id": "143005",
"ident": null
},
{
"date": "2017-06-30T06:41:55",
"db": "PACKETSTORM",
"id": "143196",
"ident": null
},
{
"date": "2017-07-06T20:26:00",
"db": "PACKETSTORM",
"id": "143264",
"ident": null
},
{
"date": "2017-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-808",
"ident": null
},
{
"date": "2017-07-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005209",
"ident": null
},
{
"date": "2017-06-19T16:29:00.310000",
"db": "NVD",
"id": "CVE-2017-1000366",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2020-10-15T00:00:00",
"db": "VULHUB",
"id": "VHN-100094",
"ident": null
},
{
"date": "2020-10-15T00:00:00",
"db": "VULMON",
"id": "CVE-2017-1000366",
"ident": null
},
{
"date": "2017-09-05T20:13:00",
"db": "BID",
"id": "99127",
"ident": null
},
{
"date": "2019-09-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-808",
"ident": null
},
{
"date": "2017-07-21T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005209",
"ident": null
},
{
"date": "2025-04-20T01:37:25.860000",
"db": "NVD",
"id": "CVE-2017-1000366",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "local",
"sources": [
{
"db": "BID",
"id": "99127"
},
{
"db": "PACKETSTORM",
"id": "142990"
},
{
"db": "PACKETSTORM",
"id": "142992"
},
{
"db": "PACKETSTORM",
"id": "143196"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
}
],
"trust": 1.2
},
"title": {
"_id": null,
"data": "glibc Buffer error vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005209"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201706-808"
}
],
"trust": 0.6
}
}
VAR-201602-0004
Vulnerability from variot - Updated: 2026-04-10 21:58
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module. GNU glibc is an open source C language compiler released under the LGPL license agreement. It is an implementation of the C library in the Linux operating system. An attacker can use the vulnerability to launch an attack on a Linux host or related devices by constructing a malicious DNS service or using a man-in-the-middle attack, which results in remote code execution and allows control of the user terminal to be obtained. There is a buffer error vulnerability in the 'send_dg' and 'send_vc' functions in the resolv/res_send.c file of glibc version 2.9 to 2.22.
Release Date: 2016-06-15 Last Updated: 2016-06-15
Potential Security Impact: Remote Arbitrary Code Execution, Denial of Service (DoS)
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY HP OneView has addressed stack based buffer overflows in glibc's implementation of getaddrinfo() and also a vulnerability in OpenSSL.
References:
- CVE-2015-7547 - glibc: Remote Arbitrary Code Execution, Denial of Service (DoS)
- CVE-2016-0705 - OpenSSL: Remote Denial of Service (DoS)
- PSRT110139, PSRT110061
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OneView version 1.1,1.2 and 2.0
BACKGROUND
CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2015-7547    (AV:N/AC:M/Au:N/C:P/I:P/A:P)    6.8
CVE-2016-0705    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has made the following software patch available to resolve the vulnerabilities with glibc and OpenSSL for HP OneView.
-
Upgrade HP OneView to patch version 2.00.07.
OneView patch version 2.00.07 is available from the following location:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=Z7550-63180
HISTORY Version:1 (rev.1) - 15 June 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
- Relevant releases/architectures:
RHEL 7-based RHEV-H - noarch RHEV Hypervisor for RHEL-6 - noarch
- Description:
The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.
A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)
This issue was discovered by the Google Security Team and Red Hat.
Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to these updated packages.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1293532 - CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow
- Package List:
RHEV Hypervisor for RHEL-6:
Source: rhev-hypervisor7-7.2-20160105.2.el6ev.src.rpm
noarch: rhev-hypervisor6-6.7-20160104.2.el6ev.noarch.rpm rhev-hypervisor7-7.2-20160105.2.el6ev.noarch.rpm
RHEL 7-based RHEV-H:
Source: rhev-hypervisor7-7.2-20160105.2.el7ev.src.rpm
noarch: rhev-hypervisor7-7.2-20160105.2.el7ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2015-7547 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/articles/2161461
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-3480-1 security@debian.org https://www.debian.org/security/ Florian Weimer February 16, 2016 https://www.debian.org/security/faq
Package : eglibc CVE ID : CVE-2014-8121 CVE-2015-1781 CVE-2015-7547 CVE-2015-8776 CVE-2015-8777 CVE-2015-8778 CVE-2015-8779 Debian Bug : 779587 796105 798316 801691 803927 812441 812445 812455
Several vulnerabilities have been fixed in the GNU C Library, eglibc.
The CVE-2015-7547 vulnerability listed below is considered to have critical impact.
CVE-2014-8121
Robin Hack discovered that the nss_files database did not
correctly implement enumeration interleaved with name-based or
ID-based lookups. This could cause the enumeration to enter an
endless loop, leading to a denial of service.
CVE-2015-1781
Arjun Shankar discovered that the _r variants of host name
resolution functions (like gethostbyname_r), when performing DNS
name resolution, suffered from a buffer overflow if a misaligned
buffer was supplied by the applications, leading to a crash or,
potentially, arbitrary code execution. Most applications are not
affected by this vulnerability because they use aligned buffers.
CVE-2015-7547
The Google Security Team and Red Hat discovered that the eglibc
host name resolver function, getaddrinfo, when processing
AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its
internal buffers, leading to a stack-based buffer overflow and
arbitrary code execution. This vulnerability affects most
applications which perform host name resolution using getaddrinfo,
including system services.
CVE-2015-8776
Adam Nielsen discovered that if an invalid separated time value
is passed to strftime, the strftime function could crash or leak
information. Applications normally pass only valid time
information to strftime; no affected applications are known.
CVE-2015-8777
Hector Marco-Gisbert reported that LD_POINTER_GUARD was not
ignored for SUID programs, enabling an unintended bypass of a
security feature. This update causes eglibc to always ignore the
LD_POINTER_GUARD environment variable.
CVE-2015-8778
Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r
functions did not check the size argument properly, leading to a
crash (denial of service) for certain arguments. No impacted
applications are known at this time.
CVE-2015-8779
The catopen function contains several unbound stack allocations
(stack overflows), causing it to crash the process (denial of
service). No applications where this issue has a security impact
are currently known.
The following fixed vulnerabilities currently lack CVE assignment:
Joseph Myers reported that an integer overflow in the
strxfrm can lead to heap-based buffer overflow, possibly allowing
arbitrary code execution. In addition, a fallback path in strxfrm
uses an unbounded stack allocation (stack overflow), leading to a
crash or erroneous application behavior.
Kostya Serebryany reported that the fnmatch function could skip
over the terminating NUL character of a malformed pattern, causing
an application calling fnmatch to crash (denial of service).
Joseph Myers reported that the IO_wstr_overflow function,
internally used by wide-oriented character streams, suffered from
an integer overflow, leading to a heap-based buffer overflow. On
GNU/Linux systems, wide-oriented character streams are rarely
used, and no affected applications are known.
Andreas Schwab reported a memory leak (memory allocation without a
matching deallocation) while processing certain DNS answers in
getaddrinfo, related to the _nss_dns_gethostbyname4_r function.
This vulnerability could lead to a denial of service.
While it is only necessary to ensure that all processes are not using the old eglibc anymore, it is recommended to reboot the machines after applying the security upgrade.
For the oldstable distribution (wheezy), these problems have been fixed in version 2.13-38+deb7u10.
We recommend that you upgrade your eglibc packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIcBAEBCgAGBQJWwy2CAAoJEAVMuPMTQ89EEk4P/jEoKqrIFx5+K5titipnU0wq jASxI7dQdvHz91CKl47mPfdzvnuH6MRHWzCNz6ngsSRLhqxQhF66beeIAI+EMoGx BzA9/WtpieNl80vWrmPRDuqf0kwFjxkzUI50jeQ2KoSZuP9AOGrlMG1olDL9dvDz W7avzgXZcd4JQ1W3A8cdfVQEOPZiszjap26CCtxmINRfigSDr25F5WMvY64DtNO7 SKDen2QOXhHoz5TdQJDq3PzuWqGppMq2ENSTuTH+1W94MJLQVSHglNo8uLBSuT8G Hd06TdA2SBB5E2V5i1BM1+z0++9LzBn2YzVIFY8AYTtksAiQcEDZS4swVA/r4aEK gHfgoAC/WcxvPxSMC9gJDx83b1JpB6Wnn9k8SIMBpEdAAJeWIjwFXyhzfO88G9ig l6dgCIAuTJLPCgiT/virNQFLJI0gilyKwSxx5UHv03Nfi03EXU1R/6cX+KllPzFZ N5mkR76MrL/hjDkdA0G494ubO6NDaDGCDgzMiLaP+Y6sDcF5ChmYMdJfji5f8AD8 kqEnTrL7B3/x9ePFg6gEAcmyzwJ8/Utg8c7Wmpc+LaK6OWN9QC79HSRYiIitNGIv 7NvHxPcLZn35pEhv68EwgKpmCa61EjFRrIGRcfRPDP8Yf08JEWm2q/zY9+XhBwDG edY4CgwM3CLvMCOl/4r2 =K3Zo -----END PGP SIGNATURE-----
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 2.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.21"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.11.1"
},
{
"_id": null,
"model": "unified threat management software",
"scope": "eq",
"trust": 1.0,
"vendor": "sophos",
"version": "9.355"
},
{
"_id": null,
"model": "linux enterprise debuginfo",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "15.10"
},
{
"_id": null,
"model": "enterprise linux hpc node eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.11"
},
{
"_id": null,
"model": "helion openstack",
"scope": "eq",
"trust": 1.0,
"vendor": "hp",
"version": "2.1.0"
},
{
"_id": null,
"model": "helion openstack",
"scope": "eq",
"trust": 1.0,
"vendor": "hp",
"version": "2.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.11.3"
},
{
"_id": null,
"model": "big-ip advanced firewall manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.17"
},
{
"_id": null,
"model": "linux enterprise desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "opensuse",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "13.2"
},
{
"_id": null,
"model": "big-ip local traffic manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.16"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.12.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.22"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.19"
},
{
"_id": null,
"model": "big-ip policy enforcement manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "big-ip access policy manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.18"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.20"
},
{
"_id": null,
"model": "exalogic infrastructure",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.0"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "12.04"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.9"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"_id": null,
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.10"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.11.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.15"
},
{
"_id": null,
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.12"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.14.1"
},
{
"_id": null,
"model": "helion openstack",
"scope": "eq",
"trust": 1.0,
"vendor": "hp",
"version": "1.1.1"
},
{
"_id": null,
"model": "big-ip domain name system",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "14.04"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.14"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.12.2"
},
{
"_id": null,
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"_id": null,
"model": "unified threat management software",
"scope": "eq",
"trust": 1.0,
"vendor": "sophos",
"version": "9.319"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"_id": null,
"model": "linux enterprise software development kit",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "big-ip application security manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "linux enterprise desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "exalogic infrastructure",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "2.0"
},
{
"_id": null,
"model": "big-ip application acceleration manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "12.0.0"
},
{
"_id": null,
"model": "linux enterprise software development kit",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "12"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.10.1"
},
{
"_id": null,
"model": "fujitsu m10",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "2290"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.13"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "server migration pack",
"scope": "eq",
"trust": 1.0,
"vendor": "hp",
"version": "7.5"
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "android open source",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "arista",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "blue coat",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "centos",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian gnu linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "gnu glibc",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "gentoo linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ubuntu",
"version": null
},
{
"_id": null,
"model": "glibc",
"scope": "gt",
"trust": 0.6,
"vendor": "gnu",
"version": "2.9"
},
{
"_id": null,
"model": "ape",
"scope": null,
"trust": 0.6,
"vendor": "siemens",
"version": null
},
{
"_id": null,
"model": "basic rt",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "v13"
},
{
"_id": null,
"model": "rox ii os",
"scope": "gte",
"trust": 0.6,
"vendor": "siemens",
"version": "v2.3.0\u003c=v2.9.0"
},
{
"_id": null,
"model": "scalance m-800 s615",
"scope": "eq",
"trust": 0.6,
"vendor": "siemens",
"version": "/"
},
{
"_id": null,
"model": "sinema remote connect",
"scope": "lt",
"trust": 0.6,
"vendor": "siemens",
"version": "v1.2"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "CNVD",
"id": "CNVD-2016-01100"
},
{
"db": "NVD",
"id": "CVE-2015-7547"
}
]
},
"credits": {
"_id": null,
"data": "HP",
"sources": [
{
"db": "PACKETSTORM",
"id": "137497"
},
{
"db": "PACKETSTORM",
"id": "136808"
},
{
"db": "PACKETSTORM",
"id": "136985"
},
{
"db": "PACKETSTORM",
"id": "136325"
},
{
"db": "PACKETSTORM",
"id": "137292"
},
{
"db": "PACKETSTORM",
"id": "136988"
}
],
"trust": 0.6
},
"cve": "CVE-2015-7547",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2015-7547",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"availabilityRequirement": "NOT DEFINED",
"baseScore": 10.0,
"collateralDamagePotential": "NOT DEFINED",
"confidentialityImpact": "COMPLETE",
"confidentialityRequirement": "NOT DEFINED",
"enviromentalScore": 8.1,
"exploitability": "PROOF-OF-CONCEPT",
"exploitabilityScore": 10.0,
"id": "CVE-2015-7547",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"integrityRequirement": "NOT DEFINED",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"remediationLevel": "TEMPORARY FIX",
"reportConfidence": "CONFIRMED",
"severity": "HIGH",
"targetDistribution": "HIGH",
"trust": 0.8,
"userInteractionRequired": null,
"vector_string": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CNVD-2016-01100",
"impactScore": 8.5,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-85508",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2015-7547",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-7547",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2015-7547",
"trust": 0.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2016-01100",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-85508",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "CNVD",
"id": "CNVD-2016-01100"
},
{
"db": "VULHUB",
"id": "VHN-85508"
},
{
"db": "NVD",
"id": "CVE-2015-7547"
}
]
},
"description": {
"_id": null,
"data": "Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing \"dual A/AAAA DNS queries\" and the libnss_dns.so.2 NSS module. GNU glibc is an open source C language compiler released under the LGPL license agreement. It is an implementation of the C library in the Linux operating system. An attacker can use the vulnerability to launch an attack on a Linux host or related devices by constructing a malicious DNS service or using a man-in-the-middle attack, which results in remote code execution and can be obtained. User terminal control. There is a buffer error vulnerability in the \u0027send_dg\u0027 and \u0027send_vc\u0027 functions in the resolv/res_send.c file of glibc version 2.9 to 2.22. \n\nRelease Date: 2016-06-15\nLast Updated: 2016-06-15\n\nPotential Security Impact: Remote Arbitrary Code Execution, Denial of Service\n(DoS)\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nHP OneView has addressed stack based buffer overflows in glibc\u0027s\nimplementation of getaddrinfo() and also a vulnerability in OpenSSL. \n\nReferences:\n\n - CVE-2015-7547 - glibc: Remote Arbitrary Code Execution, Denial of Service\n(DoS)\n - CVE-2016-0705 - OpenSSL: Remote Denial of Service (DoS)\n - PSRT110139, PSRT110061\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 
\nHP OneView version 1.1,1.2 and 2.0\n\nBACKGROUND\n\nCVSS 2.0 Base Metrics\n===========================================================\n Reference Base Vector Base Score\nCVE-2015-7547 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\nCVE-2016-0705 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\n===========================================================\n Information on CVSS is documented\n in HP Customer Notice: HPSN-2008-002\n\nRESOLUTION\n\nHPE has made the following software patch available to resolve the\nvulnerabilities with glibc and OpenSSL for HP OneView. \n\n - Upgrade HP OneView to patch version 2.00.07. \n\n OneView patch version 2.00.07 is available from the following location:\n\n https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNu\nmber=Z7550-63180\n\nHISTORY\nVersion:1 (rev.1) - 15 June 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. \n\nReport: To report a potential security vulnerability with any HPE supported\nproduct, send Email to: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. 
\n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners. \n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section. \n\n2. Relevant releases/architectures:\n\nRHEL 7-based RHEV-H - noarch\nRHEV Hypervisor for RHEL-6 - noarch\n\n3. Description:\n\nThe rhev-hypervisor package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: A subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent. 
\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions. \n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. (CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat. \n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to these updated packages. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1293532 - CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow\n\n6. Package List:\n\nRHEV Hypervisor for RHEL-6:\n\nSource:\nrhev-hypervisor7-7.2-20160105.2.el6ev.src.rpm\n\nnoarch:\nrhev-hypervisor6-6.7-20160104.2.el6ev.noarch.rpm\nrhev-hypervisor7-7.2-20160105.2.el6ev.noarch.rpm\n\nRHEL 7-based RHEV-H:\n\nSource:\nrhev-hypervisor7-7.2-20160105.2.el7ev.src.rpm\n\nnoarch:\nrhev-hypervisor7-7.2-20160105.2.el7ev.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-7547\nhttps://access.redhat.com/security/updates/classification/#critical\nhttps://access.redhat.com/articles/2161461\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2016 Red Hat, Inc. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3480-1 security@debian.org\nhttps://www.debian.org/security/ Florian Weimer\nFebruary 16, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : eglibc\nCVE ID : CVE-2014-8121 CVE-2015-1781 CVE-2015-7547 CVE-2015-8776 \n CVE-2015-8777 CVE-2015-8778 CVE-2015-8779\nDebian Bug : 779587 796105 798316 801691 803927 812441 812445 812455\n\nSeveral vulnerabilities have been fixed in the GNU C Library, eglibc. \n\nThe CVE-2015-7547 vulnerability listed below is considered to have\ncritical impact. \n\nCVE-2014-8121\n\n Robin Hack discovered that the nss_files database did not\n correctly implement enumeration interleaved with name-based or\n ID-based lookups. This could cause the enumeration enter an\n endless loop, leading to a denial of service. \n\nCVE-2015-1781\n\n Arjun Shankar discovered that the _r variants of host name\n resolution functions (like gethostbyname_r), when performing DNS\n name resolution, suffered from a buffer overflow if a misaligned\n buffer was supplied by the applications, leading to a crash or,\n potentially, arbitrary code execution. Most applications are not\n affected by this vulnerability because they use aligned buffers. \n\nCVE-2015-7547\n\n The Google Security Team and Red Hat discovered that the eglibc\n host name resolver function, getaddrinfo, when processing\n AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its\n internal buffers, leading to a stack-based buffer overflow and\n arbitrary code execution. This vulnerability affects most\n applications which perform host name resolution using getaddrinfo,\n including system services. 
\n\nCVE-2015-8776\n\n Adam Nielsen discovered that if an invalid separated time value\n is passed to strftime, the strftime function could crash or leak\n information. Applications normally pass only valid time\n information to strftime; no affected applications are known. \n\nCVE-2015-8777\n\n Hector Marco-Gisbert reported that LD_POINTER_GUARD was not\n ignored for SUID programs, enabling an unintended bypass of a\n security feature. This update causes eglibc to always ignore the\n LD_POINTER_GUARD environment variable. \n\nCVE-2015-8778\n\n Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r\n functions did not check the size argument properly, leading to a\n crash (denial of service) for certain arguments. No impacted\n applications are known at this time. \n\nCVE-2015-8779\n\n The catopen function contains several unbound stack allocations\n (stack overflows), causing it the crash the process (denial of\n service). No applications where this issue has a security impact\n are currently known. \n\nThe following fixed vulnerabilities currently lack CVE assignment:\n\n Joseph Myers reported discovered that an integer overflow in the\n strxfrm can lead to heap-based buffer overflow, possibly allowing\n arbitrary code execution. In addition, a fallback path in strxfrm\n uses an unbounded stack allocation (stack overflow), leading to a\n crash or erroneous application behavior. \n\n Kostya Serebryany reported that the fnmatch function could skip\n over the terminating NUL character of a malformed pattern, causing\n an application calling fnmatch to crash (denial of service). \n\n Joseph Myers reported that the IO_wstr_overflow function,\n internally used by wide-oriented character streams, suffered from\n an integer overflow, leading to a heap-based buffer overflow. On\n GNU/Linux systems, wide-oriented character streams are rarely\n used, and no affected applications are known. 
\n\n Andreas Schwab reported a memory leak (memory allocation without a\n matching deallocation) while processing certain DNS answers in\n getaddrinfo, related to the _nss_dns_gethostbyname4_r function. \n This vulnerability could lead to a denial of service. \n\nWhile it is only necessary to ensure that all processes are not using\nthe old eglibc anymore, it is recommended to reboot the machines after\napplying the security upgrade. \n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 2.13-38+deb7u10. \n\nWe recommend that you upgrade your eglibc packages. \n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIcBAEBCgAGBQJWwy2CAAoJEAVMuPMTQ89EEk4P/jEoKqrIFx5+K5titipnU0wq\njASxI7dQdvHz91CKl47mPfdzvnuH6MRHWzCNz6ngsSRLhqxQhF66beeIAI+EMoGx\nBzA9/WtpieNl80vWrmPRDuqf0kwFjxkzUI50jeQ2KoSZuP9AOGrlMG1olDL9dvDz\nW7avzgXZcd4JQ1W3A8cdfVQEOPZiszjap26CCtxmINRfigSDr25F5WMvY64DtNO7\nSKDen2QOXhHoz5TdQJDq3PzuWqGppMq2ENSTuTH+1W94MJLQVSHglNo8uLBSuT8G\nHd06TdA2SBB5E2V5i1BM1+z0++9LzBn2YzVIFY8AYTtksAiQcEDZS4swVA/r4aEK\ngHfgoAC/WcxvPxSMC9gJDx83b1JpB6Wnn9k8SIMBpEdAAJeWIjwFXyhzfO88G9ig\nl6dgCIAuTJLPCgiT/virNQFLJI0gilyKwSxx5UHv03Nfi03EXU1R/6cX+KllPzFZ\nN5mkR76MrL/hjDkdA0G494ubO6NDaDGCDgzMiLaP+Y6sDcF5ChmYMdJfji5f8AD8\nkqEnTrL7B3/x9ePFg6gEAcmyzwJ8/Utg8c7Wmpc+LaK6OWN9QC79HSRYiIitNGIv\n7NvHxPcLZn35pEhv68EwgKpmCa61EjFRrIGRcfRPDP8Yf08JEWm2q/zY9+XhBwDG\nedY4CgwM3CLvMCOl/4r2\n=K3Zo\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7547"
},
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "CNVD",
"id": "CNVD-2016-01100"
},
{
"db": "VULHUB",
"id": "VHN-85508"
},
{
"db": "PACKETSTORM",
"id": "137497"
},
{
"db": "PACKETSTORM",
"id": "135856"
},
{
"db": "PACKETSTORM",
"id": "136808"
},
{
"db": "PACKETSTORM",
"id": "136985"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "136325"
},
{
"db": "PACKETSTORM",
"id": "137292"
},
{
"db": "PACKETSTORM",
"id": "136988"
}
],
"trust": 2.97
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://www.kb.cert.org/vuls/id/457759",
"trust": 0.8,
"type": "poc"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-85508",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "VULHUB",
"id": "VHN-85508"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2015-7547",
"trust": 3.3
},
{
"db": "CERT/CC",
"id": "VU#457759",
"trust": 1.9
},
{
"db": "BID",
"id": "83265",
"trust": 1.7
},
{
"db": "EXPLOIT-DB",
"id": "39454",
"trust": 1.1
},
{
"db": "EXPLOIT-DB",
"id": "40339",
"trust": 1.1
},
{
"db": "MCAFEE",
"id": "SB10150",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "167552",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "164014",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "135802",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "154361",
"trust": 1.1
},
{
"db": "SECTRACK",
"id": "1035020",
"trust": 1.1
},
{
"db": "PULSESECURE",
"id": "SA40161",
"trust": 1.1
},
{
"db": "TENABLE",
"id": "TRA-2017-08",
"trust": 1.1
},
{
"db": "ICS CERT",
"id": "ICSA-16-103-01",
"trust": 1.1
},
{
"db": "SIEMENS",
"id": "SSA-301706",
"trust": 0.6
},
{
"db": "CNVD",
"id": "CNVD-2016-01100",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "136808",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "137497",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "135856",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "136988",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "136325",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "136985",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "135971",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135791",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "138068",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "136976",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "136881",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135853",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135911",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "137351",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "137112",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135801",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135800",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135789",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "138601",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "136048",
"trust": 0.1
},
{
"db": "CNNVD",
"id": "CNNVD-201602-348",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-90749",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-85508",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135793",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "137292",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "CNVD",
"id": "CNVD-2016-01100"
},
{
"db": "VULHUB",
"id": "VHN-85508"
},
{
"db": "PACKETSTORM",
"id": "137497"
},
{
"db": "PACKETSTORM",
"id": "135856"
},
{
"db": "PACKETSTORM",
"id": "136808"
},
{
"db": "PACKETSTORM",
"id": "136985"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "136325"
},
{
"db": "PACKETSTORM",
"id": "137292"
},
{
"db": "PACKETSTORM",
"id": "136988"
},
{
"db": "NVD",
"id": "CVE-2015-7547"
}
]
},
"id": "VAR-201602-0004",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-85508"
}
],
"trust": 0.8356060666666666
},
"last_update_date": "2026-04-10T21:58:07.360000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Patch for GNU glibc getaddrinfo () stack buffer overflow vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/71529"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-01100"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-119",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85508"
},
{
"db": "NVD",
"id": "CVE-2015-7547"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 3.3,
"url": "https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html"
},
{
"trust": 1.9,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18665"
},
{
"trust": 1.9,
"url": "https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html"
},
{
"trust": 1.9,
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1255-security-advisory-17"
},
{
"trust": 1.9,
"url": "https://bto.bluecoat.com/security-advisory/sa114"
},
{
"trust": 1.9,
"url": "http://www.fortiguard.com/advisory/glibc-getaddrinfo-stack-overflow"
},
{
"trust": 1.2,
"url": "http://rhn.redhat.com/errata/rhsa-2016-0277.html"
},
{
"trust": 1.2,
"url": "https://access.redhat.com/articles/2161461"
},
{
"trust": 1.1,
"url": "http://www.securitytracker.com/id/1035020"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2019/sep/7"
},
{
"trust": 1.1,
"url": "https://seclists.org/bugtraq/2019/sep/7"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2021/sep/0"
},
{
"trust": 1.1,
"url": "http://seclists.org/fulldisclosure/2022/jun/36"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/39454/"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/40339/"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/83265"
},
{
"trust": 1.1,
"url": "http://www.debian.org/security/2016/dsa-3480"
},
{
"trust": 1.1,
"url": "http://www.debian.org/security/2016/dsa-3481"
},
{
"trust": 1.1,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-february/177404.html"
},
{
"trust": 1.1,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-february/177412.html"
},
{
"trust": 1.1,
"url": "https://security.gentoo.org/glsa/201602-02"
},
{
"trust": 1.1,
"url": "http://rhn.redhat.com/errata/rhsa-2016-0175.html"
},
{
"trust": 1.1,
"url": "http://rhn.redhat.com/errata/rhsa-2016-0176.html"
},
{
"trust": 1.1,
"url": "http://rhn.redhat.com/errata/rhsa-2016-0225.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html"
},
{
"trust": 1.1,
"url": "http://ubuntu.com/usn/usn-2900-1"
},
{
"trust": 1.1,
"url": "https://www.kb.cert.org/vuls/id/457759"
},
{
"trust": 1.1,
"url": "http://fortiguard.com/advisory/glibc-getaddrinfo-stack-overflow"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/135802/glibc-getaddrinfo-stack-based-buffer-overflow.html"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/154361/cisco-device-hardcoded-credentials-gnu-glibc-busybox.html"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/164014/moxa-command-injection-cross-site-scripting-vulnerable-software.html"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/167552/nexans-ftto-gigaswitch-outdated-components-hardcoded-backdoor.html"
},
{
"trust": 1.1,
"url": "http://support.citrix.com/article/ctx206991"
},
{
"trust": 1.1,
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160304-01-glibc-en"
},
{
"trust": 1.1,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"trust": 1.1,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"trust": 1.1,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"trust": 1.1,
"url": "http://www.vmware.com/security/advisories/vmsa-2016-0002.html"
},
{
"trust": 1.1,
"url": "https://blogs.sophos.com/2016/02/24/utm-up2date-9-355-released/"
},
{
"trust": 1.1,
"url": "https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/"
},
{
"trust": 1.1,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1293532"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05028479"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04989404"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05008367"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05053211"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05073516"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05098877"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05125672"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05128937"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05130958"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05140858"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05158380"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05176716"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05212266"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05376917"
},
{
"trust": 1.1,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390722"
},
{
"trust": 1.1,
"url": "https://help.ecostruxureit.com/display/public/uadco8x/struxureware+data+center+operation+software+vulnerability+fixes"
},
{
"trust": 1.1,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-16-103-01"
},
{
"trust": 1.1,
"url": "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa40161"
},
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20160217-0002/"
},
{
"trust": 1.1,
"url": "https://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html"
},
{
"trust": 1.1,
"url": "https://support.lenovo.com/us/en/product_security/len_5450"
},
{
"trust": 1.1,
"url": "https://www.tenable.com/security/research/tra-2017-08"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00043.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=145596041017029\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=145857691004892\u0026w=2"
},
{
"trust": 1.0,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10150"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=145672440608228\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=146161017210491\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=145690841819314\u0026w=2"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2015-7547"
},
{
"trust": 0.8,
"url": "https://sourceware.org/glibc/wiki/glibc%20timeline"
},
{
"trust": 0.8,
"url": "https://www.centos.org/forums/viewtopic.php?t=56467"
},
{
"trust": 0.8,
"url": "http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160218-glibc"
},
{
"trust": 0.8,
"url": "https://lists.debian.org/debian-lts-announce/2016/02/msg00009.html"
},
{
"trust": 0.8,
"url": "http://www.ubuntu.com/usn/usn-2900-1/"
},
{
"trust": 0.8,
"url": "http://forums.juniper.net/t5/security-incident-response/glibc-getaddrinfo-stack-based-buffer-overflow-cve-2015-7547/ba-p/288261"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7547"
},
{
"trust": 0.6,
"url": "http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-301706.pdf"
},
{
"trust": 0.6,
"url": "https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html"
},
{
"trust": 0.6,
"url": "https://isc.sans.edu/diary/cve-2015-7547"
},
{
"trust": 0.6,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_n"
},
{
"trust": 0.6,
"url": "http://www.hpe.com/support/security_bulletin_archive"
},
{
"trust": 0.6,
"url": "http://www.hpe.com/support/subscriber_choice"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0705"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0728"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=145690841819314\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=145596041017029\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=145672440608228\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=145857691004892\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=146161017210491\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10150"
},
{
"trust": 0.1,
"url": "https://h20392.www2.hp.com/portal/swdepot/displayproductinfo.do?productnu"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "http://www.hp.com/go/cloudsystem/download"
},
{
"trust": 0.1,
"url": "https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetse"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8777"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1781"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8776"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8778"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8779"
},
{
"trust": 0.1,
"url": "https://helion.hpwsportal.com"
},
{
"trust": 0.1,
"url": "https://cloudos.hpwsportal.com/#/product/%7b%22productid%22%3a%222804%22%7d/s"
},
{
"trust": 0.1,
"url": "https://cloudos.hpwsportal.com/#/product/%7b%22productid%22%3a%222800%22%7d/s"
},
{
"trust": 0.1,
"url": "http://docs.hpcloud.com/#devplatform/2.0/gibcpatch/devplatform.glibc_patch.ht"
},
{
"trust": 0.1,
"url": "https://cloudos.hpwsportal.com/#/product/%7b%22productid%22%3a%222955%22%7d/s"
},
{
"trust": 0.1,
"url": "https://cloudos.hpwsportal.com/#/product/%7b%22productid%22%3a%222923%22%7d/s"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7995"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2007-6750"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1790"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8035"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1788"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1792"
},
{
"trust": 0.1,
"url": "http://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05131085"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3195"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0799"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3567"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3237"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3513"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1789"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1791"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2015"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7501"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2017"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay/?docid=emr_"
},
{
"trust": 0.1,
"url": "http://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05111017"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-4969"
},
{
"trust": 0.1,
"url": "http://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05131044"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0205"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3568"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3508"
},
{
"trust": 0.1,
"url": "http://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05130958"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3194"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3569"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3509"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3511"
},
{
"trust": 0.1,
"url": "http://www.hpe.com/info/insightcontrol"
},
{
"trust": 0.1,
"url": "https://h20392.www2.hp.com/portal/swdepot/displayproductinfo.do?productnumber"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
},
{
"db": "CNVD",
"id": "CNVD-2016-01100"
},
{
"db": "VULHUB",
"id": "VHN-85508"
},
{
"db": "PACKETSTORM",
"id": "137497"
},
{
"db": "PACKETSTORM",
"id": "135856"
},
{
"db": "PACKETSTORM",
"id": "136808"
},
{
"db": "PACKETSTORM",
"id": "136985"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "136325"
},
{
"db": "PACKETSTORM",
"id": "137292"
},
{
"db": "PACKETSTORM",
"id": "136988"
},
{
"db": "NVD",
"id": "CVE-2015-7547"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "CERT/CC",
"id": "VU#457759",
"ident": null
},
{
"db": "CNVD",
"id": "CNVD-2016-01100",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-85508",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "137497",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "135856",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "136808",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "136985",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "135793",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "136325",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "137292",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "136988",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2015-7547",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2016-02-17T00:00:00",
"db": "CERT/CC",
"id": "VU#457759",
"ident": null
},
{
"date": "2016-02-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-01100",
"ident": null
},
{
"date": "2016-02-18T00:00:00",
"db": "VULHUB",
"id": "VHN-85508",
"ident": null
},
{
"date": "2016-06-16T15:13:17",
"db": "PACKETSTORM",
"id": "137497",
"ident": null
},
{
"date": "2016-02-19T23:33:00",
"db": "PACKETSTORM",
"id": "135856",
"ident": null
},
{
"date": "2016-04-26T12:40:35",
"db": "PACKETSTORM",
"id": "136808",
"ident": null
},
{
"date": "2016-05-13T16:13:42",
"db": "PACKETSTORM",
"id": "136985",
"ident": null
},
{
"date": "2016-02-16T17:18:17",
"db": "PACKETSTORM",
"id": "135793",
"ident": null
},
{
"date": "2016-03-22T00:03:01",
"db": "PACKETSTORM",
"id": "136325",
"ident": null
},
{
"date": "2016-06-02T19:12:12",
"db": "PACKETSTORM",
"id": "137292",
"ident": null
},
{
"date": "2016-05-13T16:14:06",
"db": "PACKETSTORM",
"id": "136988",
"ident": null
},
{
"date": "2016-02-18T21:59:00.120000",
"db": "NVD",
"id": "CVE-2015-7547",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2016-03-14T00:00:00",
"db": "CERT/CC",
"id": "VU#457759",
"ident": null
},
{
"date": "2016-07-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-01100",
"ident": null
},
{
"date": "2023-02-12T00:00:00",
"db": "VULHUB",
"id": "VHN-85508",
"ident": null
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2015-7547",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "135856"
},
{
"db": "PACKETSTORM",
"id": "137292"
}
],
"trust": 0.2
},
"title": {
"_id": null,
"data": "glibc vulnerable to stack buffer overflow in DNS resolver",
"sources": [
{
"db": "CERT/CC",
"id": "VU#457759"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "overflow, arbitrary",
"sources": [
{
"db": "PACKETSTORM",
"id": "137497"
},
{
"db": "PACKETSTORM",
"id": "136808"
},
{
"db": "PACKETSTORM",
"id": "136325"
}
],
"trust": 0.3
}
}
VAR-202105-1306
Vulnerability from variot - Updated: 2026-03-09 22:22
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. The vulnerability stems from a use-after-free flaw in the library's mq_notify function.
Bugs fixed (https://bugzilla.redhat.com/):
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
Security Fix(es):
- glibc: Arbitrary read in wordexp() (CVE-2021-35942)
- glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c (CVE-2021-27645)
- glibc: mq_notify does not handle separately allocated thread attributes (CVE-2021-33574)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section.
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the glibc library must be restarted, or the system rebooted.
Bugs fixed (https://bugzilla.redhat.com/):
1871386 - glibc: Update syscall names for Linux 5.6, 5.7, and 5.8.
1912670 - semctl SEM_STAT_ANY fails to pass the buffer specified by the caller to the kernel
1927877 - CVE-2021-27645 glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c [rhel-8]
1930302 - glibc: provide IPPROTO_MPTCP definition
1932589 - CVE-2021-27645 glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c
1935128 - glibc: Rebuild glibc after objcopy fix for bug 1928936 [rhel-8.5.0]
1965408 - CVE-2021-33574 glibc: mq_notify does not handle separately allocated thread attributes
1977975 - CVE-2021-35942 glibc: Arbitrary read in wordexp()
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source: glibc-2.28-164.el8.src.rpm
aarch64: glibc-2.28-164.el8.aarch64.rpm glibc-all-langpacks-2.28-164.el8.aarch64.rpm glibc-common-2.28-164.el8.aarch64.rpm glibc-debuginfo-2.28-164.el8.aarch64.rpm glibc-devel-2.28-164.el8.aarch64.rpm glibc-headers-2.28-164.el8.aarch64.rpm glibc-langpack-aa-2.28-164.el8.aarch64.rpm glibc-langpack-af-2.28-164.el8.aarch64.rpm glibc-langpack-agr-2.28-164.el8.aarch64.rpm glibc-langpack-ak-2.28-164.el8.aarch64.rpm glibc-langpack-am-2.28-164.el8.aarch64.rpm glibc-langpack-an-2.28-164.el8.aarch64.rpm glibc-langpack-anp-2.28-164.el8.aarch64.rpm glibc-langpack-ar-2.28-164.el8.aarch64.rpm glibc-langpack-as-2.28-164.el8.aarch64.rpm glibc-langpack-ast-2.28-164.el8.aarch64.rpm glibc-langpack-ayc-2.28-164.el8.aarch64.rpm glibc-langpack-az-2.28-164.el8.aarch64.rpm glibc-langpack-be-2.28-164.el8.aarch64.rpm glibc-langpack-bem-2.28-164.el8.aarch64.rpm glibc-langpack-ber-2.28-164.el8.aarch64.rpm glibc-langpack-bg-2.28-164.el8.aarch64.rpm glibc-langpack-bhb-2.28-164.el8.aarch64.rpm glibc-langpack-bho-2.28-164.el8.aarch64.rpm glibc-langpack-bi-2.28-164.el8.aarch64.rpm glibc-langpack-bn-2.28-164.el8.aarch64.rpm glibc-langpack-bo-2.28-164.el8.aarch64.rpm glibc-langpack-br-2.28-164.el8.aarch64.rpm glibc-langpack-brx-2.28-164.el8.aarch64.rpm glibc-langpack-bs-2.28-164.el8.aarch64.rpm glibc-langpack-byn-2.28-164.el8.aarch64.rpm glibc-langpack-ca-2.28-164.el8.aarch64.rpm glibc-langpack-ce-2.28-164.el8.aarch64.rpm glibc-langpack-chr-2.28-164.el8.aarch64.rpm glibc-langpack-cmn-2.28-164.el8.aarch64.rpm glibc-langpack-crh-2.28-164.el8.aarch64.rpm glibc-langpack-cs-2.28-164.el8.aarch64.rpm glibc-langpack-csb-2.28-164.el8.aarch64.rpm glibc-langpack-cv-2.28-164.el8.aarch64.rpm glibc-langpack-cy-2.28-164.el8.aarch64.rpm glibc-langpack-da-2.28-164.el8.aarch64.rpm glibc-langpack-de-2.28-164.el8.aarch64.rpm glibc-langpack-doi-2.28-164.el8.aarch64.rpm glibc-langpack-dsb-2.28-164.el8.aarch64.rpm glibc-langpack-dv-2.28-164.el8.aarch64.rpm glibc-langpack-dz-2.28-164.el8.aarch64.rpm 
glibc-langpack-el-2.28-164.el8.aarch64.rpm glibc-langpack-en-2.28-164.el8.aarch64.rpm glibc-langpack-eo-2.28-164.el8.aarch64.rpm glibc-langpack-es-2.28-164.el8.aarch64.rpm glibc-langpack-et-2.28-164.el8.aarch64.rpm glibc-langpack-eu-2.28-164.el8.aarch64.rpm glibc-langpack-fa-2.28-164.el8.aarch64.rpm glibc-langpack-ff-2.28-164.el8.aarch64.rpm glibc-langpack-fi-2.28-164.el8.aarch64.rpm glibc-langpack-fil-2.28-164.el8.aarch64.rpm glibc-langpack-fo-2.28-164.el8.aarch64.rpm glibc-langpack-fr-2.28-164.el8.aarch64.rpm glibc-langpack-fur-2.28-164.el8.aarch64.rpm glibc-langpack-fy-2.28-164.el8.aarch64.rpm glibc-langpack-ga-2.28-164.el8.aarch64.rpm glibc-langpack-gd-2.28-164.el8.aarch64.rpm glibc-langpack-gez-2.28-164.el8.aarch64.rpm glibc-langpack-gl-2.28-164.el8.aarch64.rpm glibc-langpack-gu-2.28-164.el8.aarch64.rpm glibc-langpack-gv-2.28-164.el8.aarch64.rpm glibc-langpack-ha-2.28-164.el8.aarch64.rpm glibc-langpack-hak-2.28-164.el8.aarch64.rpm glibc-langpack-he-2.28-164.el8.aarch64.rpm glibc-langpack-hi-2.28-164.el8.aarch64.rpm glibc-langpack-hif-2.28-164.el8.aarch64.rpm glibc-langpack-hne-2.28-164.el8.aarch64.rpm glibc-langpack-hr-2.28-164.el8.aarch64.rpm glibc-langpack-hsb-2.28-164.el8.aarch64.rpm glibc-langpack-ht-2.28-164.el8.aarch64.rpm glibc-langpack-hu-2.28-164.el8.aarch64.rpm glibc-langpack-hy-2.28-164.el8.aarch64.rpm glibc-langpack-ia-2.28-164.el8.aarch64.rpm glibc-langpack-id-2.28-164.el8.aarch64.rpm glibc-langpack-ig-2.28-164.el8.aarch64.rpm glibc-langpack-ik-2.28-164.el8.aarch64.rpm glibc-langpack-is-2.28-164.el8.aarch64.rpm glibc-langpack-it-2.28-164.el8.aarch64.rpm glibc-langpack-iu-2.28-164.el8.aarch64.rpm glibc-langpack-ja-2.28-164.el8.aarch64.rpm glibc-langpack-ka-2.28-164.el8.aarch64.rpm glibc-langpack-kab-2.28-164.el8.aarch64.rpm glibc-langpack-kk-2.28-164.el8.aarch64.rpm glibc-langpack-kl-2.28-164.el8.aarch64.rpm glibc-langpack-km-2.28-164.el8.aarch64.rpm glibc-langpack-kn-2.28-164.el8.aarch64.rpm glibc-langpack-ko-2.28-164.el8.aarch64.rpm 
glibc-langpack-kok-2.28-164.el8.aarch64.rpm glibc-langpack-ks-2.28-164.el8.aarch64.rpm glibc-langpack-ku-2.28-164.el8.aarch64.rpm glibc-langpack-kw-2.28-164.el8.aarch64.rpm glibc-langpack-ky-2.28-164.el8.aarch64.rpm glibc-langpack-lb-2.28-164.el8.aarch64.rpm glibc-langpack-lg-2.28-164.el8.aarch64.rpm glibc-langpack-li-2.28-164.el8.aarch64.rpm glibc-langpack-lij-2.28-164.el8.aarch64.rpm glibc-langpack-ln-2.28-164.el8.aarch64.rpm glibc-langpack-lo-2.28-164.el8.aarch64.rpm glibc-langpack-lt-2.28-164.el8.aarch64.rpm glibc-langpack-lv-2.28-164.el8.aarch64.rpm glibc-langpack-lzh-2.28-164.el8.aarch64.rpm glibc-langpack-mag-2.28-164.el8.aarch64.rpm glibc-langpack-mai-2.28-164.el8.aarch64.rpm glibc-langpack-mfe-2.28-164.el8.aarch64.rpm glibc-langpack-mg-2.28-164.el8.aarch64.rpm glibc-langpack-mhr-2.28-164.el8.aarch64.rpm glibc-langpack-mi-2.28-164.el8.aarch64.rpm glibc-langpack-miq-2.28-164.el8.aarch64.rpm glibc-langpack-mjw-2.28-164.el8.aarch64.rpm glibc-langpack-mk-2.28-164.el8.aarch64.rpm glibc-langpack-ml-2.28-164.el8.aarch64.rpm glibc-langpack-mn-2.28-164.el8.aarch64.rpm glibc-langpack-mni-2.28-164.el8.aarch64.rpm glibc-langpack-mr-2.28-164.el8.aarch64.rpm glibc-langpack-ms-2.28-164.el8.aarch64.rpm glibc-langpack-mt-2.28-164.el8.aarch64.rpm glibc-langpack-my-2.28-164.el8.aarch64.rpm glibc-langpack-nan-2.28-164.el8.aarch64.rpm glibc-langpack-nb-2.28-164.el8.aarch64.rpm glibc-langpack-nds-2.28-164.el8.aarch64.rpm glibc-langpack-ne-2.28-164.el8.aarch64.rpm glibc-langpack-nhn-2.28-164.el8.aarch64.rpm glibc-langpack-niu-2.28-164.el8.aarch64.rpm glibc-langpack-nl-2.28-164.el8.aarch64.rpm glibc-langpack-nn-2.28-164.el8.aarch64.rpm glibc-langpack-nr-2.28-164.el8.aarch64.rpm glibc-langpack-nso-2.28-164.el8.aarch64.rpm glibc-langpack-oc-2.28-164.el8.aarch64.rpm glibc-langpack-om-2.28-164.el8.aarch64.rpm glibc-langpack-or-2.28-164.el8.aarch64.rpm glibc-langpack-os-2.28-164.el8.aarch64.rpm glibc-langpack-pa-2.28-164.el8.aarch64.rpm glibc-langpack-pap-2.28-164.el8.aarch64.rpm 
glibc-langpack-pl-2.28-164.el8.aarch64.rpm glibc-langpack-ps-2.28-164.el8.aarch64.rpm glibc-langpack-pt-2.28-164.el8.aarch64.rpm glibc-langpack-quz-2.28-164.el8.aarch64.rpm glibc-langpack-raj-2.28-164.el8.aarch64.rpm glibc-langpack-ro-2.28-164.el8.aarch64.rpm glibc-langpack-ru-2.28-164.el8.aarch64.rpm glibc-langpack-rw-2.28-164.el8.aarch64.rpm glibc-langpack-sa-2.28-164.el8.aarch64.rpm glibc-langpack-sah-2.28-164.el8.aarch64.rpm glibc-langpack-sat-2.28-164.el8.aarch64.rpm glibc-langpack-sc-2.28-164.el8.aarch64.rpm glibc-langpack-sd-2.28-164.el8.aarch64.rpm glibc-langpack-se-2.28-164.el8.aarch64.rpm glibc-langpack-sgs-2.28-164.el8.aarch64.rpm glibc-langpack-shn-2.28-164.el8.aarch64.rpm glibc-langpack-shs-2.28-164.el8.aarch64.rpm glibc-langpack-si-2.28-164.el8.aarch64.rpm glibc-langpack-sid-2.28-164.el8.aarch64.rpm glibc-langpack-sk-2.28-164.el8.aarch64.rpm glibc-langpack-sl-2.28-164.el8.aarch64.rpm glibc-langpack-sm-2.28-164.el8.aarch64.rpm glibc-langpack-so-2.28-164.el8.aarch64.rpm glibc-langpack-sq-2.28-164.el8.aarch64.rpm glibc-langpack-sr-2.28-164.el8.aarch64.rpm glibc-langpack-ss-2.28-164.el8.aarch64.rpm glibc-langpack-st-2.28-164.el8.aarch64.rpm glibc-langpack-sv-2.28-164.el8.aarch64.rpm glibc-langpack-sw-2.28-164.el8.aarch64.rpm glibc-langpack-szl-2.28-164.el8.aarch64.rpm glibc-langpack-ta-2.28-164.el8.aarch64.rpm glibc-langpack-tcy-2.28-164.el8.aarch64.rpm glibc-langpack-te-2.28-164.el8.aarch64.rpm glibc-langpack-tg-2.28-164.el8.aarch64.rpm glibc-langpack-th-2.28-164.el8.aarch64.rpm glibc-langpack-the-2.28-164.el8.aarch64.rpm glibc-langpack-ti-2.28-164.el8.aarch64.rpm glibc-langpack-tig-2.28-164.el8.aarch64.rpm glibc-langpack-tk-2.28-164.el8.aarch64.rpm glibc-langpack-tl-2.28-164.el8.aarch64.rpm glibc-langpack-tn-2.28-164.el8.aarch64.rpm glibc-langpack-to-2.28-164.el8.aarch64.rpm glibc-langpack-tpi-2.28-164.el8.aarch64.rpm glibc-langpack-tr-2.28-164.el8.aarch64.rpm glibc-langpack-ts-2.28-164.el8.aarch64.rpm glibc-langpack-tt-2.28-164.el8.aarch64.rpm 
glibc-langpack-ug-2.28-164.el8.aarch64.rpm glibc-langpack-uk-2.28-164.el8.aarch64.rpm glibc-langpack-unm-2.28-164.el8.aarch64.rpm glibc-langpack-ur-2.28-164.el8.aarch64.rpm glibc-langpack-uz-2.28-164.el8.aarch64.rpm glibc-langpack-ve-2.28-164.el8.aarch64.rpm glibc-langpack-vi-2.28-164.el8.aarch64.rpm glibc-langpack-wa-2.28-164.el8.aarch64.rpm glibc-langpack-wae-2.28-164.el8.aarch64.rpm glibc-langpack-wal-2.28-164.el8.aarch64.rpm glibc-langpack-wo-2.28-164.el8.aarch64.rpm glibc-langpack-xh-2.28-164.el8.aarch64.rpm glibc-langpack-yi-2.28-164.el8.aarch64.rpm glibc-langpack-yo-2.28-164.el8.aarch64.rpm glibc-langpack-yue-2.28-164.el8.aarch64.rpm glibc-langpack-yuw-2.28-164.el8.aarch64.rpm glibc-langpack-zh-2.28-164.el8.aarch64.rpm glibc-langpack-zu-2.28-164.el8.aarch64.rpm glibc-locale-source-2.28-164.el8.aarch64.rpm glibc-minimal-langpack-2.28-164.el8.aarch64.rpm libnsl-2.28-164.el8.aarch64.rpm nscd-2.28-164.el8.aarch64.rpm nss_db-2.28-164.el8.aarch64.rpm
ppc64le: glibc-2.28-164.el8.ppc64le.rpm glibc-all-langpacks-2.28-164.el8.ppc64le.rpm glibc-common-2.28-164.el8.ppc64le.rpm glibc-debuginfo-2.28-164.el8.ppc64le.rpm glibc-debuginfo-common-2.28-164.el8.ppc64le.rpm glibc-devel-2.28-164.el8.ppc64le.rpm glibc-headers-2.28-164.el8.ppc64le.rpm glibc-langpack-aa-2.28-164.el8.ppc64le.rpm glibc-langpack-af-2.28-164.el8.ppc64le.rpm glibc-langpack-agr-2.28-164.el8.ppc64le.rpm glibc-langpack-ak-2.28-164.el8.ppc64le.rpm glibc-langpack-am-2.28-164.el8.ppc64le.rpm glibc-langpack-an-2.28-164.el8.ppc64le.rpm glibc-langpack-anp-2.28-164.el8.ppc64le.rpm glibc-langpack-ar-2.28-164.el8.ppc64le.rpm glibc-langpack-as-2.28-164.el8.ppc64le.rpm glibc-langpack-ast-2.28-164.el8.ppc64le.rpm glibc-langpack-ayc-2.28-164.el8.ppc64le.rpm glibc-langpack-az-2.28-164.el8.ppc64le.rpm glibc-langpack-be-2.28-164.el8.ppc64le.rpm glibc-langpack-bem-2.28-164.el8.ppc64le.rpm glibc-langpack-ber-2.28-164.el8.ppc64le.rpm glibc-langpack-bg-2.28-164.el8.ppc64le.rpm glibc-langpack-bhb-2.28-164.el8.ppc64le.rpm glibc-langpack-bho-2.28-164.el8.ppc64le.rpm glibc-langpack-bi-2.28-164.el8.ppc64le.rpm glibc-langpack-bn-2.28-164.el8.ppc64le.rpm glibc-langpack-bo-2.28-164.el8.ppc64le.rpm glibc-langpack-br-2.28-164.el8.ppc64le.rpm glibc-langpack-brx-2.28-164.el8.ppc64le.rpm glibc-langpack-bs-2.28-164.el8.ppc64le.rpm glibc-langpack-byn-2.28-164.el8.ppc64le.rpm glibc-langpack-ca-2.28-164.el8.ppc64le.rpm glibc-langpack-ce-2.28-164.el8.ppc64le.rpm glibc-langpack-chr-2.28-164.el8.ppc64le.rpm glibc-langpack-cmn-2.28-164.el8.ppc64le.rpm glibc-langpack-crh-2.28-164.el8.ppc64le.rpm glibc-langpack-cs-2.28-164.el8.ppc64le.rpm glibc-langpack-csb-2.28-164.el8.ppc64le.rpm glibc-langpack-cv-2.28-164.el8.ppc64le.rpm glibc-langpack-cy-2.28-164.el8.ppc64le.rpm glibc-langpack-da-2.28-164.el8.ppc64le.rpm glibc-langpack-de-2.28-164.el8.ppc64le.rpm glibc-langpack-doi-2.28-164.el8.ppc64le.rpm glibc-langpack-dsb-2.28-164.el8.ppc64le.rpm glibc-langpack-dv-2.28-164.el8.ppc64le.rpm 
glibc-langpack-dz-2.28-164.el8.ppc64le.rpm glibc-langpack-el-2.28-164.el8.ppc64le.rpm glibc-langpack-en-2.28-164.el8.ppc64le.rpm glibc-langpack-eo-2.28-164.el8.ppc64le.rpm glibc-langpack-es-2.28-164.el8.ppc64le.rpm glibc-langpack-et-2.28-164.el8.ppc64le.rpm glibc-langpack-eu-2.28-164.el8.ppc64le.rpm glibc-langpack-fa-2.28-164.el8.ppc64le.rpm glibc-langpack-ff-2.28-164.el8.ppc64le.rpm glibc-langpack-fi-2.28-164.el8.ppc64le.rpm glibc-langpack-fil-2.28-164.el8.ppc64le.rpm glibc-langpack-fo-2.28-164.el8.ppc64le.rpm glibc-langpack-fr-2.28-164.el8.ppc64le.rpm glibc-langpack-fur-2.28-164.el8.ppc64le.rpm glibc-langpack-fy-2.28-164.el8.ppc64le.rpm glibc-langpack-ga-2.28-164.el8.ppc64le.rpm glibc-langpack-gd-2.28-164.el8.ppc64le.rpm glibc-langpack-gez-2.28-164.el8.ppc64le.rpm glibc-langpack-gl-2.28-164.el8.ppc64le.rpm glibc-langpack-gu-2.28-164.el8.ppc64le.rpm glibc-langpack-gv-2.28-164.el8.ppc64le.rpm glibc-langpack-ha-2.28-164.el8.ppc64le.rpm glibc-langpack-hak-2.28-164.el8.ppc64le.rpm glibc-langpack-he-2.28-164.el8.ppc64le.rpm glibc-langpack-hi-2.28-164.el8.ppc64le.rpm glibc-langpack-hif-2.28-164.el8.ppc64le.rpm glibc-langpack-hne-2.28-164.el8.ppc64le.rpm glibc-langpack-hr-2.28-164.el8.ppc64le.rpm glibc-langpack-hsb-2.28-164.el8.ppc64le.rpm glibc-langpack-ht-2.28-164.el8.ppc64le.rpm glibc-langpack-hu-2.28-164.el8.ppc64le.rpm glibc-langpack-hy-2.28-164.el8.ppc64le.rpm glibc-langpack-ia-2.28-164.el8.ppc64le.rpm glibc-langpack-id-2.28-164.el8.ppc64le.rpm glibc-langpack-ig-2.28-164.el8.ppc64le.rpm glibc-langpack-ik-2.28-164.el8.ppc64le.rpm glibc-langpack-is-2.28-164.el8.ppc64le.rpm glibc-langpack-it-2.28-164.el8.ppc64le.rpm glibc-langpack-iu-2.28-164.el8.ppc64le.rpm glibc-langpack-ja-2.28-164.el8.ppc64le.rpm glibc-langpack-ka-2.28-164.el8.ppc64le.rpm glibc-langpack-kab-2.28-164.el8.ppc64le.rpm glibc-langpack-kk-2.28-164.el8.ppc64le.rpm glibc-langpack-kl-2.28-164.el8.ppc64le.rpm glibc-langpack-km-2.28-164.el8.ppc64le.rpm glibc-langpack-kn-2.28-164.el8.ppc64le.rpm 
glibc-langpack-ko-2.28-164.el8.ppc64le.rpm glibc-langpack-kok-2.28-164.el8.ppc64le.rpm glibc-langpack-ks-2.28-164.el8.ppc64le.rpm glibc-langpack-ku-2.28-164.el8.ppc64le.rpm glibc-langpack-kw-2.28-164.el8.ppc64le.rpm glibc-langpack-ky-2.28-164.el8.ppc64le.rpm glibc-langpack-lb-2.28-164.el8.ppc64le.rpm glibc-langpack-lg-2.28-164.el8.ppc64le.rpm glibc-langpack-li-2.28-164.el8.ppc64le.rpm glibc-langpack-lij-2.28-164.el8.ppc64le.rpm glibc-langpack-ln-2.28-164.el8.ppc64le.rpm glibc-langpack-lo-2.28-164.el8.ppc64le.rpm glibc-langpack-lt-2.28-164.el8.ppc64le.rpm glibc-langpack-lv-2.28-164.el8.ppc64le.rpm glibc-langpack-lzh-2.28-164.el8.ppc64le.rpm glibc-langpack-mag-2.28-164.el8.ppc64le.rpm glibc-langpack-mai-2.28-164.el8.ppc64le.rpm glibc-langpack-mfe-2.28-164.el8.ppc64le.rpm glibc-langpack-mg-2.28-164.el8.ppc64le.rpm glibc-langpack-mhr-2.28-164.el8.ppc64le.rpm glibc-langpack-mi-2.28-164.el8.ppc64le.rpm glibc-langpack-miq-2.28-164.el8.ppc64le.rpm glibc-langpack-mjw-2.28-164.el8.ppc64le.rpm glibc-langpack-mk-2.28-164.el8.ppc64le.rpm glibc-langpack-ml-2.28-164.el8.ppc64le.rpm glibc-langpack-mn-2.28-164.el8.ppc64le.rpm glibc-langpack-mni-2.28-164.el8.ppc64le.rpm glibc-langpack-mr-2.28-164.el8.ppc64le.rpm glibc-langpack-ms-2.28-164.el8.ppc64le.rpm glibc-langpack-mt-2.28-164.el8.ppc64le.rpm glibc-langpack-my-2.28-164.el8.ppc64le.rpm glibc-langpack-nan-2.28-164.el8.ppc64le.rpm glibc-langpack-nb-2.28-164.el8.ppc64le.rpm glibc-langpack-nds-2.28-164.el8.ppc64le.rpm glibc-langpack-ne-2.28-164.el8.ppc64le.rpm glibc-langpack-nhn-2.28-164.el8.ppc64le.rpm glibc-langpack-niu-2.28-164.el8.ppc64le.rpm glibc-langpack-nl-2.28-164.el8.ppc64le.rpm glibc-langpack-nn-2.28-164.el8.ppc64le.rpm glibc-langpack-nr-2.28-164.el8.ppc64le.rpm glibc-langpack-nso-2.28-164.el8.ppc64le.rpm glibc-langpack-oc-2.28-164.el8.ppc64le.rpm glibc-langpack-om-2.28-164.el8.ppc64le.rpm glibc-langpack-or-2.28-164.el8.ppc64le.rpm glibc-langpack-os-2.28-164.el8.ppc64le.rpm glibc-langpack-pa-2.28-164.el8.ppc64le.rpm 
glibc-langpack-pap-2.28-164.el8.ppc64le.rpm glibc-langpack-pl-2.28-164.el8.ppc64le.rpm glibc-langpack-ps-2.28-164.el8.ppc64le.rpm glibc-langpack-pt-2.28-164.el8.ppc64le.rpm glibc-langpack-quz-2.28-164.el8.ppc64le.rpm glibc-langpack-raj-2.28-164.el8.ppc64le.rpm glibc-langpack-ro-2.28-164.el8.ppc64le.rpm glibc-langpack-ru-2.28-164.el8.ppc64le.rpm glibc-langpack-rw-2.28-164.el8.ppc64le.rpm glibc-langpack-sa-2.28-164.el8.ppc64le.rpm glibc-langpack-sah-2.28-164.el8.ppc64le.rpm glibc-langpack-sat-2.28-164.el8.ppc64le.rpm glibc-langpack-sc-2.28-164.el8.ppc64le.rpm glibc-langpack-sd-2.28-164.el8.ppc64le.rpm glibc-langpack-se-2.28-164.el8.ppc64le.rpm glibc-langpack-sgs-2.28-164.el8.ppc64le.rpm glibc-langpack-shn-2.28-164.el8.ppc64le.rpm glibc-langpack-shs-2.28-164.el8.ppc64le.rpm glibc-langpack-si-2.28-164.el8.ppc64le.rpm glibc-langpack-sid-2.28-164.el8.ppc64le.rpm glibc-langpack-sk-2.28-164.el8.ppc64le.rpm glibc-langpack-sl-2.28-164.el8.ppc64le.rpm glibc-langpack-sm-2.28-164.el8.ppc64le.rpm glibc-langpack-so-2.28-164.el8.ppc64le.rpm glibc-langpack-sq-2.28-164.el8.ppc64le.rpm glibc-langpack-sr-2.28-164.el8.ppc64le.rpm glibc-langpack-ss-2.28-164.el8.ppc64le.rpm glibc-langpack-st-2.28-164.el8.ppc64le.rpm glibc-langpack-sv-2.28-164.el8.ppc64le.rpm glibc-langpack-sw-2.28-164.el8.ppc64le.rpm glibc-langpack-szl-2.28-164.el8.ppc64le.rpm glibc-langpack-ta-2.28-164.el8.ppc64le.rpm glibc-langpack-tcy-2.28-164.el8.ppc64le.rpm glibc-langpack-te-2.28-164.el8.ppc64le.rpm glibc-langpack-tg-2.28-164.el8.ppc64le.rpm glibc-langpack-th-2.28-164.el8.ppc64le.rpm glibc-langpack-the-2.28-164.el8.ppc64le.rpm glibc-langpack-ti-2.28-164.el8.ppc64le.rpm glibc-langpack-tig-2.28-164.el8.ppc64le.rpm glibc-langpack-tk-2.28-164.el8.ppc64le.rpm glibc-langpack-tl-2.28-164.el8.ppc64le.rpm glibc-langpack-tn-2.28-164.el8.ppc64le.rpm glibc-langpack-to-2.28-164.el8.ppc64le.rpm glibc-langpack-tpi-2.28-164.el8.ppc64le.rpm glibc-langpack-tr-2.28-164.el8.ppc64le.rpm glibc-langpack-ts-2.28-164.el8.ppc64le.rpm 
glibc-langpack-tt-2.28-164.el8.ppc64le.rpm glibc-langpack-ug-2.28-164.el8.ppc64le.rpm glibc-langpack-uk-2.28-164.el8.ppc64le.rpm glibc-langpack-unm-2.28-164.el8.ppc64le.rpm glibc-langpack-ur-2.28-164.el8.ppc64le.rpm glibc-langpack-uz-2.28-164.el8.ppc64le.rpm glibc-langpack-ve-2.28-164.el8.ppc64le.rpm glibc-langpack-vi-2.28-164.el8.ppc64le.rpm glibc-langpack-wa-2.28-164.el8.ppc64le.rpm glibc-langpack-wae-2.28-164.el8.ppc64le.rpm glibc-langpack-wal-2.28-164.el8.ppc64le.rpm glibc-langpack-wo-2.28-164.el8.ppc64le.rpm glibc-langpack-xh-2.28-164.el8.ppc64le.rpm glibc-langpack-yi-2.28-164.el8.ppc64le.rpm glibc-langpack-yo-2.28-164.el8.ppc64le.rpm glibc-langpack-yue-2.28-164.el8.ppc64le.rpm glibc-langpack-yuw-2.28-164.el8.ppc64le.rpm glibc-langpack-zh-2.28-164.el8.ppc64le.rpm glibc-langpack-zu-2.28-164.el8.ppc64le.rpm glibc-locale-source-2.28-164.el8.ppc64le.rpm glibc-minimal-langpack-2.28-164.el8.ppc64le.rpm libnsl-2.28-164.el8.ppc64le.rpm nscd-2.28-164.el8.ppc64le.rpm nss_db-2.28-164.el8.ppc64le.rpm
s390x: glibc-2.28-164.el8.s390x.rpm glibc-all-langpacks-2.28-164.el8.s390x.rpm glibc-common-2.28-164.el8.s390x.rpm glibc-debuginfo-2.28-164.el8.s390x.rpm glibc-debuginfo-common-2.28-164.el8.s390x.rpm glibc-devel-2.28-164.el8.s390x.rpm glibc-headers-2.28-164.el8.s390x.rpm glibc-langpack-aa-2.28-164.el8.s390x.rpm glibc-langpack-af-2.28-164.el8.s390x.rpm glibc-langpack-agr-2.28-164.el8.s390x.rpm glibc-langpack-ak-2.28-164.el8.s390x.rpm glibc-langpack-am-2.28-164.el8.s390x.rpm glibc-langpack-an-2.28-164.el8.s390x.rpm glibc-langpack-anp-2.28-164.el8.s390x.rpm glibc-langpack-ar-2.28-164.el8.s390x.rpm glibc-langpack-as-2.28-164.el8.s390x.rpm glibc-langpack-ast-2.28-164.el8.s390x.rpm glibc-langpack-ayc-2.28-164.el8.s390x.rpm glibc-langpack-az-2.28-164.el8.s390x.rpm glibc-langpack-be-2.28-164.el8.s390x.rpm glibc-langpack-bem-2.28-164.el8.s390x.rpm glibc-langpack-ber-2.28-164.el8.s390x.rpm glibc-langpack-bg-2.28-164.el8.s390x.rpm glibc-langpack-bhb-2.28-164.el8.s390x.rpm glibc-langpack-bho-2.28-164.el8.s390x.rpm glibc-langpack-bi-2.28-164.el8.s390x.rpm glibc-langpack-bn-2.28-164.el8.s390x.rpm glibc-langpack-bo-2.28-164.el8.s390x.rpm glibc-langpack-br-2.28-164.el8.s390x.rpm glibc-langpack-brx-2.28-164.el8.s390x.rpm glibc-langpack-bs-2.28-164.el8.s390x.rpm glibc-langpack-byn-2.28-164.el8.s390x.rpm glibc-langpack-ca-2.28-164.el8.s390x.rpm glibc-langpack-ce-2.28-164.el8.s390x.rpm glibc-langpack-chr-2.28-164.el8.s390x.rpm glibc-langpack-cmn-2.28-164.el8.s390x.rpm glibc-langpack-crh-2.28-164.el8.s390x.rpm glibc-langpack-cs-2.28-164.el8.s390x.rpm glibc-langpack-csb-2.28-164.el8.s390x.rpm glibc-langpack-cv-2.28-164.el8.s390x.rpm glibc-langpack-cy-2.28-164.el8.s390x.rpm glibc-langpack-da-2.28-164.el8.s390x.rpm glibc-langpack-de-2.28-164.el8.s390x.rpm glibc-langpack-doi-2.28-164.el8.s390x.rpm glibc-langpack-dsb-2.28-164.el8.s390x.rpm glibc-langpack-dv-2.28-164.el8.s390x.rpm glibc-langpack-dz-2.28-164.el8.s390x.rpm glibc-langpack-el-2.28-164.el8.s390x.rpm 
glibc-langpack-en-2.28-164.el8.s390x.rpm glibc-langpack-eo-2.28-164.el8.s390x.rpm glibc-langpack-es-2.28-164.el8.s390x.rpm glibc-langpack-et-2.28-164.el8.s390x.rpm glibc-langpack-eu-2.28-164.el8.s390x.rpm glibc-langpack-fa-2.28-164.el8.s390x.rpm glibc-langpack-ff-2.28-164.el8.s390x.rpm glibc-langpack-fi-2.28-164.el8.s390x.rpm glibc-langpack-fil-2.28-164.el8.s390x.rpm glibc-langpack-fo-2.28-164.el8.s390x.rpm glibc-langpack-fr-2.28-164.el8.s390x.rpm glibc-langpack-fur-2.28-164.el8.s390x.rpm glibc-langpack-fy-2.28-164.el8.s390x.rpm glibc-langpack-ga-2.28-164.el8.s390x.rpm glibc-langpack-gd-2.28-164.el8.s390x.rpm glibc-langpack-gez-2.28-164.el8.s390x.rpm glibc-langpack-gl-2.28-164.el8.s390x.rpm glibc-langpack-gu-2.28-164.el8.s390x.rpm glibc-langpack-gv-2.28-164.el8.s390x.rpm glibc-langpack-ha-2.28-164.el8.s390x.rpm glibc-langpack-hak-2.28-164.el8.s390x.rpm glibc-langpack-he-2.28-164.el8.s390x.rpm glibc-langpack-hi-2.28-164.el8.s390x.rpm glibc-langpack-hif-2.28-164.el8.s390x.rpm glibc-langpack-hne-2.28-164.el8.s390x.rpm glibc-langpack-hr-2.28-164.el8.s390x.rpm glibc-langpack-hsb-2.28-164.el8.s390x.rpm glibc-langpack-ht-2.28-164.el8.s390x.rpm glibc-langpack-hu-2.28-164.el8.s390x.rpm glibc-langpack-hy-2.28-164.el8.s390x.rpm glibc-langpack-ia-2.28-164.el8.s390x.rpm glibc-langpack-id-2.28-164.el8.s390x.rpm glibc-langpack-ig-2.28-164.el8.s390x.rpm glibc-langpack-ik-2.28-164.el8.s390x.rpm glibc-langpack-is-2.28-164.el8.s390x.rpm glibc-langpack-it-2.28-164.el8.s390x.rpm glibc-langpack-iu-2.28-164.el8.s390x.rpm glibc-langpack-ja-2.28-164.el8.s390x.rpm glibc-langpack-ka-2.28-164.el8.s390x.rpm glibc-langpack-kab-2.28-164.el8.s390x.rpm glibc-langpack-kk-2.28-164.el8.s390x.rpm glibc-langpack-kl-2.28-164.el8.s390x.rpm glibc-langpack-km-2.28-164.el8.s390x.rpm glibc-langpack-kn-2.28-164.el8.s390x.rpm glibc-langpack-ko-2.28-164.el8.s390x.rpm glibc-langpack-kok-2.28-164.el8.s390x.rpm glibc-langpack-ks-2.28-164.el8.s390x.rpm glibc-langpack-ku-2.28-164.el8.s390x.rpm 
glibc-langpack-kw-2.28-164.el8.s390x.rpm glibc-langpack-ky-2.28-164.el8.s390x.rpm glibc-langpack-lb-2.28-164.el8.s390x.rpm glibc-langpack-lg-2.28-164.el8.s390x.rpm glibc-langpack-li-2.28-164.el8.s390x.rpm glibc-langpack-lij-2.28-164.el8.s390x.rpm glibc-langpack-ln-2.28-164.el8.s390x.rpm glibc-langpack-lo-2.28-164.el8.s390x.rpm glibc-langpack-lt-2.28-164.el8.s390x.rpm glibc-langpack-lv-2.28-164.el8.s390x.rpm glibc-langpack-lzh-2.28-164.el8.s390x.rpm glibc-langpack-mag-2.28-164.el8.s390x.rpm glibc-langpack-mai-2.28-164.el8.s390x.rpm glibc-langpack-mfe-2.28-164.el8.s390x.rpm glibc-langpack-mg-2.28-164.el8.s390x.rpm glibc-langpack-mhr-2.28-164.el8.s390x.rpm glibc-langpack-mi-2.28-164.el8.s390x.rpm glibc-langpack-miq-2.28-164.el8.s390x.rpm glibc-langpack-mjw-2.28-164.el8.s390x.rpm glibc-langpack-mk-2.28-164.el8.s390x.rpm glibc-langpack-ml-2.28-164.el8.s390x.rpm glibc-langpack-mn-2.28-164.el8.s390x.rpm glibc-langpack-mni-2.28-164.el8.s390x.rpm glibc-langpack-mr-2.28-164.el8.s390x.rpm glibc-langpack-ms-2.28-164.el8.s390x.rpm glibc-langpack-mt-2.28-164.el8.s390x.rpm glibc-langpack-my-2.28-164.el8.s390x.rpm glibc-langpack-nan-2.28-164.el8.s390x.rpm glibc-langpack-nb-2.28-164.el8.s390x.rpm glibc-langpack-nds-2.28-164.el8.s390x.rpm glibc-langpack-ne-2.28-164.el8.s390x.rpm glibc-langpack-nhn-2.28-164.el8.s390x.rpm glibc-langpack-niu-2.28-164.el8.s390x.rpm glibc-langpack-nl-2.28-164.el8.s390x.rpm glibc-langpack-nn-2.28-164.el8.s390x.rpm glibc-langpack-nr-2.28-164.el8.s390x.rpm glibc-langpack-nso-2.28-164.el8.s390x.rpm glibc-langpack-oc-2.28-164.el8.s390x.rpm glibc-langpack-om-2.28-164.el8.s390x.rpm glibc-langpack-or-2.28-164.el8.s390x.rpm glibc-langpack-os-2.28-164.el8.s390x.rpm glibc-langpack-pa-2.28-164.el8.s390x.rpm glibc-langpack-pap-2.28-164.el8.s390x.rpm glibc-langpack-pl-2.28-164.el8.s390x.rpm glibc-langpack-ps-2.28-164.el8.s390x.rpm glibc-langpack-pt-2.28-164.el8.s390x.rpm glibc-langpack-quz-2.28-164.el8.s390x.rpm glibc-langpack-raj-2.28-164.el8.s390x.rpm 
glibc-langpack-ro-2.28-164.el8.s390x.rpm glibc-langpack-ru-2.28-164.el8.s390x.rpm glibc-langpack-rw-2.28-164.el8.s390x.rpm glibc-langpack-sa-2.28-164.el8.s390x.rpm glibc-langpack-sah-2.28-164.el8.s390x.rpm glibc-langpack-sat-2.28-164.el8.s390x.rpm glibc-langpack-sc-2.28-164.el8.s390x.rpm glibc-langpack-sd-2.28-164.el8.s390x.rpm glibc-langpack-se-2.28-164.el8.s390x.rpm glibc-langpack-sgs-2.28-164.el8.s390x.rpm glibc-langpack-shn-2.28-164.el8.s390x.rpm glibc-langpack-shs-2.28-164.el8.s390x.rpm glibc-langpack-si-2.28-164.el8.s390x.rpm glibc-langpack-sid-2.28-164.el8.s390x.rpm glibc-langpack-sk-2.28-164.el8.s390x.rpm glibc-langpack-sl-2.28-164.el8.s390x.rpm glibc-langpack-sm-2.28-164.el8.s390x.rpm glibc-langpack-so-2.28-164.el8.s390x.rpm glibc-langpack-sq-2.28-164.el8.s390x.rpm glibc-langpack-sr-2.28-164.el8.s390x.rpm glibc-langpack-ss-2.28-164.el8.s390x.rpm glibc-langpack-st-2.28-164.el8.s390x.rpm glibc-langpack-sv-2.28-164.el8.s390x.rpm glibc-langpack-sw-2.28-164.el8.s390x.rpm glibc-langpack-szl-2.28-164.el8.s390x.rpm glibc-langpack-ta-2.28-164.el8.s390x.rpm glibc-langpack-tcy-2.28-164.el8.s390x.rpm glibc-langpack-te-2.28-164.el8.s390x.rpm glibc-langpack-tg-2.28-164.el8.s390x.rpm glibc-langpack-th-2.28-164.el8.s390x.rpm glibc-langpack-the-2.28-164.el8.s390x.rpm glibc-langpack-ti-2.28-164.el8.s390x.rpm glibc-langpack-tig-2.28-164.el8.s390x.rpm glibc-langpack-tk-2.28-164.el8.s390x.rpm glibc-langpack-tl-2.28-164.el8.s390x.rpm glibc-langpack-tn-2.28-164.el8.s390x.rpm glibc-langpack-to-2.28-164.el8.s390x.rpm glibc-langpack-tpi-2.28-164.el8.s390x.rpm glibc-langpack-tr-2.28-164.el8.s390x.rpm glibc-langpack-ts-2.28-164.el8.s390x.rpm glibc-langpack-tt-2.28-164.el8.s390x.rpm glibc-langpack-ug-2.28-164.el8.s390x.rpm glibc-langpack-uk-2.28-164.el8.s390x.rpm glibc-langpack-unm-2.28-164.el8.s390x.rpm glibc-langpack-ur-2.28-164.el8.s390x.rpm glibc-langpack-uz-2.28-164.el8.s390x.rpm glibc-langpack-ve-2.28-164.el8.s390x.rpm glibc-langpack-vi-2.28-164.el8.s390x.rpm 
glibc-langpack-wa-2.28-164.el8.s390x.rpm glibc-langpack-wae-2.28-164.el8.s390x.rpm glibc-langpack-wal-2.28-164.el8.s390x.rpm glibc-langpack-wo-2.28-164.el8.s390x.rpm glibc-langpack-xh-2.28-164.el8.s390x.rpm glibc-langpack-yi-2.28-164.el8.s390x.rpm glibc-langpack-yo-2.28-164.el8.s390x.rpm glibc-langpack-yue-2.28-164.el8.s390x.rpm glibc-langpack-yuw-2.28-164.el8.s390x.rpm glibc-langpack-zh-2.28-164.el8.s390x.rpm glibc-langpack-zu-2.28-164.el8.s390x.rpm glibc-locale-source-2.28-164.el8.s390x.rpm glibc-minimal-langpack-2.28-164.el8.s390x.rpm libnsl-2.28-164.el8.s390x.rpm nscd-2.28-164.el8.s390x.rpm nss_db-2.28-164.el8.s390x.rpm
x86_64: glibc-2.28-164.el8.i686.rpm glibc-2.28-164.el8.x86_64.rpm glibc-all-langpacks-2.28-164.el8.x86_64.rpm glibc-common-2.28-164.el8.x86_64.rpm glibc-debuginfo-2.28-164.el8.i686.rpm glibc-debuginfo-2.28-164.el8.x86_64.rpm glibc-debuginfo-common-2.28-164.el8.i686.rpm glibc-debuginfo-common-2.28-164.el8.x86_64.rpm glibc-devel-2.28-164.el8.i686.rpm glibc-devel-2.28-164.el8.x86_64.rpm glibc-headers-2.28-164.el8.i686.rpm glibc-headers-2.28-164.el8.x86_64.rpm glibc-langpack-aa-2.28-164.el8.x86_64.rpm glibc-langpack-af-2.28-164.el8.x86_64.rpm glibc-langpack-agr-2.28-164.el8.x86_64.rpm glibc-langpack-ak-2.28-164.el8.x86_64.rpm glibc-langpack-am-2.28-164.el8.x86_64.rpm glibc-langpack-an-2.28-164.el8.x86_64.rpm glibc-langpack-anp-2.28-164.el8.x86_64.rpm glibc-langpack-ar-2.28-164.el8.x86_64.rpm glibc-langpack-as-2.28-164.el8.x86_64.rpm glibc-langpack-ast-2.28-164.el8.x86_64.rpm glibc-langpack-ayc-2.28-164.el8.x86_64.rpm glibc-langpack-az-2.28-164.el8.x86_64.rpm glibc-langpack-be-2.28-164.el8.x86_64.rpm glibc-langpack-bem-2.28-164.el8.x86_64.rpm glibc-langpack-ber-2.28-164.el8.x86_64.rpm glibc-langpack-bg-2.28-164.el8.x86_64.rpm glibc-langpack-bhb-2.28-164.el8.x86_64.rpm glibc-langpack-bho-2.28-164.el8.x86_64.rpm glibc-langpack-bi-2.28-164.el8.x86_64.rpm glibc-langpack-bn-2.28-164.el8.x86_64.rpm glibc-langpack-bo-2.28-164.el8.x86_64.rpm glibc-langpack-br-2.28-164.el8.x86_64.rpm glibc-langpack-brx-2.28-164.el8.x86_64.rpm glibc-langpack-bs-2.28-164.el8.x86_64.rpm glibc-langpack-byn-2.28-164.el8.x86_64.rpm glibc-langpack-ca-2.28-164.el8.x86_64.rpm glibc-langpack-ce-2.28-164.el8.x86_64.rpm glibc-langpack-chr-2.28-164.el8.x86_64.rpm glibc-langpack-cmn-2.28-164.el8.x86_64.rpm glibc-langpack-crh-2.28-164.el8.x86_64.rpm glibc-langpack-cs-2.28-164.el8.x86_64.rpm glibc-langpack-csb-2.28-164.el8.x86_64.rpm glibc-langpack-cv-2.28-164.el8.x86_64.rpm glibc-langpack-cy-2.28-164.el8.x86_64.rpm glibc-langpack-da-2.28-164.el8.x86_64.rpm glibc-langpack-de-2.28-164.el8.x86_64.rpm 
glibc-langpack-doi-2.28-164.el8.x86_64.rpm glibc-langpack-dsb-2.28-164.el8.x86_64.rpm glibc-langpack-dv-2.28-164.el8.x86_64.rpm glibc-langpack-dz-2.28-164.el8.x86_64.rpm glibc-langpack-el-2.28-164.el8.x86_64.rpm glibc-langpack-en-2.28-164.el8.x86_64.rpm glibc-langpack-eo-2.28-164.el8.x86_64.rpm glibc-langpack-es-2.28-164.el8.x86_64.rpm glibc-langpack-et-2.28-164.el8.x86_64.rpm glibc-langpack-eu-2.28-164.el8.x86_64.rpm glibc-langpack-fa-2.28-164.el8.x86_64.rpm glibc-langpack-ff-2.28-164.el8.x86_64.rpm glibc-langpack-fi-2.28-164.el8.x86_64.rpm glibc-langpack-fil-2.28-164.el8.x86_64.rpm glibc-langpack-fo-2.28-164.el8.x86_64.rpm glibc-langpack-fr-2.28-164.el8.x86_64.rpm glibc-langpack-fur-2.28-164.el8.x86_64.rpm glibc-langpack-fy-2.28-164.el8.x86_64.rpm glibc-langpack-ga-2.28-164.el8.x86_64.rpm glibc-langpack-gd-2.28-164.el8.x86_64.rpm glibc-langpack-gez-2.28-164.el8.x86_64.rpm glibc-langpack-gl-2.28-164.el8.x86_64.rpm glibc-langpack-gu-2.28-164.el8.x86_64.rpm glibc-langpack-gv-2.28-164.el8.x86_64.rpm glibc-langpack-ha-2.28-164.el8.x86_64.rpm glibc-langpack-hak-2.28-164.el8.x86_64.rpm glibc-langpack-he-2.28-164.el8.x86_64.rpm glibc-langpack-hi-2.28-164.el8.x86_64.rpm glibc-langpack-hif-2.28-164.el8.x86_64.rpm glibc-langpack-hne-2.28-164.el8.x86_64.rpm glibc-langpack-hr-2.28-164.el8.x86_64.rpm glibc-langpack-hsb-2.28-164.el8.x86_64.rpm glibc-langpack-ht-2.28-164.el8.x86_64.rpm glibc-langpack-hu-2.28-164.el8.x86_64.rpm glibc-langpack-hy-2.28-164.el8.x86_64.rpm glibc-langpack-ia-2.28-164.el8.x86_64.rpm glibc-langpack-id-2.28-164.el8.x86_64.rpm glibc-langpack-ig-2.28-164.el8.x86_64.rpm glibc-langpack-ik-2.28-164.el8.x86_64.rpm glibc-langpack-is-2.28-164.el8.x86_64.rpm glibc-langpack-it-2.28-164.el8.x86_64.rpm glibc-langpack-iu-2.28-164.el8.x86_64.rpm glibc-langpack-ja-2.28-164.el8.x86_64.rpm glibc-langpack-ka-2.28-164.el8.x86_64.rpm glibc-langpack-kab-2.28-164.el8.x86_64.rpm glibc-langpack-kk-2.28-164.el8.x86_64.rpm glibc-langpack-kl-2.28-164.el8.x86_64.rpm 
glibc-langpack-km-2.28-164.el8.x86_64.rpm glibc-langpack-kn-2.28-164.el8.x86_64.rpm glibc-langpack-ko-2.28-164.el8.x86_64.rpm glibc-langpack-kok-2.28-164.el8.x86_64.rpm glibc-langpack-ks-2.28-164.el8.x86_64.rpm glibc-langpack-ku-2.28-164.el8.x86_64.rpm glibc-langpack-kw-2.28-164.el8.x86_64.rpm glibc-langpack-ky-2.28-164.el8.x86_64.rpm glibc-langpack-lb-2.28-164.el8.x86_64.rpm glibc-langpack-lg-2.28-164.el8.x86_64.rpm glibc-langpack-li-2.28-164.el8.x86_64.rpm glibc-langpack-lij-2.28-164.el8.x86_64.rpm glibc-langpack-ln-2.28-164.el8.x86_64.rpm glibc-langpack-lo-2.28-164.el8.x86_64.rpm glibc-langpack-lt-2.28-164.el8.x86_64.rpm glibc-langpack-lv-2.28-164.el8.x86_64.rpm glibc-langpack-lzh-2.28-164.el8.x86_64.rpm glibc-langpack-mag-2.28-164.el8.x86_64.rpm glibc-langpack-mai-2.28-164.el8.x86_64.rpm glibc-langpack-mfe-2.28-164.el8.x86_64.rpm glibc-langpack-mg-2.28-164.el8.x86_64.rpm glibc-langpack-mhr-2.28-164.el8.x86_64.rpm glibc-langpack-mi-2.28-164.el8.x86_64.rpm glibc-langpack-miq-2.28-164.el8.x86_64.rpm glibc-langpack-mjw-2.28-164.el8.x86_64.rpm glibc-langpack-mk-2.28-164.el8.x86_64.rpm glibc-langpack-ml-2.28-164.el8.x86_64.rpm glibc-langpack-mn-2.28-164.el8.x86_64.rpm glibc-langpack-mni-2.28-164.el8.x86_64.rpm glibc-langpack-mr-2.28-164.el8.x86_64.rpm glibc-langpack-ms-2.28-164.el8.x86_64.rpm glibc-langpack-mt-2.28-164.el8.x86_64.rpm glibc-langpack-my-2.28-164.el8.x86_64.rpm glibc-langpack-nan-2.28-164.el8.x86_64.rpm glibc-langpack-nb-2.28-164.el8.x86_64.rpm glibc-langpack-nds-2.28-164.el8.x86_64.rpm glibc-langpack-ne-2.28-164.el8.x86_64.rpm glibc-langpack-nhn-2.28-164.el8.x86_64.rpm glibc-langpack-niu-2.28-164.el8.x86_64.rpm glibc-langpack-nl-2.28-164.el8.x86_64.rpm glibc-langpack-nn-2.28-164.el8.x86_64.rpm glibc-langpack-nr-2.28-164.el8.x86_64.rpm glibc-langpack-nso-2.28-164.el8.x86_64.rpm glibc-langpack-oc-2.28-164.el8.x86_64.rpm glibc-langpack-om-2.28-164.el8.x86_64.rpm glibc-langpack-or-2.28-164.el8.x86_64.rpm glibc-langpack-os-2.28-164.el8.x86_64.rpm 
glibc-langpack-pa-2.28-164.el8.x86_64.rpm glibc-langpack-pap-2.28-164.el8.x86_64.rpm glibc-langpack-pl-2.28-164.el8.x86_64.rpm glibc-langpack-ps-2.28-164.el8.x86_64.rpm glibc-langpack-pt-2.28-164.el8.x86_64.rpm glibc-langpack-quz-2.28-164.el8.x86_64.rpm glibc-langpack-raj-2.28-164.el8.x86_64.rpm glibc-langpack-ro-2.28-164.el8.x86_64.rpm glibc-langpack-ru-2.28-164.el8.x86_64.rpm glibc-langpack-rw-2.28-164.el8.x86_64.rpm glibc-langpack-sa-2.28-164.el8.x86_64.rpm glibc-langpack-sah-2.28-164.el8.x86_64.rpm glibc-langpack-sat-2.28-164.el8.x86_64.rpm glibc-langpack-sc-2.28-164.el8.x86_64.rpm glibc-langpack-sd-2.28-164.el8.x86_64.rpm glibc-langpack-se-2.28-164.el8.x86_64.rpm glibc-langpack-sgs-2.28-164.el8.x86_64.rpm glibc-langpack-shn-2.28-164.el8.x86_64.rpm glibc-langpack-shs-2.28-164.el8.x86_64.rpm glibc-langpack-si-2.28-164.el8.x86_64.rpm glibc-langpack-sid-2.28-164.el8.x86_64.rpm glibc-langpack-sk-2.28-164.el8.x86_64.rpm glibc-langpack-sl-2.28-164.el8.x86_64.rpm glibc-langpack-sm-2.28-164.el8.x86_64.rpm glibc-langpack-so-2.28-164.el8.x86_64.rpm glibc-langpack-sq-2.28-164.el8.x86_64.rpm glibc-langpack-sr-2.28-164.el8.x86_64.rpm glibc-langpack-ss-2.28-164.el8.x86_64.rpm glibc-langpack-st-2.28-164.el8.x86_64.rpm glibc-langpack-sv-2.28-164.el8.x86_64.rpm glibc-langpack-sw-2.28-164.el8.x86_64.rpm glibc-langpack-szl-2.28-164.el8.x86_64.rpm glibc-langpack-ta-2.28-164.el8.x86_64.rpm glibc-langpack-tcy-2.28-164.el8.x86_64.rpm glibc-langpack-te-2.28-164.el8.x86_64.rpm glibc-langpack-tg-2.28-164.el8.x86_64.rpm glibc-langpack-th-2.28-164.el8.x86_64.rpm glibc-langpack-the-2.28-164.el8.x86_64.rpm glibc-langpack-ti-2.28-164.el8.x86_64.rpm glibc-langpack-tig-2.28-164.el8.x86_64.rpm glibc-langpack-tk-2.28-164.el8.x86_64.rpm glibc-langpack-tl-2.28-164.el8.x86_64.rpm glibc-langpack-tn-2.28-164.el8.x86_64.rpm glibc-langpack-to-2.28-164.el8.x86_64.rpm glibc-langpack-tpi-2.28-164.el8.x86_64.rpm glibc-langpack-tr-2.28-164.el8.x86_64.rpm glibc-langpack-ts-2.28-164.el8.x86_64.rpm 
glibc-langpack-tt-2.28-164.el8.x86_64.rpm glibc-langpack-ug-2.28-164.el8.x86_64.rpm glibc-langpack-uk-2.28-164.el8.x86_64.rpm glibc-langpack-unm-2.28-164.el8.x86_64.rpm glibc-langpack-ur-2.28-164.el8.x86_64.rpm glibc-langpack-uz-2.28-164.el8.x86_64.rpm glibc-langpack-ve-2.28-164.el8.x86_64.rpm glibc-langpack-vi-2.28-164.el8.x86_64.rpm glibc-langpack-wa-2.28-164.el8.x86_64.rpm glibc-langpack-wae-2.28-164.el8.x86_64.rpm glibc-langpack-wal-2.28-164.el8.x86_64.rpm glibc-langpack-wo-2.28-164.el8.x86_64.rpm glibc-langpack-xh-2.28-164.el8.x86_64.rpm glibc-langpack-yi-2.28-164.el8.x86_64.rpm glibc-langpack-yo-2.28-164.el8.x86_64.rpm glibc-langpack-yue-2.28-164.el8.x86_64.rpm glibc-langpack-yuw-2.28-164.el8.x86_64.rpm glibc-langpack-zh-2.28-164.el8.x86_64.rpm glibc-langpack-zu-2.28-164.el8.x86_64.rpm glibc-locale-source-2.28-164.el8.x86_64.rpm glibc-minimal-langpack-2.28-164.el8.x86_64.rpm libnsl-2.28-164.el8.i686.rpm libnsl-2.28-164.el8.x86_64.rpm nscd-2.28-164.el8.x86_64.rpm nss_db-2.28-164.el8.i686.rpm nss_db-2.28-164.el8.x86_64.rpm
Red Hat Enterprise Linux CRB (v. 8): [the package list for this channel is cut off in this copy]
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- Summary:
The Migration Toolkit for Containers (MTC) 1.6.3 is now available. Description:
The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/):
2019088 - "MigrationController" CR displays syntax error when unquiescing applications
2021666 - Route name longer than 63 characters causes direct volume migration to fail
2021668 - "MigrationController" CR ignores the "cluster_subdomain" value for direct volume migration routes
2022017 - CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC)
2024966 - Manifests not used by Operator Lifecycle Manager must be removed from the MTC 1.6 Operator image
2027196 - "migration-controller" pod goes into "CrashLoopBackoff" state if an invalid registry route is entered on the "Clusters" page of the web console
2027382 - "Copy oc describe/oc logs" window does not close automatically after timeout
2028841 - "rsync-client" container fails during direct volume migration with "Address family not supported by protocol" error
2031793 - "migration-controller" pod goes into "CrashLoopBackOff" state if "MigPlan" CR contains an invalid "includedResources" resource
2039852 - "migration-controller" pod goes into "CrashLoopBackOff" state if "MigPlan" CR contains an invalid "destMigClusterRef" or "srcMigClusterRef"
- Description:
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Bugs fixed (https://bugzilla.redhat.com/):
2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files
- Bugs fixed (https://bugzilla.redhat.com/):
1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
- JIRA issues fixed (https://issues.jboss.org/):
LOG-1168 - Disable hostname verification in syslog TLS settings
LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd
LOG-1375 - ssl_ca_cert should be optional
LOG-1378 - CLO should support sasl_plaintext(Password over http)
LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate
LOG-1494 - Syslog output is serializing json incorrectly
LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server
LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing
LOG-1735 - Regression introducing flush_at_shutdown
LOG-1774 - The collector logs should be excluded in fluent.conf
LOG-1776 - fluentd total_limit_size sets value beyond available space
LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance
LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled
LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL
LOG-1903 - Fix the Display of ClusterLogging type in OLM
LOG-1911 - CLF API changes to Opt-in to multiline error detection
LOG-1918 - Alert FluentdNodeDown always firing
LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding
- Description:
Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provides a multicloud data management service with an S3 compatible API.
Bug Fix(es):
-
Previously, when the namespace store target was deleted, no alert was sent to the namespace bucket because of an issue in calculating the namespace bucket health. With this update, the issue in calculating the namespace bucket health is fixed and alerts are triggered as expected. (BZ#1993873)
-
Previously, the Multicloud Object Gateway (MCG) components performed slowly and there was a lot of pressure on the MCG components due to non-optimized database queries. With this update the non-optimized database queries are fixed which reduces the compute resources and time taken for queries. Bugs fixed (https://bugzilla.redhat.com/):
1993873 - [4.8.z clone] Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted
2006958 - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: ACS 3.67 security and enhancement update Advisory ID: RHSA-2021:4902-01 Product: RHACS Advisory URL: https://access.redhat.com/errata/RHSA-2021:4902 Issue date: 2021-12-01 CVE Names: CVE-2018-20673 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 CVE-2020-27304 CVE-2021-3200 CVE-2021-3445 CVE-2021-3580 CVE-2021-3749 CVE-2021-3800 CVE-2021-3801 CVE-2021-20231 CVE-2021-20232 CVE-2021-20266 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-23343 CVE-2021-23840 CVE-2021-23841 CVE-2021-27645 CVE-2021-28153 CVE-2021-29923 CVE-2021-32690 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-39293 =====================================================================
- Summary:
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes:
OpenShift Dedicated support
RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform.
-
Use OpenShift OAuth server as an identity provider If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS.
-
Enhancements for CI outputs Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds.
-
Runtime Class policy criteria Users can now use RHACS to define the container runtime configuration that may be used to run a pod’s containers using the Runtime Class policy criteria.
Security Fix(es):
-
civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304)
-
nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
-
nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)
-
golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923)
-
helm: information disclosure vulnerability (CVE-2021-32690)
-
golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)
-
nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fixes The release of RHACS 3.67 includes the following bug fixes:
-
Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed.
-
Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed.
System changes The release of RHACS 3.67 includes the following system changes:
- Scanner now identifies vulnerabilities in Ubuntu 21.10 images.
- The Port exposure method policy criteria now include route as an exposure method.
- The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation.
- The OpenShift Compliance Operator integration now supports using TailoredProfiles.
- The RHACS Jenkins plugin now provides additional security information.
- When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values.
- The default uid:gid pair for the Scanner image is now 65534:65534.
- RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes.
- If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies.
- In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode.
- You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check & deployment check
-
You can now use a regular expression for the deployment name while specifying policy exclusions
-
Solution:
To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67.
- Bugs fixed (https://bugzilla.redhat.com/):
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
1978144 - CVE-2021-32690 helm: information disclosure vulnerability
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
2005445 - CVE-2021-3801 nodejs-prismjs: ReDoS vulnerability
2006044 - CVE-2021-39293 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
2016640 - CVE-2020-27304 civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API
- JIRA issues fixed (https://issues.jboss.org/):
RHACS-65 - Release RHACS 3.67.0
- References:
https://access.redhat.com/security/cve/CVE-2018-20673 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-27304 https://access.redhat.com/security/cve/CVE-2021-3200 https://access.redhat.com/security/cve/CVE-2021-3445 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-3800 https://access.redhat.com/security/cve/CVE-2021-3801 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-20266 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22898 https://access.redhat.com/security/cve/CVE-2021-22925 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-23840 https://access.redhat.com/security/cve/CVE-2021-23841 https://access.redhat.com/security/cve/CVE-2021-27645 https://access.redhat.com/security/cve/CVE-2021-28153 https://access.redhat.com/security/cve/CVE-2021-29923 https://access.redhat.com/security/cve/CVE-2021-32690 https://access.redhat.com/security/cve/CVE-2021-33560 https://access.redhat.com/security/cve/CVE-2021-33574 https://access.redhat.com/security/cve/CVE-2021-35942 
https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-39293 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYafeGdzjgjWX9erEAQgZ8Q/9H5ov4ZfKZszdJu0WvRMetEt6DMU2RTZr Kjv4h4FnmsMDYYDocnkFvsRjcpdGxtoUShAqD6+FrTNXjPtA/v1tsQTJzhg4o50w tKa9T4aHfrYXjGvWgQXJJEGmGaYMYePUOv77x6pLfMB+FmgfOtb8kzOdNzAtqX3e lq8b2DrQuPSRiWkUgFM2hmS7OtUsqTIShqWu67HJdOY74qDN4DGp7GnG6inCrUjV x4/4X5Fb7JrAYiy57C5eZwYW61HmrG7YHk9SZTRYgRW0rfgLncVsny4lX1871Ch2 e8ttu0EJFM1EJyuCJwJd1Q+rhua6S1VSY+etLUuaYme5DtvozLXQTLUK31qAq/hK qnLYQjaSieea9j1dV6YNHjnvV0XGczyZYwzmys/CNVUxwvSHr1AJGmQ3zDeOt7Qz vguWmPzyiob3RtHjfUlUpPYeI6HVug801YK6FAoB9F2BW2uHVgbtKOwG5pl5urJt G4taizPtH8uJj5hem5nHnSE1sVGTiStb4+oj2LQonRkgLQ2h7tsX8Z8yWM/3TwUT PTBX9AIHwt8aCx7XxTeEIs0H9B1T9jYfy06o9H2547un9sBoT0Sm7fqKuJKic8N/ pJ2kXBiVJ9B4G+JjWe8rh1oC1yz5Q5/5HZ19VYBjHhYEhX4s9s2YsF1L1uMoT3NN T0pPNmsPGZY= =ux5P -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/):
1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option
1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
5
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "h700e",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"_id": null,
"model": "e-series santricity os controller",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.0"
},
{
"_id": null,
"model": "e-series santricity os controller",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.70.1"
},
{
"_id": null,
"model": "h500e",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h300e",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h300s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h410s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.32"
},
{
"_id": null,
"model": "h500s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "h700s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 1.0,
"vendor": "gnu",
"version": "2.33"
},
{
"_id": null,
"model": "solidfire baseboard management controller",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "33"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33574"
}
]
},
"credits": {
"_id": null,
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "165286"
},
{
"db": "PACKETSTORM",
"id": "164863"
},
{
"db": "PACKETSTORM",
"id": "165631"
},
{
"db": "PACKETSTORM",
"id": "166051"
},
{
"db": "PACKETSTORM",
"id": "164967"
},
{
"db": "PACKETSTORM",
"id": "165096"
},
{
"db": "PACKETSTORM",
"id": "165129"
},
{
"db": "PACKETSTORM",
"id": "165002"
},
{
"db": "PACKETSTORM",
"id": "165758"
}
],
"trust": 0.9
},
"cve": "CVE-2021-33574",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-33574",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-393646",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-33574",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-33574",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-1666",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-393646",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2021-33574",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393646"
},
{
"db": "VULMON",
"id": "CVE-2021-33574"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
},
{
"db": "NVD",
"id": "CVE-2021-33574"
}
]
},
"description": {
"_id": null,
"data": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. The vulnerability stems from the library\u0027s mq_notify function having a use-after-free feature. Bugs fixed (https://bugzilla.redhat.com/):\n\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way\n2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value\n\n5. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the name\nservice cache daemon (nscd) used by multiple programs on the system. \nWithout these libraries, the Linux system cannot function correctly. \n\nSecurity Fix(es):\n\n* glibc: Arbitrary read in wordexp() (CVE-2021-35942)\n\n* glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c\n(CVE-2021-27645)\n\n* glibc: mq_notify does not handle separately allocated thread attributes\n(CVE-2021-33574)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. 
\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.5 Release Notes linked from the References section. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the glibc library\nmust be restarted, or the system rebooted. Bugs fixed (https://bugzilla.redhat.com/):\n\n1871386 - glibc: Update syscall names for Linux 5.6, 5.7, and 5.8. \n1912670 - semctl SEM_STAT_ANY fails to pass the buffer specified by the caller to the kernel\n1927877 - CVE-2021-27645 glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c [rhel-8]\n1930302 - glibc: provide IPPROTO_MPTCP definition\n1932589 - CVE-2021-27645 glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c\n1935128 - glibc: Rebuild glibc after objcopy fix for bug 1928936 [rhel-8.5.0]\n1965408 - CVE-2021-33574 glibc: mq_notify does not handle separately allocated thread attributes\n1977975 - CVE-2021-35942 glibc: Arbitrary read in wordexp()\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 
8):\n\nSource:\nglibc-2.28-164.el8.src.rpm\n\naarch64:\nglibc-2.28-164.el8.aarch64.rpm\nglibc-all-langpacks-2.28-164.el8.aarch64.rpm\nglibc-common-2.28-164.el8.aarch64.rpm\nglibc-debuginfo-2.28-164.el8.aarch64.rpm\nglibc-devel-2.28-164.el8.aarch64.rpm\nglibc-headers-2.28-164.el8.aarch64.rpm\nglibc-langpack-aa-2.28-164.el8.aarch64.rpm\nglibc-langpack-af-2.28-164.el8.aarch64.rpm\nglibc-langpack-agr-2.28-164.el8.aarch64.rpm\nglibc-langpack-ak-2.28-164.el8.aarch64.rpm\nglibc-langpack-am-2.28-164.el8.aarch64.rpm\nglibc-langpack-an-2.28-164.el8.aarch64.rpm\nglibc-langpack-anp-2.28-164.el8.aarch64.rpm\nglibc-langpack-ar-2.28-164.el8.aarch64.rpm\nglibc-langpack-as-2.28-164.el8.aarch64.rpm\nglibc-langpack-ast-2.28-164.el8.aarch64.rpm\nglibc-langpack-ayc-2.28-164.el8.aarch64.rpm\nglibc-langpack-az-2.28-164.el8.aarch64.rpm\nglibc-langpack-be-2.28-164.el8.aarch64.rpm\nglibc-langpack-bem-2.28-164.el8.aarch64.rpm\nglibc-langpack-ber-2.28-164.el8.aarch64.rpm\nglibc-langpack-bg-2.28-164.el8.aarch64.rpm\nglibc-langpack-bhb-2.28-164.el8.aarch64.rpm\nglibc-langpack-bho-2.28-164.el8.aarch64.rpm\nglibc-langpack-bi-2.28-164.el8.aarch64.rpm\nglibc-langpack-bn-2.28-164.el8.aarch64.rpm\nglibc-langpack-bo-2.28-164.el8.aarch64.rpm\nglibc-langpack-br-2.28-164.el8.aarch64.rpm\nglibc-langpack-brx-2.28-164.el8.aarch64.rpm\nglibc-langpack-bs-2.28-164.el8.aarch64.rpm\nglibc-langpack-byn-2.28-164.el8.aarch64.rpm\nglibc-langpack-ca-2.28-164.el8.aarch64.rpm\nglibc-langpack-ce-2.28-164.el8.aarch64.rpm\nglibc-langpack-chr-2.28-164.el8.aarch64.rpm\nglibc-langpack-cmn-2.28-164.el8.aarch64.rpm\nglibc-langpack-crh-2.28-164.el8.aarch64.rpm\nglibc-langpack-cs-2.28-164.el8.aarch64.rpm\nglibc-langpack-csb-2.28-164.el8.aarch64.rpm\nglibc-langpack-cv-2.28-164.el8.aarch64.rpm\nglibc-langpack-cy-2.28-164.el8.aarch64.rpm\nglibc-langpack-da-2.28-164.el8.aarch64.rpm\nglibc-langpack-de-2.28-164.el8.aarch64.rpm\nglibc-langpack-doi-2.28-164.el8.aarch64.rpm\nglibc-langpack-dsb-2.28-164.el8.aarch64.rpm\nglibc-langpack-dv-2
.28-164.el8.aarch64.rpm\nglibc-langpack-dz-2.28-164.el8.aarch64.rpm\nglibc-langpack-el-2.28-164.el8.aarch64.rpm\nglibc-langpack-en-2.28-164.el8.aarch64.rpm\nglibc-langpack-eo-2.28-164.el8.aarch64.rpm\nglibc-langpack-es-2.28-164.el8.aarch64.rpm\nglibc-langpack-et-2.28-164.el8.aarch64.rpm\nglibc-langpack-eu-2.28-164.el8.aarch64.rpm\nglibc-langpack-fa-2.28-164.el8.aarch64.rpm\nglibc-langpack-ff-2.28-164.el8.aarch64.rpm\nglibc-langpack-fi-2.28-164.el8.aarch64.rpm\nglibc-langpack-fil-2.28-164.el8.aarch64.rpm\nglibc-langpack-fo-2.28-164.el8.aarch64.rpm\nglibc-langpack-fr-2.28-164.el8.aarch64.rpm\nglibc-langpack-fur-2.28-164.el8.aarch64.rpm\nglibc-langpack-fy-2.28-164.el8.aarch64.rpm\nglibc-langpack-ga-2.28-164.el8.aarch64.rpm\nglibc-langpack-gd-2.28-164.el8.aarch64.rpm\nglibc-langpack-gez-2.28-164.el8.aarch64.rpm\nglibc-langpack-gl-2.28-164.el8.aarch64.rpm\nglibc-langpack-gu-2.28-164.el8.aarch64.rpm\nglibc-langpack-gv-2.28-164.el8.aarch64.rpm\nglibc-langpack-ha-2.28-164.el8.aarch64.rpm\nglibc-langpack-hak-2.28-164.el8.aarch64.rpm\nglibc-langpack-he-2.28-164.el8.aarch64.rpm\nglibc-langpack-hi-2.28-164.el8.aarch64.rpm\nglibc-langpack-hif-2.28-164.el8.aarch64.rpm\nglibc-langpack-hne-2.28-164.el8.aarch64.rpm\nglibc-langpack-hr-2.28-164.el8.aarch64.rpm\nglibc-langpack-hsb-2.28-164.el8.aarch64.rpm\nglibc-langpack-ht-2.28-164.el8.aarch64.rpm\nglibc-langpack-hu-2.28-164.el8.aarch64.rpm\nglibc-langpack-hy-2.28-164.el8.aarch64.rpm\nglibc-langpack-ia-2.28-164.el8.aarch64.rpm\nglibc-langpack-id-2.28-164.el8.aarch64.rpm\nglibc-langpack-ig-2.28-164.el8.aarch64.rpm\nglibc-langpack-ik-2.28-164.el8.aarch64.rpm\nglibc-langpack-is-2.28-164.el8.aarch64.rpm\nglibc-langpack-it-2.28-164.el8.aarch64.rpm\nglibc-langpack-iu-2.28-164.el8.aarch64.rpm\nglibc-langpack-ja-2.28-164.el8.aarch64.rpm\nglibc-langpack-ka-2.28-164.el8.aarch64.rpm\nglibc-langpack-kab-2.28-164.el8.aarch64.rpm\nglibc-langpack-kk-2.28-164.el8.aarch64.rpm\nglibc-langpack-kl-2.28-164.el8.aarch64.rpm\nglibc-langpack-km-2.28-164.el8.
aarch64.rpm\nglibc-langpack-kn-2.28-164.el8.aarch64.rpm\nglibc-langpack-ko-2.28-164.el8.aarch64.rpm\nglibc-langpack-kok-2.28-164.el8.aarch64.rpm\nglibc-langpack-ks-2.28-164.el8.aarch64.rpm\nglibc-langpack-ku-2.28-164.el8.aarch64.rpm\nglibc-langpack-kw-2.28-164.el8.aarch64.rpm\nglibc-langpack-ky-2.28-164.el8.aarch64.rpm\nglibc-langpack-lb-2.28-164.el8.aarch64.rpm\nglibc-langpack-lg-2.28-164.el8.aarch64.rpm\nglibc-langpack-li-2.28-164.el8.aarch64.rpm\nglibc-langpack-lij-2.28-164.el8.aarch64.rpm\nglibc-langpack-ln-2.28-164.el8.aarch64.rpm\nglibc-langpack-lo-2.28-164.el8.aarch64.rpm\nglibc-langpack-lt-2.28-164.el8.aarch64.rpm\nglibc-langpack-lv-2.28-164.el8.aarch64.rpm\nglibc-langpack-lzh-2.28-164.el8.aarch64.rpm\nglibc-langpack-mag-2.28-164.el8.aarch64.rpm\nglibc-langpack-mai-2.28-164.el8.aarch64.rpm\nglibc-langpack-mfe-2.28-164.el8.aarch64.rpm\nglibc-langpack-mg-2.28-164.el8.aarch64.rpm\nglibc-langpack-mhr-2.28-164.el8.aarch64.rpm\nglibc-langpack-mi-2.28-164.el8.aarch64.rpm\nglibc-langpack-miq-2.28-164.el8.aarch64.rpm\nglibc-langpack-mjw-2.28-164.el8.aarch64.rpm\nglibc-langpack-mk-2.28-164.el8.aarch64.rpm\nglibc-langpack-ml-2.28-164.el8.aarch64.rpm\nglibc-langpack-mn-2.28-164.el8.aarch64.rpm\nglibc-langpack-mni-2.28-164.el8.aarch64.rpm\nglibc-langpack-mr-2.28-164.el8.aarch64.rpm\nglibc-langpack-ms-2.28-164.el8.aarch64.rpm\nglibc-langpack-mt-2.28-164.el8.aarch64.rpm\nglibc-langpack-my-2.28-164.el8.aarch64.rpm\nglibc-langpack-nan-2.28-164.el8.aarch64.rpm\nglibc-langpack-nb-2.28-164.el8.aarch64.rpm\nglibc-langpack-nds-2.28-164.el8.aarch64.rpm\nglibc-langpack-ne-2.28-164.el8.aarch64.rpm\nglibc-langpack-nhn-2.28-164.el8.aarch64.rpm\nglibc-langpack-niu-2.28-164.el8.aarch64.rpm\nglibc-langpack-nl-2.28-164.el8.aarch64.rpm\nglibc-langpack-nn-2.28-164.el8.aarch64.rpm\nglibc-langpack-nr-2.28-164.el8.aarch64.rpm\nglibc-langpack-nso-2.28-164.el8.aarch64.rpm\nglibc-langpack-oc-2.28-164.el8.aarch64.rpm\nglibc-langpack-om-2.28-164.el8.aarch64.rpm\nglibc-langpack-or-2.28-164.el8.aarch
64.rpm\nglibc-langpack-os-2.28-164.el8.aarch64.rpm\nglibc-langpack-pa-2.28-164.el8.aarch64.rpm\nglibc-langpack-pap-2.28-164.el8.aarch64.rpm\nglibc-langpack-pl-2.28-164.el8.aarch64.rpm\nglibc-langpack-ps-2.28-164.el8.aarch64.rpm\nglibc-langpack-pt-2.28-164.el8.aarch64.rpm\nglibc-langpack-quz-2.28-164.el8.aarch64.rpm\nglibc-langpack-raj-2.28-164.el8.aarch64.rpm\nglibc-langpack-ro-2.28-164.el8.aarch64.rpm\nglibc-langpack-ru-2.28-164.el8.aarch64.rpm\nglibc-langpack-rw-2.28-164.el8.aarch64.rpm\nglibc-langpack-sa-2.28-164.el8.aarch64.rpm\nglibc-langpack-sah-2.28-164.el8.aarch64.rpm\nglibc-langpack-sat-2.28-164.el8.aarch64.rpm\nglibc-langpack-sc-2.28-164.el8.aarch64.rpm\nglibc-langpack-sd-2.28-164.el8.aarch64.rpm\nglibc-langpack-se-2.28-164.el8.aarch64.rpm\nglibc-langpack-sgs-2.28-164.el8.aarch64.rpm\nglibc-langpack-shn-2.28-164.el8.aarch64.rpm\nglibc-langpack-shs-2.28-164.el8.aarch64.rpm\nglibc-langpack-si-2.28-164.el8.aarch64.rpm\nglibc-langpack-sid-2.28-164.el8.aarch64.rpm\nglibc-langpack-sk-2.28-164.el8.aarch64.rpm\nglibc-langpack-sl-2.28-164.el8.aarch64.rpm\nglibc-langpack-sm-2.28-164.el8.aarch64.rpm\nglibc-langpack-so-2.28-164.el8.aarch64.rpm\nglibc-langpack-sq-2.28-164.el8.aarch64.rpm\nglibc-langpack-sr-2.28-164.el8.aarch64.rpm\nglibc-langpack-ss-2.28-164.el8.aarch64.rpm\nglibc-langpack-st-2.28-164.el8.aarch64.rpm\nglibc-langpack-sv-2.28-164.el8.aarch64.rpm\nglibc-langpack-sw-2.28-164.el8.aarch64.rpm\nglibc-langpack-szl-2.28-164.el8.aarch64.rpm\nglibc-langpack-ta-2.28-164.el8.aarch64.rpm\nglibc-langpack-tcy-2.28-164.el8.aarch64.rpm\nglibc-langpack-te-2.28-164.el8.aarch64.rpm\nglibc-langpack-tg-2.28-164.el8.aarch64.rpm\nglibc-langpack-th-2.28-164.el8.aarch64.rpm\nglibc-langpack-the-2.28-164.el8.aarch64.rpm\nglibc-langpack-ti-2.28-164.el8.aarch64.rpm\nglibc-langpack-tig-2.28-164.el8.aarch64.rpm\nglibc-langpack-tk-2.28-164.el8.aarch64.rpm\nglibc-langpack-tl-2.28-164.el8.aarch64.rpm\nglibc-langpack-tn-2.28-164.el8.aarch64.rpm\nglibc-langpack-to-2.28-164.el8.aarch64.rpm\
nglibc-langpack-tpi-2.28-164.el8.aarch64.rpm\nglibc-langpack-tr-2.28-164.el8.aarch64.rpm\nglibc-langpack-ts-2.28-164.el8.aarch64.rpm\nglibc-langpack-tt-2.28-164.el8.aarch64.rpm\nglibc-langpack-ug-2.28-164.el8.aarch64.rpm\nglibc-langpack-uk-2.28-164.el8.aarch64.rpm\nglibc-langpack-unm-2.28-164.el8.aarch64.rpm\nglibc-langpack-ur-2.28-164.el8.aarch64.rpm\nglibc-langpack-uz-2.28-164.el8.aarch64.rpm\nglibc-langpack-ve-2.28-164.el8.aarch64.rpm\nglibc-langpack-vi-2.28-164.el8.aarch64.rpm\nglibc-langpack-wa-2.28-164.el8.aarch64.rpm\nglibc-langpack-wae-2.28-164.el8.aarch64.rpm\nglibc-langpack-wal-2.28-164.el8.aarch64.rpm\nglibc-langpack-wo-2.28-164.el8.aarch64.rpm\nglibc-langpack-xh-2.28-164.el8.aarch64.rpm\nglibc-langpack-yi-2.28-164.el8.aarch64.rpm\nglibc-langpack-yo-2.28-164.el8.aarch64.rpm\nglibc-langpack-yue-2.28-164.el8.aarch64.rpm\nglibc-langpack-yuw-2.28-164.el8.aarch64.rpm\nglibc-langpack-zh-2.28-164.el8.aarch64.rpm\nglibc-langpack-zu-2.28-164.el8.aarch64.rpm\nglibc-locale-source-2.28-164.el8.aarch64.rpm\nglibc-minimal-langpack-2.28-164.el8.aarch64.rpm\nlibnsl-2.28-164.el8.aarch64.rpm\nnscd-2.28-164.el8.aarch64.rpm\nnss_db-2.28-164.el8.aarch64.rpm\n\nppc64le:\nglibc-2.28-164.el8.ppc64le.rpm\nglibc-all-langpacks-2.28-164.el8.ppc64le.rpm\nglibc-common-2.28-164.el8.ppc64le.rpm\nglibc-debuginfo-2.28-164.el8.ppc64le.rpm\nglibc-debuginfo-common-2.28-164.el8.ppc64le.rpm\nglibc-devel-2.28-164.el8.ppc64le.rpm\nglibc-headers-2.28-164.el8.ppc64le.rpm\nglibc-langpack-aa-2.28-164.el8.ppc64le.rpm\nglibc-langpack-af-2.28-164.el8.ppc64le.rpm\nglibc-langpack-agr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ak-2.28-164.el8.ppc64le.rpm\nglibc-langpack-am-2.28-164.el8.ppc64le.rpm\nglibc-langpack-an-2.28-164.el8.ppc64le.rpm\nglibc-langpack-anp-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ar-2.28-164.el8.ppc64le.rpm\nglibc-langpack-as-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ast-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ayc-2.28-164.el8.ppc64le.rpm\nglibc-langpack-az-2.28-164.el8.ppc64le.rpm\ngli
bc-langpack-be-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bem-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ber-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bg-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bhb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bho-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-br-2.28-164.el8.ppc64le.rpm\nglibc-langpack-brx-2.28-164.el8.ppc64le.rpm\nglibc-langpack-bs-2.28-164.el8.ppc64le.rpm\nglibc-langpack-byn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ca-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ce-2.28-164.el8.ppc64le.rpm\nglibc-langpack-chr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-cmn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-crh-2.28-164.el8.ppc64le.rpm\nglibc-langpack-cs-2.28-164.el8.ppc64le.rpm\nglibc-langpack-csb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-cv-2.28-164.el8.ppc64le.rpm\nglibc-langpack-cy-2.28-164.el8.ppc64le.rpm\nglibc-langpack-da-2.28-164.el8.ppc64le.rpm\nglibc-langpack-de-2.28-164.el8.ppc64le.rpm\nglibc-langpack-doi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-dsb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-dv-2.28-164.el8.ppc64le.rpm\nglibc-langpack-dz-2.28-164.el8.ppc64le.rpm\nglibc-langpack-el-2.28-164.el8.ppc64le.rpm\nglibc-langpack-en-2.28-164.el8.ppc64le.rpm\nglibc-langpack-eo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-es-2.28-164.el8.ppc64le.rpm\nglibc-langpack-et-2.28-164.el8.ppc64le.rpm\nglibc-langpack-eu-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fa-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ff-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fil-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fur-2.28-164.el8.ppc64le.rpm\nglibc-langpack-fy-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ga-2.28-164.el8.ppc64le.rpm\nglibc-langpack-gd-2.28-164.el8.ppc64le.rpm\nglibc-langpack-gez-2.28-164.el8.ppc64le.rpm\nglibc-la
ngpack-gl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-gu-2.28-164.el8.ppc64le.rpm\nglibc-langpack-gv-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ha-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hak-2.28-164.el8.ppc64le.rpm\nglibc-langpack-he-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hif-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hne-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hsb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ht-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hu-2.28-164.el8.ppc64le.rpm\nglibc-langpack-hy-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ia-2.28-164.el8.ppc64le.rpm\nglibc-langpack-id-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ig-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ik-2.28-164.el8.ppc64le.rpm\nglibc-langpack-is-2.28-164.el8.ppc64le.rpm\nglibc-langpack-it-2.28-164.el8.ppc64le.rpm\nglibc-langpack-iu-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ja-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ka-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kab-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kk-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-km-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ko-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kok-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ks-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ku-2.28-164.el8.ppc64le.rpm\nglibc-langpack-kw-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ky-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lg-2.28-164.el8.ppc64le.rpm\nglibc-langpack-li-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lij-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ln-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lt-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lv-2.28-164.el8.ppc64le.rpm\nglibc-langpack-lzh-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mag-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mai-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mfe
-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mg-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mhr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-miq-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mjw-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mk-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ml-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mni-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ms-2.28-164.el8.ppc64le.rpm\nglibc-langpack-mt-2.28-164.el8.ppc64le.rpm\nglibc-langpack-my-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nan-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nb-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nds-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ne-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nhn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-niu-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-nso-2.28-164.el8.ppc64le.rpm\nglibc-langpack-oc-2.28-164.el8.ppc64le.rpm\nglibc-langpack-om-2.28-164.el8.ppc64le.rpm\nglibc-langpack-or-2.28-164.el8.ppc64le.rpm\nglibc-langpack-os-2.28-164.el8.ppc64le.rpm\nglibc-langpack-pa-2.28-164.el8.ppc64le.rpm\nglibc-langpack-pap-2.28-164.el8.ppc64le.rpm\nglibc-langpack-pl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ps-2.28-164.el8.ppc64le.rpm\nglibc-langpack-pt-2.28-164.el8.ppc64le.rpm\nglibc-langpack-quz-2.28-164.el8.ppc64le.rpm\nglibc-langpack-raj-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ro-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ru-2.28-164.el8.ppc64le.rpm\nglibc-langpack-rw-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sa-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sah-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sat-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sc-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sd-2.28-164.el8.ppc64le.rpm\nglibc-langpack-se-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sgs-2.28-164.el8.ppc64le.rpm\nglibc-langpack-shn-2.2
8-164.el8.ppc64le.rpm\nglibc-langpack-shs-2.28-164.el8.ppc64le.rpm\nglibc-langpack-si-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sid-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sk-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sm-2.28-164.el8.ppc64le.rpm\nglibc-langpack-so-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sq-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ss-2.28-164.el8.ppc64le.rpm\nglibc-langpack-st-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sv-2.28-164.el8.ppc64le.rpm\nglibc-langpack-sw-2.28-164.el8.ppc64le.rpm\nglibc-langpack-szl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ta-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tcy-2.28-164.el8.ppc64le.rpm\nglibc-langpack-te-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tg-2.28-164.el8.ppc64le.rpm\nglibc-langpack-th-2.28-164.el8.ppc64le.rpm\nglibc-langpack-the-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ti-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tig-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tk-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tl-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tn-2.28-164.el8.ppc64le.rpm\nglibc-langpack-to-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tpi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tr-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ts-2.28-164.el8.ppc64le.rpm\nglibc-langpack-tt-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ug-2.28-164.el8.ppc64le.rpm\nglibc-langpack-uk-2.28-164.el8.ppc64le.rpm\nglibc-langpack-unm-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ur-2.28-164.el8.ppc64le.rpm\nglibc-langpack-uz-2.28-164.el8.ppc64le.rpm\nglibc-langpack-ve-2.28-164.el8.ppc64le.rpm\nglibc-langpack-vi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-wa-2.28-164.el8.ppc64le.rpm\nglibc-langpack-wae-2.28-164.el8.ppc64le.rpm\nglibc-langpack-wal-2.28-164.el8.ppc64le.rpm\nglibc-langpack-wo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-xh-2.28-164.el8.ppc64le.rpm\nglibc-langpack-yi-2.28-164.el8.ppc64le.rpm\nglibc-langpack-yo-2.28-164.el8.ppc64le.rpm\nglibc-langpack-yue-2.28-164.el8
.ppc64le.rpm\nglibc-langpack-yuw-2.28-164.el8.ppc64le.rpm\nglibc-langpack-zh-2.28-164.el8.ppc64le.rpm\nglibc-langpack-zu-2.28-164.el8.ppc64le.rpm\nglibc-locale-source-2.28-164.el8.ppc64le.rpm\nglibc-minimal-langpack-2.28-164.el8.ppc64le.rpm\nlibnsl-2.28-164.el8.ppc64le.rpm\nnscd-2.28-164.el8.ppc64le.rpm\nnss_db-2.28-164.el8.ppc64le.rpm\n\ns390x:\nglibc-2.28-164.el8.s390x.rpm\nglibc-all-langpacks-2.28-164.el8.s390x.rpm\nglibc-common-2.28-164.el8.s390x.rpm\nglibc-debuginfo-2.28-164.el8.s390x.rpm\nglibc-debuginfo-common-2.28-164.el8.s390x.rpm\nglibc-devel-2.28-164.el8.s390x.rpm\nglibc-headers-2.28-164.el8.s390x.rpm\nglibc-langpack-aa-2.28-164.el8.s390x.rpm\nglibc-langpack-af-2.28-164.el8.s390x.rpm\nglibc-langpack-agr-2.28-164.el8.s390x.rpm\nglibc-langpack-ak-2.28-164.el8.s390x.rpm\nglibc-langpack-am-2.28-164.el8.s390x.rpm\nglibc-langpack-an-2.28-164.el8.s390x.rpm\nglibc-langpack-anp-2.28-164.el8.s390x.rpm\nglibc-langpack-ar-2.28-164.el8.s390x.rpm\nglibc-langpack-as-2.28-164.el8.s390x.rpm\nglibc-langpack-ast-2.28-164.el8.s390x.rpm\nglibc-langpack-ayc-2.28-164.el8.s390x.rpm\nglibc-langpack-az-2.28-164.el8.s390x.rpm\nglibc-langpack-be-2.28-164.el8.s390x.rpm\nglibc-langpack-bem-2.28-164.el8.s390x.rpm\nglibc-langpack-ber-2.28-164.el8.s390x.rpm\nglibc-langpack-bg-2.28-164.el8.s390x.rpm\nglibc-langpack-bhb-2.28-164.el8.s390x.rpm\nglibc-langpack-bho-2.28-164.el8.s390x.rpm\nglibc-langpack-bi-2.28-164.el8.s390x.rpm\nglibc-langpack-bn-2.28-164.el8.s390x.rpm\nglibc-langpack-bo-2.28-164.el8.s390x.rpm\nglibc-langpack-br-2.28-164.el8.s390x.rpm\nglibc-langpack-brx-2.28-164.el8.s390x.rpm\nglibc-langpack-bs-2.28-164.el8.s390x.rpm\nglibc-langpack-byn-2.28-164.el8.s390x.rpm\nglibc-langpack-ca-2.28-164.el8.s390x.rpm\nglibc-langpack-ce-2.28-164.el8.s390x.rpm\nglibc-langpack-chr-2.28-164.el8.s390x.rpm\nglibc-langpack-cmn-2.28-164.el8.s390x.rpm\nglibc-langpack-crh-2.28-164.el8.s390x.rpm\nglibc-langpack-cs-2.28-164.el8.s390x.rpm\nglibc-langpack-csb-2.28-164.el8.s390x.rpm\nglibc-langpack-cv-2.2
8-164.el8.s390x.rpm\nglibc-langpack-cy-2.28-164.el8.s390x.rpm\nglibc-langpack-da-2.28-164.el8.s390x.rpm\nglibc-langpack-de-2.28-164.el8.s390x.rpm\nglibc-langpack-doi-2.28-164.el8.s390x.rpm\nglibc-langpack-dsb-2.28-164.el8.s390x.rpm\nglibc-langpack-dv-2.28-164.el8.s390x.rpm\nglibc-langpack-dz-2.28-164.el8.s390x.rpm\nglibc-langpack-el-2.28-164.el8.s390x.rpm\nglibc-langpack-en-2.28-164.el8.s390x.rpm\nglibc-langpack-eo-2.28-164.el8.s390x.rpm\nglibc-langpack-es-2.28-164.el8.s390x.rpm\nglibc-langpack-et-2.28-164.el8.s390x.rpm\nglibc-langpack-eu-2.28-164.el8.s390x.rpm\nglibc-langpack-fa-2.28-164.el8.s390x.rpm\nglibc-langpack-ff-2.28-164.el8.s390x.rpm\nglibc-langpack-fi-2.28-164.el8.s390x.rpm\nglibc-langpack-fil-2.28-164.el8.s390x.rpm\nglibc-langpack-fo-2.28-164.el8.s390x.rpm\nglibc-langpack-fr-2.28-164.el8.s390x.rpm\nglibc-langpack-fur-2.28-164.el8.s390x.rpm\nglibc-langpack-fy-2.28-164.el8.s390x.rpm\nglibc-langpack-ga-2.28-164.el8.s390x.rpm\nglibc-langpack-gd-2.28-164.el8.s390x.rpm\nglibc-langpack-gez-2.28-164.el8.s390x.rpm\nglibc-langpack-gl-2.28-164.el8.s390x.rpm\nglibc-langpack-gu-2.28-164.el8.s390x.rpm\nglibc-langpack-gv-2.28-164.el8.s390x.rpm\nglibc-langpack-ha-2.28-164.el8.s390x.rpm\nglibc-langpack-hak-2.28-164.el8.s390x.rpm\nglibc-langpack-he-2.28-164.el8.s390x.rpm\nglibc-langpack-hi-2.28-164.el8.s390x.rpm\nglibc-langpack-hif-2.28-164.el8.s390x.rpm\nglibc-langpack-hne-2.28-164.el8.s390x.rpm\nglibc-langpack-hr-2.28-164.el8.s390x.rpm\nglibc-langpack-hsb-2.28-164.el8.s390x.rpm\nglibc-langpack-ht-2.28-164.el8.s390x.rpm\nglibc-langpack-hu-2.28-164.el8.s390x.rpm\nglibc-langpack-hy-2.28-164.el8.s390x.rpm\nglibc-langpack-ia-2.28-164.el8.s390x.rpm\nglibc-langpack-id-2.28-164.el8.s390x.rpm\nglibc-langpack-ig-2.28-164.el8.s390x.rpm\nglibc-langpack-ik-2.28-164.el8.s390x.rpm\nglibc-langpack-is-2.28-164.el8.s390x.rpm\nglibc-langpack-it-2.28-164.el8.s390x.rpm\nglibc-langpack-iu-2.28-164.el8.s390x.rpm\nglibc-langpack-ja-2.28-164.el8.s390x.rpm\nglibc-langpack-ka-2.28-164.el8.s390x.r
pm\nglibc-langpack-kab-2.28-164.el8.s390x.rpm\nglibc-langpack-kk-2.28-164.el8.s390x.rpm\nglibc-langpack-kl-2.28-164.el8.s390x.rpm\nglibc-langpack-km-2.28-164.el8.s390x.rpm\nglibc-langpack-kn-2.28-164.el8.s390x.rpm\nglibc-langpack-ko-2.28-164.el8.s390x.rpm\nglibc-langpack-kok-2.28-164.el8.s390x.rpm\nglibc-langpack-ks-2.28-164.el8.s390x.rpm\nglibc-langpack-ku-2.28-164.el8.s390x.rpm\nglibc-langpack-kw-2.28-164.el8.s390x.rpm\nglibc-langpack-ky-2.28-164.el8.s390x.rpm\nglibc-langpack-lb-2.28-164.el8.s390x.rpm\nglibc-langpack-lg-2.28-164.el8.s390x.rpm\nglibc-langpack-li-2.28-164.el8.s390x.rpm\nglibc-langpack-lij-2.28-164.el8.s390x.rpm\nglibc-langpack-ln-2.28-164.el8.s390x.rpm\nglibc-langpack-lo-2.28-164.el8.s390x.rpm\nglibc-langpack-lt-2.28-164.el8.s390x.rpm\nglibc-langpack-lv-2.28-164.el8.s390x.rpm\nglibc-langpack-lzh-2.28-164.el8.s390x.rpm\nglibc-langpack-mag-2.28-164.el8.s390x.rpm\nglibc-langpack-mai-2.28-164.el8.s390x.rpm\nglibc-langpack-mfe-2.28-164.el8.s390x.rpm\nglibc-langpack-mg-2.28-164.el8.s390x.rpm\nglibc-langpack-mhr-2.28-164.el8.s390x.rpm\nglibc-langpack-mi-2.28-164.el8.s390x.rpm\nglibc-langpack-miq-2.28-164.el8.s390x.rpm\nglibc-langpack-mjw-2.28-164.el8.s390x.rpm\nglibc-langpack-mk-2.28-164.el8.s390x.rpm\nglibc-langpack-ml-2.28-164.el8.s390x.rpm\nglibc-langpack-mn-2.28-164.el8.s390x.rpm\nglibc-langpack-mni-2.28-164.el8.s390x.rpm\nglibc-langpack-mr-2.28-164.el8.s390x.rpm\nglibc-langpack-ms-2.28-164.el8.s390x.rpm\nglibc-langpack-mt-2.28-164.el8.s390x.rpm\nglibc-langpack-my-2.28-164.el8.s390x.rpm\nglibc-langpack-nan-2.28-164.el8.s390x.rpm\nglibc-langpack-nb-2.28-164.el8.s390x.rpm\nglibc-langpack-nds-2.28-164.el8.s390x.rpm\nglibc-langpack-ne-2.28-164.el8.s390x.rpm\nglibc-langpack-nhn-2.28-164.el8.s390x.rpm\nglibc-langpack-niu-2.28-164.el8.s390x.rpm\nglibc-langpack-nl-2.28-164.el8.s390x.rpm\nglibc-langpack-nn-2.28-164.el8.s390x.rpm\nglibc-langpack-nr-2.28-164.el8.s390x.rpm\nglibc-langpack-nso-2.28-164.el8.s390x.rpm\nglibc-langpack-oc-2.28-164.el8.s390x.rpm\nglibc-
langpack-om-2.28-164.el8.s390x.rpm\nglibc-langpack-or-2.28-164.el8.s390x.rpm\nglibc-langpack-os-2.28-164.el8.s390x.rpm\nglibc-langpack-pa-2.28-164.el8.s390x.rpm\nglibc-langpack-pap-2.28-164.el8.s390x.rpm\nglibc-langpack-pl-2.28-164.el8.s390x.rpm\nglibc-langpack-ps-2.28-164.el8.s390x.rpm\nglibc-langpack-pt-2.28-164.el8.s390x.rpm\nglibc-langpack-quz-2.28-164.el8.s390x.rpm\nglibc-langpack-raj-2.28-164.el8.s390x.rpm\nglibc-langpack-ro-2.28-164.el8.s390x.rpm\nglibc-langpack-ru-2.28-164.el8.s390x.rpm\nglibc-langpack-rw-2.28-164.el8.s390x.rpm\nglibc-langpack-sa-2.28-164.el8.s390x.rpm\nglibc-langpack-sah-2.28-164.el8.s390x.rpm\nglibc-langpack-sat-2.28-164.el8.s390x.rpm\nglibc-langpack-sc-2.28-164.el8.s390x.rpm\nglibc-langpack-sd-2.28-164.el8.s390x.rpm\nglibc-langpack-se-2.28-164.el8.s390x.rpm\nglibc-langpack-sgs-2.28-164.el8.s390x.rpm\nglibc-langpack-shn-2.28-164.el8.s390x.rpm\nglibc-langpack-shs-2.28-164.el8.s390x.rpm\nglibc-langpack-si-2.28-164.el8.s390x.rpm\nglibc-langpack-sid-2.28-164.el8.s390x.rpm\nglibc-langpack-sk-2.28-164.el8.s390x.rpm\nglibc-langpack-sl-2.28-164.el8.s390x.rpm\nglibc-langpack-sm-2.28-164.el8.s390x.rpm\nglibc-langpack-so-2.28-164.el8.s390x.rpm\nglibc-langpack-sq-2.28-164.el8.s390x.rpm\nglibc-langpack-sr-2.28-164.el8.s390x.rpm\nglibc-langpack-ss-2.28-164.el8.s390x.rpm\nglibc-langpack-st-2.28-164.el8.s390x.rpm\nglibc-langpack-sv-2.28-164.el8.s390x.rpm\nglibc-langpack-sw-2.28-164.el8.s390x.rpm\nglibc-langpack-szl-2.28-164.el8.s390x.rpm\nglibc-langpack-ta-2.28-164.el8.s390x.rpm\nglibc-langpack-tcy-2.28-164.el8.s390x.rpm\nglibc-langpack-te-2.28-164.el8.s390x.rpm\nglibc-langpack-tg-2.28-164.el8.s390x.rpm\nglibc-langpack-th-2.28-164.el8.s390x.rpm\nglibc-langpack-the-2.28-164.el8.s390x.rpm\nglibc-langpack-ti-2.28-164.el8.s390x.rpm\nglibc-langpack-tig-2.28-164.el8.s390x.rpm\nglibc-langpack-tk-2.28-164.el8.s390x.rpm\nglibc-langpack-tl-2.28-164.el8.s390x.rpm\nglibc-langpack-tn-2.28-164.el8.s390x.rpm\nglibc-langpack-to-2.28-164.el8.s390x.rpm\nglibc-langpack-tpi-
2.28-164.el8.s390x.rpm\nglibc-langpack-tr-2.28-164.el8.s390x.rpm\nglibc-langpack-ts-2.28-164.el8.s390x.rpm\nglibc-langpack-tt-2.28-164.el8.s390x.rpm\nglibc-langpack-ug-2.28-164.el8.s390x.rpm\nglibc-langpack-uk-2.28-164.el8.s390x.rpm\nglibc-langpack-unm-2.28-164.el8.s390x.rpm\nglibc-langpack-ur-2.28-164.el8.s390x.rpm\nglibc-langpack-uz-2.28-164.el8.s390x.rpm\nglibc-langpack-ve-2.28-164.el8.s390x.rpm\nglibc-langpack-vi-2.28-164.el8.s390x.rpm\nglibc-langpack-wa-2.28-164.el8.s390x.rpm\nglibc-langpack-wae-2.28-164.el8.s390x.rpm\nglibc-langpack-wal-2.28-164.el8.s390x.rpm\nglibc-langpack-wo-2.28-164.el8.s390x.rpm\nglibc-langpack-xh-2.28-164.el8.s390x.rpm\nglibc-langpack-yi-2.28-164.el8.s390x.rpm\nglibc-langpack-yo-2.28-164.el8.s390x.rpm\nglibc-langpack-yue-2.28-164.el8.s390x.rpm\nglibc-langpack-yuw-2.28-164.el8.s390x.rpm\nglibc-langpack-zh-2.28-164.el8.s390x.rpm\nglibc-langpack-zu-2.28-164.el8.s390x.rpm\nglibc-locale-source-2.28-164.el8.s390x.rpm\nglibc-minimal-langpack-2.28-164.el8.s390x.rpm\nlibnsl-2.28-164.el8.s390x.rpm\nnscd-2.28-164.el8.s390x.rpm\nnss_db-2.28-164.el8.s390x.rpm\n\nx86_64:\nglibc-2.28-164.el8.i686.rpm\nglibc-2.28-164.el8.x86_64.rpm\nglibc-all-langpacks-2.28-164.el8.x86_64.rpm\nglibc-common-2.28-164.el8.x86_64.rpm\nglibc-debuginfo-2.28-164.el8.i686.rpm\nglibc-debuginfo-2.28-164.el8.x86_64.rpm\nglibc-debuginfo-common-2.28-164.el8.i686.rpm\nglibc-debuginfo-common-2.28-164.el8.x86_64.rpm\nglibc-devel-2.28-164.el8.i686.rpm\nglibc-devel-2.28-164.el8.x86_64.rpm\nglibc-headers-2.28-164.el8.i686.rpm\nglibc-headers-2.28-164.el8.x86_64.rpm\nglibc-langpack-aa-2.28-164.el8.x86_64.rpm\nglibc-langpack-af-2.28-164.el8.x86_64.rpm\nglibc-langpack-agr-2.28-164.el8.x86_64.rpm\nglibc-langpack-ak-2.28-164.el8.x86_64.rpm\nglibc-langpack-am-2.28-164.el8.x86_64.rpm\nglibc-langpack-an-2.28-164.el8.x86_64.rpm\nglibc-langpack-anp-2.28-164.el8.x86_64.rpm\nglibc-langpack-ar-2.28-164.el8.x86_64.rpm\nglibc-langpack-as-2.28-164.el8.x86_64.rpm\nglibc-langpack-ast-2.28-164.el8.x86_64.rpm
\nglibc-langpack-ayc-2.28-164.el8.x86_64.rpm\nglibc-langpack-az-2.28-164.el8.x86_64.rpm\nglibc-langpack-be-2.28-164.el8.x86_64.rpm\nglibc-langpack-bem-2.28-164.el8.x86_64.rpm\nglibc-langpack-ber-2.28-164.el8.x86_64.rpm\nglibc-langpack-bg-2.28-164.el8.x86_64.rpm\nglibc-langpack-bhb-2.28-164.el8.x86_64.rpm\nglibc-langpack-bho-2.28-164.el8.x86_64.rpm\nglibc-langpack-bi-2.28-164.el8.x86_64.rpm\nglibc-langpack-bn-2.28-164.el8.x86_64.rpm\nglibc-langpack-bo-2.28-164.el8.x86_64.rpm\nglibc-langpack-br-2.28-164.el8.x86_64.rpm\nglibc-langpack-brx-2.28-164.el8.x86_64.rpm\nglibc-langpack-bs-2.28-164.el8.x86_64.rpm\nglibc-langpack-byn-2.28-164.el8.x86_64.rpm\nglibc-langpack-ca-2.28-164.el8.x86_64.rpm\nglibc-langpack-ce-2.28-164.el8.x86_64.rpm\nglibc-langpack-chr-2.28-164.el8.x86_64.rpm\nglibc-langpack-cmn-2.28-164.el8.x86_64.rpm\nglibc-langpack-crh-2.28-164.el8.x86_64.rpm\nglibc-langpack-cs-2.28-164.el8.x86_64.rpm\nglibc-langpack-csb-2.28-164.el8.x86_64.rpm\nglibc-langpack-cv-2.28-164.el8.x86_64.rpm\nglibc-langpack-cy-2.28-164.el8.x86_64.rpm\nglibc-langpack-da-2.28-164.el8.x86_64.rpm\nglibc-langpack-de-2.28-164.el8.x86_64.rpm\nglibc-langpack-doi-2.28-164.el8.x86_64.rpm\nglibc-langpack-dsb-2.28-164.el8.x86_64.rpm\nglibc-langpack-dv-2.28-164.el8.x86_64.rpm\nglibc-langpack-dz-2.28-164.el8.x86_64.rpm\nglibc-langpack-el-2.28-164.el8.x86_64.rpm\nglibc-langpack-en-2.28-164.el8.x86_64.rpm\nglibc-langpack-eo-2.28-164.el8.x86_64.rpm\nglibc-langpack-es-2.28-164.el8.x86_64.rpm\nglibc-langpack-et-2.28-164.el8.x86_64.rpm\nglibc-langpack-eu-2.28-164.el8.x86_64.rpm\nglibc-langpack-fa-2.28-164.el8.x86_64.rpm\nglibc-langpack-ff-2.28-164.el8.x86_64.rpm\nglibc-langpack-fi-2.28-164.el8.x86_64.rpm\nglibc-langpack-fil-2.28-164.el8.x86_64.rpm\nglibc-langpack-fo-2.28-164.el8.x86_64.rpm\nglibc-langpack-fr-2.28-164.el8.x86_64.rpm\nglibc-langpack-fur-2.28-164.el8.x86_64.rpm\nglibc-langpack-fy-2.28-164.el8.x86_64.rpm\nglibc-langpack-ga-2.28-164.el8.x86_64.rpm\nglibc-langpack-gd-2.28-164.el8.x86_64.rpm\nglibc
-langpack-gez-2.28-164.el8.x86_64.rpm\nglibc-langpack-gl-2.28-164.el8.x86_64.rpm\nglibc-langpack-gu-2.28-164.el8.x86_64.rpm\nglibc-langpack-gv-2.28-164.el8.x86_64.rpm\nglibc-langpack-ha-2.28-164.el8.x86_64.rpm\nglibc-langpack-hak-2.28-164.el8.x86_64.rpm\nglibc-langpack-he-2.28-164.el8.x86_64.rpm\nglibc-langpack-hi-2.28-164.el8.x86_64.rpm\nglibc-langpack-hif-2.28-164.el8.x86_64.rpm\nglibc-langpack-hne-2.28-164.el8.x86_64.rpm\nglibc-langpack-hr-2.28-164.el8.x86_64.rpm\nglibc-langpack-hsb-2.28-164.el8.x86_64.rpm\nglibc-langpack-ht-2.28-164.el8.x86_64.rpm\nglibc-langpack-hu-2.28-164.el8.x86_64.rpm\nglibc-langpack-hy-2.28-164.el8.x86_64.rpm\nglibc-langpack-ia-2.28-164.el8.x86_64.rpm\nglibc-langpack-id-2.28-164.el8.x86_64.rpm\nglibc-langpack-ig-2.28-164.el8.x86_64.rpm\nglibc-langpack-ik-2.28-164.el8.x86_64.rpm\nglibc-langpack-is-2.28-164.el8.x86_64.rpm\nglibc-langpack-it-2.28-164.el8.x86_64.rpm\nglibc-langpack-iu-2.28-164.el8.x86_64.rpm\nglibc-langpack-ja-2.28-164.el8.x86_64.rpm\nglibc-langpack-ka-2.28-164.el8.x86_64.rpm\nglibc-langpack-kab-2.28-164.el8.x86_64.rpm\nglibc-langpack-kk-2.28-164.el8.x86_64.rpm\nglibc-langpack-kl-2.28-164.el8.x86_64.rpm\nglibc-langpack-km-2.28-164.el8.x86_64.rpm\nglibc-langpack-kn-2.28-164.el8.x86_64.rpm\nglibc-langpack-ko-2.28-164.el8.x86_64.rpm\nglibc-langpack-kok-2.28-164.el8.x86_64.rpm\nglibc-langpack-ks-2.28-164.el8.x86_64.rpm\nglibc-langpack-ku-2.28-164.el8.x86_64.rpm\nglibc-langpack-kw-2.28-164.el8.x86_64.rpm\nglibc-langpack-ky-2.28-164.el8.x86_64.rpm\nglibc-langpack-lb-2.28-164.el8.x86_64.rpm\nglibc-langpack-lg-2.28-164.el8.x86_64.rpm\nglibc-langpack-li-2.28-164.el8.x86_64.rpm\nglibc-langpack-lij-2.28-164.el8.x86_64.rpm\nglibc-langpack-ln-2.28-164.el8.x86_64.rpm\nglibc-langpack-lo-2.28-164.el8.x86_64.rpm\nglibc-langpack-lt-2.28-164.el8.x86_64.rpm\nglibc-langpack-lv-2.28-164.el8.x86_64.rpm\nglibc-langpack-lzh-2.28-164.el8.x86_64.rpm\nglibc-langpack-mag-2.28-164.el8.x86_64.rpm\nglibc-langpack-mai-2.28-164.el8.x86_64.rpm\nglibc-langpack-m
fe-2.28-164.el8.x86_64.rpm\nglibc-langpack-mg-2.28-164.el8.x86_64.rpm\nglibc-langpack-mhr-2.28-164.el8.x86_64.rpm\nglibc-langpack-mi-2.28-164.el8.x86_64.rpm\nglibc-langpack-miq-2.28-164.el8.x86_64.rpm\nglibc-langpack-mjw-2.28-164.el8.x86_64.rpm\nglibc-langpack-mk-2.28-164.el8.x86_64.rpm\nglibc-langpack-ml-2.28-164.el8.x86_64.rpm\nglibc-langpack-mn-2.28-164.el8.x86_64.rpm\nglibc-langpack-mni-2.28-164.el8.x86_64.rpm\nglibc-langpack-mr-2.28-164.el8.x86_64.rpm\nglibc-langpack-ms-2.28-164.el8.x86_64.rpm\nglibc-langpack-mt-2.28-164.el8.x86_64.rpm\nglibc-langpack-my-2.28-164.el8.x86_64.rpm\nglibc-langpack-nan-2.28-164.el8.x86_64.rpm\nglibc-langpack-nb-2.28-164.el8.x86_64.rpm\nglibc-langpack-nds-2.28-164.el8.x86_64.rpm\nglibc-langpack-ne-2.28-164.el8.x86_64.rpm\nglibc-langpack-nhn-2.28-164.el8.x86_64.rpm\nglibc-langpack-niu-2.28-164.el8.x86_64.rpm\nglibc-langpack-nl-2.28-164.el8.x86_64.rpm\nglibc-langpack-nn-2.28-164.el8.x86_64.rpm\nglibc-langpack-nr-2.28-164.el8.x86_64.rpm\nglibc-langpack-nso-2.28-164.el8.x86_64.rpm\nglibc-langpack-oc-2.28-164.el8.x86_64.rpm\nglibc-langpack-om-2.28-164.el8.x86_64.rpm\nglibc-langpack-or-2.28-164.el8.x86_64.rpm\nglibc-langpack-os-2.28-164.el8.x86_64.rpm\nglibc-langpack-pa-2.28-164.el8.x86_64.rpm\nglibc-langpack-pap-2.28-164.el8.x86_64.rpm\nglibc-langpack-pl-2.28-164.el8.x86_64.rpm\nglibc-langpack-ps-2.28-164.el8.x86_64.rpm\nglibc-langpack-pt-2.28-164.el8.x86_64.rpm\nglibc-langpack-quz-2.28-164.el8.x86_64.rpm\nglibc-langpack-raj-2.28-164.el8.x86_64.rpm\nglibc-langpack-ro-2.28-164.el8.x86_64.rpm\nglibc-langpack-ru-2.28-164.el8.x86_64.rpm\nglibc-langpack-rw-2.28-164.el8.x86_64.rpm\nglibc-langpack-sa-2.28-164.el8.x86_64.rpm\nglibc-langpack-sah-2.28-164.el8.x86_64.rpm\nglibc-langpack-sat-2.28-164.el8.x86_64.rpm\nglibc-langpack-sc-2.28-164.el8.x86_64.rpm\nglibc-langpack-sd-2.28-164.el8.x86_64.rpm\nglibc-langpack-se-2.28-164.el8.x86_64.rpm\nglibc-langpack-sgs-2.28-164.el8.x86_64.rpm\nglibc-langpack-shn-2.28-164.el8.x86_64.rpm\nglibc-langpack-shs-2.
28-164.el8.x86_64.rpm\nglibc-langpack-si-2.28-164.el8.x86_64.rpm\nglibc-langpack-sid-2.28-164.el8.x86_64.rpm\nglibc-langpack-sk-2.28-164.el8.x86_64.rpm\nglibc-langpack-sl-2.28-164.el8.x86_64.rpm\nglibc-langpack-sm-2.28-164.el8.x86_64.rpm\nglibc-langpack-so-2.28-164.el8.x86_64.rpm\nglibc-langpack-sq-2.28-164.el8.x86_64.rpm\nglibc-langpack-sr-2.28-164.el8.x86_64.rpm\nglibc-langpack-ss-2.28-164.el8.x86_64.rpm\nglibc-langpack-st-2.28-164.el8.x86_64.rpm\nglibc-langpack-sv-2.28-164.el8.x86_64.rpm\nglibc-langpack-sw-2.28-164.el8.x86_64.rpm\nglibc-langpack-szl-2.28-164.el8.x86_64.rpm\nglibc-langpack-ta-2.28-164.el8.x86_64.rpm\nglibc-langpack-tcy-2.28-164.el8.x86_64.rpm\nglibc-langpack-te-2.28-164.el8.x86_64.rpm\nglibc-langpack-tg-2.28-164.el8.x86_64.rpm\nglibc-langpack-th-2.28-164.el8.x86_64.rpm\nglibc-langpack-the-2.28-164.el8.x86_64.rpm\nglibc-langpack-ti-2.28-164.el8.x86_64.rpm\nglibc-langpack-tig-2.28-164.el8.x86_64.rpm\nglibc-langpack-tk-2.28-164.el8.x86_64.rpm\nglibc-langpack-tl-2.28-164.el8.x86_64.rpm\nglibc-langpack-tn-2.28-164.el8.x86_64.rpm\nglibc-langpack-to-2.28-164.el8.x86_64.rpm\nglibc-langpack-tpi-2.28-164.el8.x86_64.rpm\nglibc-langpack-tr-2.28-164.el8.x86_64.rpm\nglibc-langpack-ts-2.28-164.el8.x86_64.rpm\nglibc-langpack-tt-2.28-164.el8.x86_64.rpm\nglibc-langpack-ug-2.28-164.el8.x86_64.rpm\nglibc-langpack-uk-2.28-164.el8.x86_64.rpm\nglibc-langpack-unm-2.28-164.el8.x86_64.rpm\nglibc-langpack-ur-2.28-164.el8.x86_64.rpm\nglibc-langpack-uz-2.28-164.el8.x86_64.rpm\nglibc-langpack-ve-2.28-164.el8.x86_64.rpm\nglibc-langpack-vi-2.28-164.el8.x86_64.rpm\nglibc-langpack-wa-2.28-164.el8.x86_64.rpm\nglibc-langpack-wae-2.28-164.el8.x86_64.rpm\nglibc-langpack-wal-2.28-164.el8.x86_64.rpm\nglibc-langpack-wo-2.28-164.el8.x86_64.rpm\nglibc-langpack-xh-2.28-164.el8.x86_64.rpm\nglibc-langpack-yi-2.28-164.el8.x86_64.rpm\nglibc-langpack-yo-2.28-164.el8.x86_64.rpm\nglibc-langpack-yue-2.28-164.el8.x86_64.rpm\nglibc-langpack-yuw-2.28-164.el8.x86_64.rpm\nglibc-langpack-zh-2.28-164.el8.
x86_64.rpm\nglibc-langpack-zu-2.28-164.el8.x86_64.rpm\nglibc-locale-source-2.28-164.el8.x86_64.rpm\nglibc-minimal-langpack-2.28-164.el8.x86_64.rpm\nlibnsl-2.28-164.el8.i686.rpm\nlibnsl-2.28-164.el8.x86_64.rpm\nnscd-2.28-164.el8.x86_64.rpm\nnss_db-2.28-164.el8.i686.rpm\nnss_db-2.28-164.el8.x86_64.rpm\n\nRed Hat Enterprise Linux CRB (v. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. Summary:\n\nThe Migration Toolkit for Containers (MTC) 1.6.3 is now available. Description:\n\nThe Migration Toolkit for Containers (MTC) enables you to migrate\nKubernetes resources, persistent volume data, and internal container images\nbetween OpenShift Container Platform clusters, using the MTC web console or\nthe Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/):\n\n2019088 - \"MigrationController\" CR displays syntax error when unquiescing applications\n2021666 - Route name longer than 63 characters causes direct volume migration to fail\n2021668 - \"MigrationController\" CR ignores the \"cluster_subdomain\" value for direct volume migration routes\n2022017 - CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC)\n2024966 - Manifests not used by Operator Lifecycle Manager must be removed from the MTC 1.6 Operator image\n2027196 - \"migration-controller\" pod goes into \"CrashLoopBackoff\" state if an invalid registry route is entered on the \"Clusters\" page of the web console\n2027382 - \"Copy oc describe/oc logs\" window does not close automatically after timeout\n2028841 - \"rsync-client\" container fails during direct volume migration with \"Address family not supported by protocol\" error\n2031793 - \"migration-controller\" pod goes into \"CrashLoopBackOff\" state if \"MigPlan\" CR contains an invalid \"includedResources\" resource\n2039852 - \"migration-controller\" pod goes into \"CrashLoopBackOff\" state if 
\"MigPlan\" CR contains an invalid \"destMigClusterRef\" or \"srcMigClusterRef\"\n\n5. Description:\n\nRed Hat Openshift GitOps is a declarative way to implement continuous\ndeployment for cloud native applications. Bugs fixed (https://bugzilla.redhat.com/):\n\n2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-1168 - Disable hostname verification in syslog TLS settings\nLOG-1235 - Using HTTPS without a secret does not translate into the correct \u0027scheme\u0027 value in Fluentd\nLOG-1375 - ssl_ca_cert should be optional\nLOG-1378 - CLO should support sasl_plaintext(Password over http)\nLOG-1392 - In fluentd config, flush_interval can\u0027t be set with flush_mode=immediate\nLOG-1494 - Syslog output is serializing json incorrectly\nLOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server\nLOG-1575 - Rejected by Elasticsearch and unexpected json-parsing\nLOG-1735 - Regression introducing flush_at_shutdown \nLOG-1774 - The collector logs should be excluded in fluent.conf\nLOG-1776 - fluentd total_limit_size sets value beyond available space\nLOG-1822 - OpenShift Alerting Rules Style-Guide Compliance\nLOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled\nLOG-1862 - Unsupported kafka parameters when enabled Kafka SASL\nLOG-1903 - Fix the Display of ClusterLogging type in OLM\nLOG-1911 - CLF API changes to Opt-in to multiline error detection\nLOG-1918 - Alert `FluentdNodeDown` always firing \nLOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding\n\n6. 
Description:\n\nRed Hat OpenShift Container Storage is software-defined storage integrated\nwith and optimized for the Red Hat OpenShift Container Platform. \nRed Hat OpenShift Container Storage is highly scalable, production-grade\npersistent storage for stateful applications running in the Red Hat\nOpenShift Container Platform. In addition to persistent storage, Red Hat\nOpenShift Container Storage provides a multicloud data management service\nwith an S3 compatible API. \n\nBug Fix(es):\n\n* Previously, when the namespace store target was deleted, no alert was\nsent to the namespace bucket because of an issue in calculating the\nnamespace bucket health. With this update, the issue in calculating the\nnamespace bucket health is fixed and alerts are triggered as expected. \n(BZ#1993873)\n\n* Previously, the Multicloud Object Gateway (MCG) components performed\nslowly and there was a lot of pressure on the MCG components due to\nnon-optimized database queries. With this update the non-optimized\ndatabase queries are fixed which reduces the compute resources and time\ntaken for queries. Bugs fixed (https://bugzilla.redhat.com/):\n\n1993873 - [4.8.z clone] Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore\u0027s target bucket is deleted\n2006958 - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input\n\n5. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: ACS 3.67 security and enhancement update\nAdvisory ID: RHSA-2021:4902-01\nProduct: RHACS\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:4902\nIssue date: 2021-12-01\nCVE Names: CVE-2018-20673 CVE-2019-5827 CVE-2019-13750 \n CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 \n CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 \n CVE-2020-12762 CVE-2020-13435 CVE-2020-14155 \n CVE-2020-16135 CVE-2020-24370 CVE-2020-27304 \n CVE-2021-3200 CVE-2021-3445 CVE-2021-3580 \n CVE-2021-3749 CVE-2021-3800 CVE-2021-3801 \n CVE-2021-20231 CVE-2021-20232 CVE-2021-20266 \n CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 \n CVE-2021-23343 CVE-2021-23840 CVE-2021-23841 \n CVE-2021-27645 CVE-2021-28153 CVE-2021-29923 \n CVE-2021-32690 CVE-2021-33560 CVE-2021-33574 \n CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 \n CVE-2021-36086 CVE-2021-36087 CVE-2021-39293 \n=====================================================================\n\n1. Summary:\n\nUpdated images are now available for Red Hat Advanced Cluster Security for\nKubernetes (RHACS). \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nThe release of RHACS 3.67 provides the following new features, bug fixes,\nsecurity patches and system changes:\n\nOpenShift Dedicated support\n\nRHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on\nAmazon Web Services and Google Cloud Platform. \n\n1. Use OpenShift OAuth server as an identity provider\nIf you are using RHACS with OpenShift, you can now configure the built-in\nOpenShift OAuth server as an identity provider for RHACS. \n\n2. 
Enhancements for CI outputs\nRed Hat has improved the usability of RHACS CI integrations. CI outputs now\nshow additional detailed information about the vulnerabilities and the\nsecurity policies responsible for broken builds. \n\n3. Runtime Class policy criteria\nUsers can now use RHACS to define the container runtime configuration that\nmay be used to run a pod\u2019s containers using the Runtime Class policy\ncriteria. \n\nSecurity Fix(es):\n\n* civetweb: directory traversal when using the built-in example HTTP\nform-based file upload mechanism via the mg_handle_form_request API\n(CVE-2020-27304)\n\n* nodejs-axios: Regular expression denial of service in trim function\n(CVE-2021-3749)\n\n* nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801)\n\n* golang: net: incorrect parsing of extraneous zero characters at the\nbeginning of an IP address octet (CVE-2021-29923)\n\n* helm: information disclosure vulnerability (CVE-2021-32690)\n\n* golang: archive/zip: malformed archive may cause panic or memory\nexhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)\n\n* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe\n(CVE-2021-23343)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nBug Fixes\nThe release of RHACS 3.67 includes the following bug fixes:\n\n1. Previously, when using RHACS with the Compliance Operator integration,\nRHACS did not respect or populate Compliance Operator TailoredProfiles. \nThis has been fixed. \n\n2. Previously, the Alpine Linux package manager (APK) in Image policy\nlooked for the presence of apk package in the image rather than the\napk-tools package. This issue has been fixed. \n\nSystem changes\nThe release of RHACS 3.67 includes the following system changes:\n\n1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images. \n2. 
The Port exposure method policy criteria now include route as an\nexposure method. \n3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the\nOpenShift Compliance Operator to check for the existence of the Kubeadmin\nsecret without creating a violation. \n4. The OpenShift Compliance Operator integration now supports using\nTailoredProfiles. \n5. The RHACS Jenkins plugin now provides additional security information. \n6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for\nCentral, the logs contain the Request URI and X-Forwarded-For header\nvalues. \n7. The default uid:gid pair for the Scanner image is now 65534:65534. \n8. RHACS adds a new default Scope Manager role that includes minimum\npermissions to create and modify access scopes. \n9. If microdnf is part of an image or shows up in process execution, RHACS\nreports it as a security violation for the Red Hat Package Manager in Image\nor the Red Hat Package Manager Execution security policies. \n10. In addition to manually uploading vulnerability definitions in offline\nmode, you can now upload definitions in online mode. \n11. You can now format the output of the following roxctl CLI commands in\ntable, csv, or JSON format: image scan, image check \u0026 deployment check\n12. You can now use a regular expression for the deployment name while\nspecifying policy exclusions\n\n3. Solution:\n\nTo take advantage of these new features, fixes and changes, please upgrade\nRed Hat Advanced Cluster Security for Kubernetes to version 3.67. \n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe\n1978144 - CVE-2021-32690 helm: information disclosure vulnerability\n1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet\n1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function\n2005445 - CVE-2021-3801 nodejs-prismjs: ReDoS vulnerability\n2006044 - CVE-2021-39293 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)\n2016640 - CVE-2020-27304 civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nRHACS-65 - Release RHACS 3.67.0\n\n6. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-20673\nhttps://access.redhat.com/security/cve/CVE-2019-5827\nhttps://access.redhat.com/security/cve/CVE-2019-13750\nhttps://access.redhat.com/security/cve/CVE-2019-13751\nhttps://access.redhat.com/security/cve/CVE-2019-17594\nhttps://access.redhat.com/security/cve/CVE-2019-17595\nhttps://access.redhat.com/security/cve/CVE-2019-18218\nhttps://access.redhat.com/security/cve/CVE-2019-19603\nhttps://access.redhat.com/security/cve/CVE-2019-20838\nhttps://access.redhat.com/security/cve/CVE-2020-12762\nhttps://access.redhat.com/security/cve/CVE-2020-13435\nhttps://access.redhat.com/security/cve/CVE-2020-14155\nhttps://access.redhat.com/security/cve/CVE-2020-16135\nhttps://access.redhat.com/security/cve/CVE-2020-24370\nhttps://access.redhat.com/security/cve/CVE-2020-27304\nhttps://access.redhat.com/security/cve/CVE-2021-3200\nhttps://access.redhat.com/security/cve/CVE-2021-3445\nhttps://access.redhat.com/security/cve/CVE-2021-3580\nhttps://access.redhat.com/security/cve/CVE-2021-3749\nhttps://access.redhat.com/security/cve/CVE-2021-3800\nhttps:
//access.redhat.com/security/cve/CVE-2021-3801\nhttps://access.redhat.com/security/cve/CVE-2021-20231\nhttps://access.redhat.com/security/cve/CVE-2021-20232\nhttps://access.redhat.com/security/cve/CVE-2021-20266\nhttps://access.redhat.com/security/cve/CVE-2021-22876\nhttps://access.redhat.com/security/cve/CVE-2021-22898\nhttps://access.redhat.com/security/cve/CVE-2021-22925\nhttps://access.redhat.com/security/cve/CVE-2021-23343\nhttps://access.redhat.com/security/cve/CVE-2021-23840\nhttps://access.redhat.com/security/cve/CVE-2021-23841\nhttps://access.redhat.com/security/cve/CVE-2021-27645\nhttps://access.redhat.com/security/cve/CVE-2021-28153\nhttps://access.redhat.com/security/cve/CVE-2021-29923\nhttps://access.redhat.com/security/cve/CVE-2021-32690\nhttps://access.redhat.com/security/cve/CVE-2021-33560\nhttps://access.redhat.com/security/cve/CVE-2021-33574\nhttps://access.redhat.com/security/cve/CVE-2021-35942\nhttps://access.redhat.com/security/cve/CVE-2021-36084\nhttps://access.redhat.com/security/cve/CVE-2021-36085\nhttps://access.redhat.com/security/cve/CVE-2021-36086\nhttps://access.redhat.com/security/cve/CVE-2021-36087\nhttps://access.redhat.com/security/cve/CVE-2021-39293\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n7. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYafeGdzjgjWX9erEAQgZ8Q/9H5ov4ZfKZszdJu0WvRMetEt6DMU2RTZr\nKjv4h4FnmsMDYYDocnkFvsRjcpdGxtoUShAqD6+FrTNXjPtA/v1tsQTJzhg4o50w\ntKa9T4aHfrYXjGvWgQXJJEGmGaYMYePUOv77x6pLfMB+FmgfOtb8kzOdNzAtqX3e\nlq8b2DrQuPSRiWkUgFM2hmS7OtUsqTIShqWu67HJdOY74qDN4DGp7GnG6inCrUjV\nx4/4X5Fb7JrAYiy57C5eZwYW61HmrG7YHk9SZTRYgRW0rfgLncVsny4lX1871Ch2\ne8ttu0EJFM1EJyuCJwJd1Q+rhua6S1VSY+etLUuaYme5DtvozLXQTLUK31qAq/hK\nqnLYQjaSieea9j1dV6YNHjnvV0XGczyZYwzmys/CNVUxwvSHr1AJGmQ3zDeOt7Qz\nvguWmPzyiob3RtHjfUlUpPYeI6HVug801YK6FAoB9F2BW2uHVgbtKOwG5pl5urJt\nG4taizPtH8uJj5hem5nHnSE1sVGTiStb4+oj2LQonRkgLQ2h7tsX8Z8yWM/3TwUT\nPTBX9AIHwt8aCx7XxTeEIs0H9B1T9jYfy06o9H2547un9sBoT0Sm7fqKuJKic8N/\npJ2kXBiVJ9B4G+JjWe8rh1oC1yz5Q5/5HZ19VYBjHhYEhX4s9s2YsF1L1uMoT3NN\nT0pPNmsPGZY=\n=ux5P\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Bugs fixed (https://bugzilla.redhat.com/):\n\n1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option\n1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-33574"
},
{
"db": "VULHUB",
"id": "VHN-393646"
},
{
"db": "VULMON",
"id": "CVE-2021-33574"
},
{
"db": "PACKETSTORM",
"id": "165286"
},
{
"db": "PACKETSTORM",
"id": "164863"
},
{
"db": "PACKETSTORM",
"id": "165631"
},
{
"db": "PACKETSTORM",
"id": "166051"
},
{
"db": "PACKETSTORM",
"id": "164967"
},
{
"db": "PACKETSTORM",
"id": "165096"
},
{
"db": "PACKETSTORM",
"id": "165129"
},
{
"db": "PACKETSTORM",
"id": "165002"
},
{
"db": "PACKETSTORM",
"id": "165758"
}
],
"trust": 1.89
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2021-33574",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "165758",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "166051",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "164863",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "166308",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "163406",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "165862",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021092807",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021070604",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021100416",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3935",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4254",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4172",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0394",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3785",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4095",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4019",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3905",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4229",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4059",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5140",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3214",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0245",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3336",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0716",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.1071",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0493",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3398",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-393646",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-33574",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165286",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165631",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164967",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165096",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165129",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165002",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393646"
},
{
"db": "VULMON",
"id": "CVE-2021-33574"
},
{
"db": "PACKETSTORM",
"id": "165286"
},
{
"db": "PACKETSTORM",
"id": "164863"
},
{
"db": "PACKETSTORM",
"id": "165631"
},
{
"db": "PACKETSTORM",
"id": "166051"
},
{
"db": "PACKETSTORM",
"id": "164967"
},
{
"db": "PACKETSTORM",
"id": "165096"
},
{
"db": "PACKETSTORM",
"id": "165129"
},
{
"db": "PACKETSTORM",
"id": "165002"
},
{
"db": "PACKETSTORM",
"id": "165758"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
},
{
"db": "NVD",
"id": "CVE-2021-33574"
}
]
},
"id": "VAR-202105-1306",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-393646"
}
],
"trust": 0.01
},
"last_update_date": "2026-03-09T22:22:11.321000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Debian CVElist Bug Report Logs: glibc: CVE-2021-33574: mq_notify does not handle separately allocated thread attributes",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=7a9966ec919351d3328669aa69ea5e39"
},
{
"title": "Red Hat: CVE-2021-33574",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-33574"
},
{
"title": "Amazon Linux 2: ALAS2-2022-1736",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2022-1736"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-33574 log"
},
{
"title": "Red Hat: Moderate: Release of OpenShift Serverless 1.20.0",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220434 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat OpenShift distributed tracing 2.1.0 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220318 - Security Advisory"
},
{
"title": "Red Hat: Important: Release of containers for OSP 16.2 director operator tech preview",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220842 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat OpenShift GitOps security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220580 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220856 - Security Advisory"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=ec6577109e640dac19a6ddb978afe82d"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/Live-Hack-CVE/CVE-2021-33574 "
},
{
"title": "CVE-2021-33574",
"trust": 0.1,
"url": "https://github.com/JamesGeee/CVE-2021-33574 "
},
{
"title": "cks-notes",
"trust": 0.1,
"url": "https://github.com/ruzickap/cks-notes "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/Live-Hack-CVE/CVE-2021-38604 "
},
{
"title": "ochacafe-s5-3",
"trust": 0.1,
"url": "https://github.com/oracle-japan/ochacafe-s5-3 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-33574"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-416",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393646"
},
{
"db": "NVD",
"id": "CVE-2021-33574"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20210629-0005/"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202107-07"
},
{
"trust": 1.7,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=27896"
},
{
"trust": 1.7,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=27896#c1"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/kjyyimddyohtp2porlabtohyqyyrezdd/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rbuuwugxvilqxvweou7n42ichpjnaeup/"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2021-27645"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2021-33574"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2021-35942"
},
{
"trust": 0.9,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.9,
"url": "https://bugzilla.redhat.com/"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-16135"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3200"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-5827"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-13435"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-5827"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-24370"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-13751"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-19603"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-17594"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-12762"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-36086"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13750"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13751"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-22898"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12762"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-16135"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-36084"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3800"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17594"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-36087"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3445"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13435"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19603"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-22925"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-18218"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-20232"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-20838"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-22876"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-20231"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-14155"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20838"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-36085"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-33560"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-17595"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14155"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-28153"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-13750"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-18218"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3580"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17595"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rbuuwugxvilqxvweou7n42ichpjnaeup/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/kjyyimddyohtp2porlabtohyqyyrezdd/"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24370"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2021-3572"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2021-20266"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2021-3426"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2021-3778"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2021-42574"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2021-3796"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27645"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0245"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3905"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6526524"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.1071"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4019"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3398"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/165862/red-hat-security-advisory-2022-0434-05.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5140"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/glibc-use-after-free-via-mq-notify-35692"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3336"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3214"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0716"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092807"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0394"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0493"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3935"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164863/red-hat-security-advisory-2021-4358-03.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4229"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4059"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/166051/red-hat-security-advisory-2022-0580-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021070604"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021100416"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4254"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3785"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/165758/red-hat-security-advisory-2022-0318-06.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4095"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4172"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163406/gentoo-linux-security-advisory-202107-07.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/166308/red-hat-security-advisory-2022-0842-01.html"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2021-23841"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2021-23840"
},
{
"trust": 0.5,
"url": "https://issues.jboss.org/"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22876"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20231"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22925"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22898"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20232"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20673"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2020-14145"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14145"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-3712"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-20673"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-28153"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20266"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-25013"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25012"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-35522"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-35524"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25013"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25009"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-43527"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-25014"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-25012"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-35521"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-17541"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-36331"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-31535"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-36330"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-36332"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25010"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25014"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-3481"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-25009"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-25010"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-35523"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33574"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23841"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23840"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-17541"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-37750"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10001"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-4658"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-4658"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-10001"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-20271"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33560"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3200"
},
{
"trust": 0.2,
"url": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-29923"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35524"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37136"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44228"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35523"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:5128"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37137"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21409"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-36330"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:4358"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-35942"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27823"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3733"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1870"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3575"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30758"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13558"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15389"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33938"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-5727"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33929"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5785"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-41617"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30665"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12973"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30689"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20847"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30682"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33928"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22946"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-18032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1801"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33930"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1765"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-20845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26927"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-20847"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27918"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30749"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30795"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-5785"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1788"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5727"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30744"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21775"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21806"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27814"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36241"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30797"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13558"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20321"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27842"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1799"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21779"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29623"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3948"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22947"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27828"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12973"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1844"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1871"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29338"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30734"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26926"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28650"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24870"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-1789"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30663"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30799"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3272"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0202"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15389"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27824"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0580"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-40346"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-39241"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24348"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20271"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23133"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3573"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26141"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27777"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26147"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14615"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36386"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29650"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24587"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26144"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29155"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33033"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20197"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3487"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-0427"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36312"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-31829"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-31440"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26145"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3564"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-35448"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3489"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24503"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28971"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26146"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26139"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3679"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24588"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36158"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24504"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33194"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3348"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24503"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20284"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29646"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-0427"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14615"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24502"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-0129"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3635"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26143"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29368"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20194"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3659"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33200"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29660"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26140"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3600"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24586"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20239"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24502"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3732"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28950"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:4627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-31916"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:4845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20095"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28493"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-42771"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26301"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26301"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28957"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8037"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8037"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20095"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28493"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23343"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27304"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-32690"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-39293"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3749"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:4902"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23343"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27304"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3801"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23369"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23383"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23369"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23383"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:4032"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3445"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/latest/distr_tracing/distr_tracing_install/distr-tracing-updating.html"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/latest/distr_tracing/distributed-tracing-release-notes.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0318"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36221"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-29923"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3426"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-393646"
},
{
"db": "PACKETSTORM",
"id": "165286"
},
{
"db": "PACKETSTORM",
"id": "164863"
},
{
"db": "PACKETSTORM",
"id": "165631"
},
{
"db": "PACKETSTORM",
"id": "166051"
},
{
"db": "PACKETSTORM",
"id": "164967"
},
{
"db": "PACKETSTORM",
"id": "165096"
},
{
"db": "PACKETSTORM",
"id": "165129"
},
{
"db": "PACKETSTORM",
"id": "165002"
},
{
"db": "PACKETSTORM",
"id": "165758"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
},
{
"db": "NVD",
"id": "CVE-2021-33574"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-393646",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2021-33574",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165286",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164863",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165631",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "166051",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164967",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165096",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165129",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165002",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "165758",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2021-33574",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2021-05-25T00:00:00",
"db": "VULHUB",
"id": "VHN-393646",
"ident": null
},
{
"date": "2021-05-25T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33574",
"ident": null
},
{
"date": "2021-12-15T15:20:33",
"db": "PACKETSTORM",
"id": "165286",
"ident": null
},
{
"date": "2021-11-10T17:08:43",
"db": "PACKETSTORM",
"id": "164863",
"ident": null
},
{
"date": "2022-01-20T17:48:29",
"db": "PACKETSTORM",
"id": "165631",
"ident": null
},
{
"date": "2022-02-18T16:37:39",
"db": "PACKETSTORM",
"id": "166051",
"ident": null
},
{
"date": "2021-11-15T17:25:56",
"db": "PACKETSTORM",
"id": "164967",
"ident": null
},
{
"date": "2021-11-29T18:12:32",
"db": "PACKETSTORM",
"id": "165096",
"ident": null
},
{
"date": "2021-12-02T16:06:16",
"db": "PACKETSTORM",
"id": "165129",
"ident": null
},
{
"date": "2021-11-17T15:25:40",
"db": "PACKETSTORM",
"id": "165002",
"ident": null
},
{
"date": "2022-01-28T14:33:13",
"db": "PACKETSTORM",
"id": "165758",
"ident": null
},
{
"date": "2021-05-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1666",
"ident": null
},
{
"date": "2021-05-25T22:15:10.410000",
"db": "NVD",
"id": "CVE-2021-33574",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2022-11-08T00:00:00",
"db": "VULHUB",
"id": "VHN-393646",
"ident": null
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-33574",
"ident": null
},
{
"date": "2022-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1666",
"ident": null
},
{
"date": "2023-11-07T03:35:52.810000",
"db": "NVD",
"id": "CVE-2021-33574",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "165129"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
}
],
"trust": 0.7
},
"title": {
"_id": null,
"data": "GNU C Library Resource Management Error Vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
}
],
"trust": 0.6
},
"type": {
"_id": null,
"data": "resource management error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-1666"
}
],
"trust": 0.6
}
}
VAR-201501-0737
Vulnerability from variot - Updated: 2026-03-09 21:40
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST". This vulnerability has been assigned CVE-2015-0235, and is referred to in the media by the name "GHOST". The eglibc package contains a classic buffer overflow vulnerability, which may result in a denial of service (DoS). GNU glibc is prone to a heap-based buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts may crash the application, denying service to legitimate users. CVE-ID CVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of Tsinghua University, Jian Jiang of University of California, Berkeley, Haixin Duan of Tsinghua University and International Computer Science Institute, Shuo Chen of Microsoft Research Redmond, Tao Wan of Huawei Canada, Nicholas Weaver of International Computer Science Institute and University of California, Berkeley, coordinated via CERT/CC
configd Available for: OS X El Capitan 10.11 Impact: A malicious application may be able to elevate privileges Description: A heap based buffer overflow issue existed in the DNS client library. A malicious application with the ability to spoof responses from the local configd service may have been able to cause arbitrary code execution in DNS clients. CVE-ID CVE-2015-6994 : Mark Mentovai of Google Inc. A developer-signed app could bypass restrictions on use of restricted entitlements and elevate privileges. These issues were addressed by using patches affecting OS X from upstream. This was addressed by disabling synthetic clicks for keychain access windows. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
OS X El Capitan 10.11 is now available and addresses the following:
Address Book Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to inject arbitrary code to processes loading the Address Book framework Description: An issue existed in Address Book framework's handling of an environment variable. This issue was addressed through improved environment variable handling. CVE-ID CVE-2015-5897 : Dan Bastone of Gotham Digital Science
AirScan Available for: Mac OS X v10.6.8 and later Impact: An attacker with a privileged network position may be able to extract payload from eSCL packets sent over a secure connection Description: An issue existed in the processing of eSCL packets. This issue was addressed through improved validation checks. CVE-ID CVE-2015-5853 : an anonymous researcher
apache_mod_php Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in PHP Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.27, including one which may have led to remote code execution. This issue was addressed by updating PHP to version 5.5.27. CVE-ID CVE-2014-9425 CVE-2014-9427 CVE-2014-9652 CVE-2014-9705 CVE-2014-9709 CVE-2015-0231 CVE-2015-0232 CVE-2015-0235 CVE-2015-0273 CVE-2015-1351 CVE-2015-1352 CVE-2015-2301 CVE-2015-2305 CVE-2015-2331 CVE-2015-2348 CVE-2015-2783 CVE-2015-2787 CVE-2015-3329 CVE-2015-3330
Apple Online Store Kit Available for: Mac OS X v10.6.8 and later Impact: A malicious application may gain access to a user's keychain items Description: An issue existed in validation of access control lists for iCloud keychain items. This issue was addressed through improved access control list checks. CVE-ID CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of Indiana University, Tongxin Li of Peking University, Tongxin Li of Peking University, Xiaolong Bai of Tsinghua University
AppleEvents Available for: Mac OS X v10.6.8 and later Impact: A user connected through screen sharing can send Apple Events to a local user's session Description: An issue existed with Apple Event filtering that allowed some users to send events to other users. This was addressed by improved Apple Event handling. CVE-ID CVE-2015-5849 : Jack Lawrence (@_jackhl)
Audio Available for: Mac OS X v10.6.8 and later Impact: Playing a malicious audio file may lead to an unexpected application termination Description: A memory corruption issue existed in the handling of audio files. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.: Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
bash Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in bash Description: Multiple vulnerabilities existed in bash versions prior to 3.2 patch level 57. These issues were addressed by updating bash version 3.2 to patch level 57. CVE-ID CVE-2014-6277 CVE-2014-7186 CVE-2014-7187
Certificate Trust Policy Available for: Mac OS X v10.6.8 and later Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at https://support.apple.com/en-us/HT202858.
CFNetwork Cookies Available for: Mac OS X v10.6.8 and later Impact: An attacker in a privileged network position can track a user's activity Description: A cross-domain cookie issue existed in the handling of top level domains. The issue was addressed through improved restrictions of cookie creation. CVE-ID CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork FTPProtocol Available for: Mac OS X v10.6.8 and later Impact: Malicious FTP servers may be able to cause the client to perform reconnaissance on other hosts Description: An issue existed in the handling of FTP packets when using the PASV command. This issue was resolved through improved validation. CVE-ID CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol Available for: Mac OS X v10.6.8 and later Impact: A maliciously crafted URL may be able to bypass HSTS and leak sensitive data Description: A URL parsing vulnerability existed in HSTS handling. This issue was addressed through improved URL parsing. CVE-ID CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork HTTPProtocol Available for: Mac OS X v10.6.8 and later Impact: A malicious website may be able to track users in Safari private browsing mode Description: An issue existed in the handling of HSTS state in Safari private browsing mode. This issue was addressed through improved state handling. CVE-ID CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies Available for: Mac OS X v10.6.8 and later Impact: Connecting to a malicious web proxy may set malicious cookies for a website Description: An issue existed in the handling of proxy connect responses. This issue was addressed by removing the set-cookie header while parsing the connect response. CVE-ID CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork SSL Available for: Mac OS X v10.6.8 and later Impact: An attacker with a privileged network position may intercept SSL/TLS connections Description: A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation. CVE-ID CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of RC4. An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4. This issue was addressed by removing the fallback to SSL 3.0.
CoreCrypto Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to determine a private key Description: By observing many signing or decryption attempts, an attacker may have been able to determine the RSA private key. This issue was addressed using improved encryption algorithms.
CoreText Available for: Mac OS X v10.6.8 and later Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Dev Tools Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in dyld. This was addressed through improved memory handling. CVE-ID CVE-2015-5876 : beist of grayhash
Dev Tools Available for: Mac OS X v10.6.8 and later Impact: An application may be able to bypass code signing Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5839 : @PanguTeam
Disk Images Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in DiskImages. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5847 : Filippo Bigarella, Luca Todesco
dyld Available for: Mac OS X v10.6.8 and later Impact: An application may be able to bypass code signing Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5839 : TaiG Jailbreak Team
EFI Available for: Mac OS X v10.6.8 and later Impact: A malicious application can prevent some systems from booting Description: An issue existed with the addresses covered by the protected range register. This issue was fixed by changing the protected range. CVE-ID CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore
EFI Available for: Mac OS X v10.6.8 and later Impact: A malicious Apple Ethernet Thunderbolt adapter may be able to affect firmware flashing Description: Apple Ethernet Thunderbolt adapters could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates. CVE-ID CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare
Finder Available for: Mac OS X v10.6.8 and later Impact: The "Secure Empty Trash" feature may not securely delete files placed in the Trash Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the "Secure Empty Trash" option. CVE-ID CVE-2015-5901 : Apple
Game Center Available for: Mac OS X v10.6.8 and later Impact: A malicious Game Center application may be able to access a player's email address Description: An issue existed in Game Center in the handling of a player's email. This issue was addressed through improved access restrictions. CVE-ID CVE-2015-5855 : Nasser Alnasser
Heimdal Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to replay Kerberos credentials to the SMB server Description: An authentication issue existed in Kerberos credentials. This issue was addressed through additional validation of credentials using a list of recently seen credentials. CVE-ID CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu Fan of Microsoft Corporation, China
ICU Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in ICU Description: Multiple vulnerabilities existed in ICU versions prior to 53.1.0. These issues were addressed by updating ICU to version 55.1. CVE-ID CVE-2014-8146 CVE-2014-8147 CVE-2015-5922
Install Framework Legacy Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to gain root privileges Description: A restriction issue existed in the Install private framework containing a privileged executable. This issue was addressed by removing the executable. CVE-ID CVE-2015-5888 : Apple
Intel Graphics Driver Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in the Intel Graphics Driver. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5830 : Yuki MIZUNO (@mzyy94) CVE-2015-5877 : Camillus Gerard Cai
IOAudioFamily Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in IOAudioFamily that led to the disclosure of kernel memory content. This issue was addressed by permuting kernel pointers. CVE-ID CVE-2015-5864 : Luca Todesco
IOGraphics Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5871 : Ilja van Sprundel of IOActive CVE-2015-5872 : Ilja van Sprundel of IOActive CVE-2015-5873 : Ilja van Sprundel of IOActive CVE-2015-5890 : Ilja van Sprundel of IOActive
IOGraphics Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to determine kernel memory layout Description: An issue existed in IOGraphics which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management. CVE-ID CVE-2015-5865 : Luca Todesco
IOHIDFamily Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5866 : Apple CVE-2015-5867 : moony li of Trend Micro
IOStorageFamily Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to read kernel memory Description: A memory initialization issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5863 : Ilja van Sprundel of IOActive
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues existed in the Kernel. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team CVE-2015-5896 : Maxime Villard of m00nbsd CVE-2015-5903 : CESG
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local process can modify other processes without entitlement checks Description: An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through additional entitlement checks. CVE-ID CVE-2015-5882 : Pedro Vilaca, working from original research by Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local attacker may control the value of stack cookies Description: Multiple weaknesses existed in the generation of user space stack cookies. These issues were addressed through improved generation of stack cookies. CVE-ID CVE-2013-3951 : Stefan Esser
Kernel Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to launch denial of service attacks on targeted TCP connections without knowing the correct sequence number Description: An issue existed in xnu's validation of TCP packet headers. This issue was addressed through improved TCP packet header validation. CVE-ID CVE-2015-5879 : Jonathan Looney
Kernel Available for: Mac OS X v10.6.8 and later Impact: An attacker in a local LAN segment may disable IPv6 routing Description: An insufficient validation issue existed in the handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit. CVE-ID CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed that led to the disclosure of kernel memory layout. This was addressed through improved initialization of kernel memory structures. CVE-ID CVE-2015-5842 : beist of grayhash
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in debugging interfaces that led to the disclosure of memory content. This issue was addressed by sanitizing output from debugging interfaces. CVE-ID CVE-2015-5870 : Apple
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to cause a system denial of service Description: A state management issue existed in debugging functionality. This issue was addressed through improved validation. CVE-ID CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team
libc Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse Corporation
libpthread Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
libxpc Available for: Mac OS X v10.6.8 and later Impact: Many SSH connections could cause a denial of service Description: launchd had no limit on the number of processes that could be started by a network connection. This issue was addressed by limiting the number of SSH processes to 40. CVE-ID CVE-2015-5881 : Apple
Login Window Available for: Mac OS X v10.6.8 and later Impact: The screen lock may not engage after the specified time period Description: An issue existed with captured display locking. The issue was addressed through improved lock handling. CVE-ID CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni Vaahtera, and an anonymous researcher
lukemftpd Available for: Mac OS X v10.6.8 and later Impact: A remote attacker may be able to deny service to the FTP server Description: A glob-processing issue existed in tnftpd. This issue was addressed through improved glob validation. CVE-ID CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com
Mail Available for: Mac OS X v10.6.8 and later Impact: Printing an email may leak sensitive user information Description: An issue existed in Mail which bypassed user preferences when printing an email. This issue was addressed through improved user preference enforcement. CVE-ID CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya, Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim Technology Partners
Mail Available for: Mac OS X v10.6.8 and later Impact: An attacker in a privileged network position may be able to intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop Description: An issue existed in handling encryption parameters for large email attachments sent via Mail Drop. The issue is addressed by no longer offering Mail Drop when sending an encrypted e-mail. CVE-ID CVE-2015-5884 : John McCombs of Integrated Mapping Ltd
Multipeer Connectivity Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to observe unprotected multipeer data Description: An issue existed in convenience initializer handling in which encryption could be actively downgraded to a non-encrypted session. This issue was addressed by changing the convenience initializer to require encryption. CVE-ID CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to determine kernel memory layout Description: An uninitialized memory issue in the kernel led to the disclosure of kernel memory content. This issue was addressed through improved memory initialization. CVE-ID CVE-2015-5831 : Maxime Villard of m00nbsd
Notes Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to leak sensitive user information Description: An issue existed in parsing links in the Notes application. This issue was addressed through improved input validation. CVE-ID CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher
Notes Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to leak sensitive user information Description: A cross-site scripting issue existed in parsing text by the Notes application. This issue was addressed through improved input validation. CVE-ID CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
OpenSSH Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in OpenSSH Description: Multiple vulnerabilities existed in OpenSSH versions prior to 6.9. These issues were addressed by updating OpenSSH to version 6.9. CVE-ID CVE-2014-2532
OpenSSL Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in OpenSSL Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg. CVE-ID CVE-2015-0286 CVE-2015-0287
procmail Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in procmail Description: Multiple vulnerabilities existed in procmail versions prior to 3.22. These issues were addressed by removing procmail. CVE-ID CVE-2014-3618
remote_cmds Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with root privileges Description: An issue existed in the usage of environment variables by the rsh binary. This issue was addressed by dropping setuid privileges from the rsh binary. CVE-ID CVE-2015-5889 : Philip Pettersson
removefile Available for: Mac OS X v10.6.8 and later Impact: Processing malicious data may lead to unexpected application termination Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines. CVE-ID CVE-2015-5840 : an anonymous researcher
Ruby Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in Ruby Description: Multiple vulnerabilities existed in Ruby versions prior to 2.0.0p645. These were addressed by updating Ruby to version 2.0.0p645. CVE-ID CVE-2014-8080 CVE-2014-8090 CVE-2015-1855
Security Available for: Mac OS X v10.6.8 and later Impact: The lock state of the keychain may be incorrectly displayed to the user Description: A state management issue existed in the way keychain lock status was tracked. This issue was addressed through improved state management. CVE-ID CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron, Eric E. Lawrence, Apple
Security Available for: Mac OS X v10.6.8 and later Impact: A trust evaluation configured to require revocation checking may succeed even if revocation checking fails Description: The kSecRevocationRequirePositiveResponse flag was specified but not implemented. This issue was addressed by implementing the flag. CVE-ID CVE-2015-5894 : Hannes Oud of kWallet GmbH
Security Available for: Mac OS X v10.6.8 and later Impact: A remote server may prompt for a certificate before identifying itself Description: Secure Transport accepted the CertificateRequest message before the ServerKeyExchange message. This issue was addressed by requiring the ServerKeyExchange first. CVE-ID CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute
SMB Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5891 : Ilja van Sprundel of IOActive
SMB Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in SMBClient that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5893 : Ilja van Sprundel of IOActive
SQLite Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in SQLite v3.8.5 Description: Multiple vulnerabilities existed in SQLite v3.8.5. These issues were addressed by updating SQLite to version 3.8.10.2. CVE-ID CVE-2015-3414 CVE-2015-3415 CVE-2015-3416
Telephony Available for: Mac OS X v10.6.8 and later Impact: A local attacker can place phone calls without the user's knowledge when using Continuity Description: An issue existed in the authorization checks for placing phone calls. This issue was addressed through improved authorization checks. CVE-ID CVE-2015-3785 : Dan Bastone of Gotham Digital Science
Terminal Available for: Mac OS X v10.6.8 and later Impact: Maliciously crafted text could mislead the user in Terminal Description: Terminal did not handle bidirectional override characters in the same way when displaying text and when selecting text. This issue was addressed by suppressing bidirectional override characters in Terminal. CVE-ID CVE-2015-5883 : an anonymous researcher
tidy Available for: Mac OS X v10.6.8 and later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: Multiple memory corruption issues existed in tidy. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5522 : Fernando Munoz of NULLGroup.com CVE-2015-5523 : Fernando Munoz of NULLGroup.com
Time Machine Available for: Mac OS X v10.6.8 and later Impact: A local attacker may gain access to keychain items Description: An issue existed in backups by the Time Machine framework. This issue was addressed through improved coverage of Time Machine backups. CVE-ID CVE-2015-5854 : Jonas Magazinius of Assured AB
Note: OS X El Capitan 10.11 includes the security content of Safari 9: https://support.apple.com/kb/HT205265.
OS X El Capitan 10.11 may be obtained from the Mac App Store: http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw S5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO /hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6 QhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54 YJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop hpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O c3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR 8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r N1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT fJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1 nJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e g6jld/w5tPuCFhGucE7Z =XciV -----END PGP SIGNATURE----- . Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector. The validity of the password hashes and the embedded keys were also verified by emulating the device. The outdated version was found by IoT Inspector. The outdated version was found by IoT Inspector.
3) Hardcoded Credentials (CVE-2019-12550) The device contains hardcoded users and passwords which can be used to login via SSH and Telnet.
4) Embedded Private Keys (CVE-2019-12549) The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key. A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability.
3) Hardcoded Credentials (CVE-2019-12550) The following credentials were found in the 'passwd' file of the firmware: root No password is set for the account [EMPTY PASSWORD] admin
By using these credentials, it's possible to connect via Telnet and SSH on the emulated device. Example for Telnet:
[root@localhost ~]# telnet 192.168.0.133 Trying 192.168.0.133... Connected to 192.168.0.133. Escape character is '^]'.
L2SWITCH login: root Password: ~ #
Example for SSH:
[root@localhost ~]# ssh 192.168.0.133 root@192.168.0.133's password: ~ #
4) Embedded Private Keys (CVE-2019-12549) The following host key fingerprint is shown by accessing the SSH daemon on the emulated device:
[root@localhost ~]# ssh 192.168.0.133 The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established. RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.
This matches the embedded private key (which has been removed from this advisory): SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2
Vulnerable / tested versions:
According to the vendor, the following versions are affected: * 852-303: <v1.2.2.S0 * 852-1305: <v1.1.6.S0 * 852-1505: <v1.1.5.S0
Vendor contact timeline:
2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation 2019-03-26: Asking for a status update, VDE CERT is still waiting for details 2019-03-28: VDE CERT requests information from WAGO again 2019-04-09: Asking for a status update 2019-04-11: VDE CERT: patched firmware release planned for end of May, requested postponement of advisory release 2019-04-16: VDE CERT: update regarding affected firmware versions 2019-04-24: Confirming advisory release for beginning of June 2019-05-20: Asking for a status update 2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date 2019-05-29: Asking for a status update 2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published on 7th June, SEC Consult proposes new advisory release date for 12th June 2019-06-07: VDE CERT provides security advisory information from WAGO; WAGO releases security patches 2019-06-12: Coordinated release of security advisory
Solution:
The vendor provides patches to their customers at their download page. The following versions fix the issues: * 852-303: v1.2.2.S0 * 852-1305: v1.1.6.S0 * 852-1505: v1.1.5.S0
According to the vendor, busybox and glibc have been updated and the embedded private keys are being newly generated upon first boot and after a factory reset. The root login via Telnet and SSH has been disabled and the admin account is documented and can be changed by the customer.
Workaround:
Restrict network access to the device & SSH server. Weber / @2019
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04602055
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04602055 Version: 1
HPSBHF03289 rev.1- HP ThinClient PCs running ThinPro Linux, Remote Code Execution, Denial of Service, Disclosure of information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2015-03-20 Last Updated: 2015-03-20
Potential Security Impact: Remote code execution, denial of service, disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP ThinPro Linux. This is the glibc vulnerability known as "GHOST", which could be exploited remotely to allow execution of arbitrary code. This update also addresses other vulnerabilities in SSL that would remotely allow denial of service, disclosure of information and other vulnerabilities.
References:
CVE-2015-0235 (SSRT101953) CVE-2014-3569 CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ThinPro Linux (x86) v5.1 HP ThinPro Linux (x86) v5.0 HP ThinPro Linux (x86) v4.4 HP ThinPro Linux (x86) v4.3 HP ThinPro Linux (x86) v4.2 HP ThinPro Linux (x86) v4.1 HP ThinPro Linux (ARM) v4.4 HP ThinPro Linux (ARM) v4.3 HP ThinPro Linux (ARM) v4.2 HP ThinPro Linux (ARM) v4.1
BACKGROUND
CVSS 2.0 Base Metrics
Reference Base Vector Base Score CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2015-0235 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has released the following software updates to resolve the vulnerability for HP ThinPro Linux.
Softpaq: http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe
Easy Update Via ThinPro / EasyUpdate (x86):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all- 4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all- 4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all- 4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all- 4.4-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all- 5.0-5.1-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all- 5.0-5.1-x86.xar
Via ThinPro / EasyUpdate (ARM):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all- 4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all- 4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all- 4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all- 4.4-armel.xar
Note: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch applied, VMware cannot connect if security level is set to "Refuse insecure connections". Updating VMware to the latest package on ftp.hp.com will solve the problem.
HISTORY Version:1 (rev.1) - 20 March 2015 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
The original glibc bug was reported by Peter Klotz.
CVE-2014-7817
Tim Waugh of Red Hat discovered that the WRDE_NOCMD option of the
wordexp function did not suppress command execution in all cases.
This allows a context-dependent attacker to execute shell
commands.
CVE-2012-6656 CVE-2014-6040
The charset conversion code for certain IBM multi-byte code pages
could perform an out-of-bounds array access, causing the process
to crash. In some scenarios, this allows a remote attacker to
cause a persistent denial of service.
For the upcoming stable distribution (jessie) and the unstable distribution (sid), the CVE-2015-0235 issue has been fixed in version 2.18-1 of the glibc package.
We recommend that you upgrade your eglibc packages.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 https://rhn.redhat.com/errata/RHSA-2015-0092.html
Updated Packages:
Mandriva Business Server 1/X86_64: 678efef85b85206451ef8927bad808e0 mbs1/x86_64/glibc-2.14.1-12.11.mbs1.x86_64.rpm 46cd508f03e36c1e4f752c317852ec8e mbs1/x86_64/glibc-devel-2.14.1-12.11.mbs1.x86_64.rpm 069302c80e3b79504e2b0eaaa72c2745 mbs1/x86_64/glibc-doc-2.14.1-12.11.mbs1.noarch.rpm 3a841c0295823354655dd3e7734ada0b mbs1/x86_64/glibc-doc-pdf-2.14.1-12.11.mbs1.noarch.rpm 11a672a0b4bae77c7adfa803bea9871f mbs1/x86_64/glibc-i18ndata-2.14.1-12.11.mbs1.x86_64.rpm d3f113ccec4f18e4bb08c951625e51d7 mbs1/x86_64/glibc-profile-2.14.1-12.11.mbs1.x86_64.rpm f6d6aa5806dd747e66996ea8cc01c9b4 mbs1/x86_64/glibc-static-devel-2.14.1-12.11.mbs1.x86_64.rpm 98cc6eae0234eeed945712bbc8b2c0ea mbs1/x86_64/glibc-utils-2.14.1-12.11.mbs1.x86_64.rpm bf6f2fcc3dd21bd8380aac40e91bb802 mbs1/x86_64/nscd-2.14.1-12.11.mbs1.x86_64.rpm f597e4d6241c76701733d730e84f5714 mbs1/SRPMS/glibc-2.14.1-12.11.mbs1.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Critical: glibc security update Advisory ID: RHSA-2015:0092-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0092.html Issue date: 2015-01-27 CVE Names: CVE-2015-0235 =====================================================================
- Summary:
Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
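The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. This update fixes the glibc issue known as "GHOST": a heap-based buffer overflow in the hostname-resolution code used by the gethostbyname() and gethostbyname2() functions, which a remote attacker able to make an application call either function could use to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)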
Red Hat would like to thank Qualys for reporting this issue.
All glibc users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: glibc-2.12-1.149.el6_6.5.src.rpm
i386: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-headers-2.12-1.149.el6_6.5.i686.rpm glibc-utils-2.12-1.149.el6_6.5.i686.rpm nscd-2.12-1.149.el6_6.5.i686.rpm
x86_64: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-2.12-1.149.el6_6.5.x86_64.rpm glibc-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm nscd-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm
x86_64: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: glibc-2.12-1.149.el6_6.5.src.rpm
x86_64: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-2.12-1.149.el6_6.5.x86_64.rpm glibc-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm nscd-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: glibc-2.12-1.149.el6_6.5.src.rpm
i386: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-headers-2.12-1.149.el6_6.5.i686.rpm glibc-utils-2.12-1.149.el6_6.5.i686.rpm nscd-2.12-1.149.el6_6.5.i686.rpm
ppc64: glibc-2.12-1.149.el6_6.5.ppc.rpm glibc-2.12-1.149.el6_6.5.ppc64.rpm glibc-common-2.12-1.149.el6_6.5.ppc64.rpm glibc-debuginfo-2.12-1.149.el6_6.5.ppc.rpm glibc-debuginfo-2.12-1.149.el6_6.5.ppc64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.ppc.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.ppc64.rpm glibc-devel-2.12-1.149.el6_6.5.ppc.rpm glibc-devel-2.12-1.149.el6_6.5.ppc64.rpm glibc-headers-2.12-1.149.el6_6.5.ppc64.rpm glibc-utils-2.12-1.149.el6_6.5.ppc64.rpm nscd-2.12-1.149.el6_6.5.ppc64.rpm
s390x: glibc-2.12-1.149.el6_6.5.s390.rpm glibc-2.12-1.149.el6_6.5.s390x.rpm glibc-common-2.12-1.149.el6_6.5.s390x.rpm glibc-debuginfo-2.12-1.149.el6_6.5.s390.rpm glibc-debuginfo-2.12-1.149.el6_6.5.s390x.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.s390.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.s390x.rpm glibc-devel-2.12-1.149.el6_6.5.s390.rpm glibc-devel-2.12-1.149.el6_6.5.s390x.rpm glibc-headers-2.12-1.149.el6_6.5.s390x.rpm glibc-utils-2.12-1.149.el6_6.5.s390x.rpm nscd-2.12-1.149.el6_6.5.s390x.rpm
x86_64: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-2.12-1.149.el6_6.5.x86_64.rpm glibc-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm nscd-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm
ppc64: glibc-debuginfo-2.12-1.149.el6_6.5.ppc.rpm glibc-debuginfo-2.12-1.149.el6_6.5.ppc64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.ppc.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.ppc64.rpm glibc-static-2.12-1.149.el6_6.5.ppc.rpm glibc-static-2.12-1.149.el6_6.5.ppc64.rpm
s390x: glibc-debuginfo-2.12-1.149.el6_6.5.s390.rpm glibc-debuginfo-2.12-1.149.el6_6.5.s390x.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.s390.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.s390x.rpm glibc-static-2.12-1.149.el6_6.5.s390.rpm glibc-static-2.12-1.149.el6_6.5.s390x.rpm
x86_64: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: glibc-2.12-1.149.el6_6.5.src.rpm
i386: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-headers-2.12-1.149.el6_6.5.i686.rpm glibc-utils-2.12-1.149.el6_6.5.i686.rpm nscd-2.12-1.149.el6_6.5.i686.rpm
x86_64: glibc-2.12-1.149.el6_6.5.i686.rpm glibc-2.12-1.149.el6_6.5.x86_64.rpm glibc-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-devel-2.12-1.149.el6_6.5.i686.rpm glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm nscd-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm
x86_64: glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm glibc-static-2.12-1.149.el6_6.5.i686.rpm glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source: glibc-2.17-55.el7_0.5.src.rpm
x86_64: glibc-2.17-55.el7_0.5.i686.rpm glibc-2.17-55.el7_0.5.x86_64.rpm glibc-common-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-devel-2.17-55.el7_0.5.i686.rpm glibc-devel-2.17-55.el7_0.5.x86_64.rpm glibc-headers-2.17-55.el7_0.5.x86_64.rpm glibc-utils-2.17-55.el7_0.5.x86_64.rpm nscd-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-static-2.17-55.el7_0.5.i686.rpm glibc-static-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: glibc-2.17-55.el7_0.5.src.rpm
x86_64: glibc-2.17-55.el7_0.5.i686.rpm glibc-2.17-55.el7_0.5.x86_64.rpm glibc-common-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-devel-2.17-55.el7_0.5.i686.rpm glibc-devel-2.17-55.el7_0.5.x86_64.rpm glibc-headers-2.17-55.el7_0.5.x86_64.rpm glibc-utils-2.17-55.el7_0.5.x86_64.rpm nscd-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-static-2.17-55.el7_0.5.i686.rpm glibc-static-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: glibc-2.17-55.el7_0.5.src.rpm
ppc64: glibc-2.17-55.el7_0.5.ppc.rpm glibc-2.17-55.el7_0.5.ppc64.rpm glibc-common-2.17-55.el7_0.5.ppc64.rpm glibc-debuginfo-2.17-55.el7_0.5.ppc.rpm glibc-debuginfo-2.17-55.el7_0.5.ppc64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.ppc.rpm glibc-debuginfo-common-2.17-55.el7_0.5.ppc64.rpm glibc-devel-2.17-55.el7_0.5.ppc.rpm glibc-devel-2.17-55.el7_0.5.ppc64.rpm glibc-headers-2.17-55.el7_0.5.ppc64.rpm glibc-utils-2.17-55.el7_0.5.ppc64.rpm nscd-2.17-55.el7_0.5.ppc64.rpm
s390x: glibc-2.17-55.el7_0.5.s390.rpm glibc-2.17-55.el7_0.5.s390x.rpm glibc-common-2.17-55.el7_0.5.s390x.rpm glibc-debuginfo-2.17-55.el7_0.5.s390.rpm glibc-debuginfo-2.17-55.el7_0.5.s390x.rpm glibc-debuginfo-common-2.17-55.el7_0.5.s390.rpm glibc-debuginfo-common-2.17-55.el7_0.5.s390x.rpm glibc-devel-2.17-55.el7_0.5.s390.rpm glibc-devel-2.17-55.el7_0.5.s390x.rpm glibc-headers-2.17-55.el7_0.5.s390x.rpm glibc-utils-2.17-55.el7_0.5.s390x.rpm nscd-2.17-55.el7_0.5.s390x.rpm
x86_64: glibc-2.17-55.el7_0.5.i686.rpm glibc-2.17-55.el7_0.5.x86_64.rpm glibc-common-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-devel-2.17-55.el7_0.5.i686.rpm glibc-devel-2.17-55.el7_0.5.x86_64.rpm glibc-headers-2.17-55.el7_0.5.x86_64.rpm glibc-utils-2.17-55.el7_0.5.x86_64.rpm nscd-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: glibc-debuginfo-2.17-55.el7_0.5.ppc.rpm glibc-debuginfo-2.17-55.el7_0.5.ppc64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.ppc.rpm glibc-debuginfo-common-2.17-55.el7_0.5.ppc64.rpm glibc-static-2.17-55.el7_0.5.ppc.rpm glibc-static-2.17-55.el7_0.5.ppc64.rpm
s390x: glibc-debuginfo-2.17-55.el7_0.5.s390.rpm glibc-debuginfo-2.17-55.el7_0.5.s390x.rpm glibc-debuginfo-common-2.17-55.el7_0.5.s390.rpm glibc-debuginfo-common-2.17-55.el7_0.5.s390x.rpm glibc-static-2.17-55.el7_0.5.s390.rpm glibc-static-2.17-55.el7_0.5.s390x.rpm
x86_64: glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-static-2.17-55.el7_0.5.i686.rpm glibc-static-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: glibc-2.17-55.el7_0.5.src.rpm
x86_64: glibc-2.17-55.el7_0.5.i686.rpm glibc-2.17-55.el7_0.5.x86_64.rpm glibc-common-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-devel-2.17-55.el7_0.5.i686.rpm glibc-devel-2.17-55.el7_0.5.x86_64.rpm glibc-headers-2.17-55.el7_0.5.x86_64.rpm glibc-utils-2.17-55.el7_0.5.x86_64.rpm nscd-2.17-55.el7_0.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: glibc-debuginfo-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm glibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm glibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm glibc-static-2.17-55.el7_0.5.i686.rpm glibc-static-2.17-55.el7_0.5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2015-0235 https://access.redhat.com/security/updates/classification/#critical
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFUx9bmXlSAg2UNWIIRAjP4AJ9/EPFLyhSuapG8Lie71zPk6VaF8wCfVAw2 VIBda0hF+i0zAuST73ezXzI= =w5UI -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/glibc-2.17-i486-10_slack14.1.txz: Rebuilt.
  This flaw could allow local or remote attackers to take control of a machine running a vulnerable version of glibc. Thanks to Qualys for discovering this issue (also known as the GHOST vulnerability.)
  For more information, see:
    https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
  ( Security fix )
patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz: Rebuilt.
patches/packages/glibc-zoneinfo-2014j-noarch-1.txz: Upgraded.
  Upgraded to tzcode2014j and tzdata2014j.
+--------------------------+
Where to find the new packages: +-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated packages for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-2.9-i486-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-i18n-2.9-i486-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-profile-2.9-i486-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-solibs-2.9-i486-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-2.9-x86_64-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-i18n-2.9-x86_64-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-profile-2.9-x86_64-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-solibs-2.9-x86_64-7_slack13.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-2.11.1-i486-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-i18n-2.11.1-i486-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-profile-2.11.1-i486-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-solibs-2.11.1-i486-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-2.11.1-x86_64-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-i18n-2.11.1-x86_64-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-profile-2.11.1-x86_64-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-solibs-2.11.1-x86_64-9_slack13.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-2.13-i486-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-i18n-2.13-i486-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-profile-2.13-i486-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-solibs-2.13-i486-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-2.13-x86_64-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-i18n-2.13-x86_64-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-profile-2.13-x86_64-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-solibs-2.13-x86_64-8_slack13.37.txz ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-2.15-i486-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-i18n-2.15-i486-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-profile-2.15-i486-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-solibs-2.15-i486-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-2.15-x86_64-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-i18n-2.15-x86_64-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-profile-2.15-x86_64-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-solibs-2.15-x86_64-9_slack14.0.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-2.17-i486-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-2.17-x86_64-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-i18n-2.17-x86_64-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-profile-2.17-x86_64-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-solibs-2.17-x86_64-10_slack14.1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz
Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/glibc-solibs-2.20-i486-2.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/glibc-zoneinfo-2014j-noarch-1.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-2.20-i486-2.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-i18n-2.20-i486-2.txz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-profile-2.20-i486-2.txz
Updated packages for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/glibc-solibs-2.20-x86_64-2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/glibc-zoneinfo-2014j-noarch-1.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-2.20-x86_64-2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-i18n-2.20-x86_64-2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-profile-2.20-x86_64-2.txz
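MD5 signatures: +-------------+
Note: an MD5 sum only detects a corrupted download; it does not establish that a package is authentic. Check the GPG signature against the Slackware key (http://slackware.com/gpg-key) before installing.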
Slackware 13.0 packages: 41402c65ebdef4b022c799131556ef7e glibc-2.9-i486-7_slack13.0.txz 7095e3cd743af0179ea14b9bff81e3f4 glibc-i18n-2.9-i486-7_slack13.0.txz 901d50b809ed84837ff45b2ca7838bb3 glibc-profile-2.9-i486-7_slack13.0.txz 421a711b7cf1be2df2421ae5cd50b217 glibc-solibs-2.9-i486-7_slack13.0.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware x86_64 13.0 packages: d4266628a8db63751f3f55b8bc2e2162 glibc-2.9-x86_64-7_slack13.0.txz b6161a0e23da771c5c6903605e49e403 glibc-i18n-2.9-x86_64-7_slack13.0.txz b8026d61e3849cce26539def0b665ca3 glibc-profile-2.9-x86_64-7_slack13.0.txz 1f7f4cf57d44d75d4ef2786152f33403 glibc-solibs-2.9-x86_64-7_slack13.0.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware 13.1 packages: 03e0d0224efe8bc794b5be0454612a1e glibc-2.11.1-i486-9_slack13.1.txz fabbdd8d7f14667c7a2dc7ede87b5510 glibc-i18n-2.11.1-i486-9_slack13.1.txz 1c1d86a9dabe329c3d30796188b66ebe glibc-profile-2.11.1-i486-9_slack13.1.txz e2ebe08bb02550c69202a6f973ef7e47 glibc-solibs-2.11.1-i486-9_slack13.1.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware x86_64 13.1 packages: c00de492a4842e3a86101028e8cc03f0 glibc-2.11.1-x86_64-9_slack13.1.txz 9657c55f39b233333e48d08acee9ed78 glibc-i18n-2.11.1-x86_64-9_slack13.1.txz ada2d7f7b7ffdfd7a4407696ad714e48 glibc-profile-2.11.1-x86_64-9_slack13.1.txz b3c393e74aafbb5276cea1217dfcd1aa glibc-solibs-2.11.1-x86_64-9_slack13.1.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware 13.37 packages: 16615e6ef8311b928e3a05e0b7f3e505 glibc-2.13-i486-8_slack13.37.txz 319dfc0cbdaf8410981195fffb1371c6 glibc-i18n-2.13-i486-8_slack13.37.txz 6964339495ab981d17ba27cd5878a400 glibc-profile-2.13-i486-8_slack13.37.txz 1834abd11fab02725e897040bbead56f glibc-solibs-2.13-i486-8_slack13.37.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware x86_64 13.37 packages: 1753003d261831ac235445e23a9f9870 glibc-2.13-x86_64-8_slack13.37.txz 8aa103984bb2cb293072a022dd9144f2 glibc-i18n-2.13-x86_64-8_slack13.37.txz a56e90a34eec8f60e265c45d05490a57 glibc-profile-2.13-x86_64-8_slack13.37.txz c6f684ea049e4091b96d15606eb454d1 glibc-solibs-2.13-x86_64-8_slack13.37.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware 14.0 packages: a2fadb666bfdf5c7c4c9792cbf34785d glibc-2.15-i486-9_slack14.0.txz 3b3626f4a170a603af36ca60c7840fa6 glibc-i18n-2.15-i486-9_slack14.0.txz ad237d138bb874e57c4080071d27e798 glibc-profile-2.15-i486-9_slack14.0.txz f07d37e52014cec80e43d883eda516ae glibc-solibs-2.15-i486-9_slack14.0.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware x86_64 14.0 packages: a5d02d71a230b6daa39d2ebefd8a6548 glibc-2.15-x86_64-9_slack14.0.txz 62c30b615e38ba63cafb8053383eabde glibc-i18n-2.15-x86_64-9_slack14.0.txz 152d094ab6bc4c7f763dd4ad1a53784c glibc-profile-2.15-x86_64-9_slack14.0.txz b256163bb179d1aebfda5f45270a0580 glibc-solibs-2.15-x86_64-9_slack14.0.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware 14.1 packages: 8f2fb91bb39d8a1db3bd6510295e6b1e glibc-2.17-i486-10_slack14.1.txz 8d179820a827a4dce028b57d3fa39237 glibc-i18n-2.17-i486-10_slack14.1.txz 19a4824c6ff8792a1166a38ceff824e0 glibc-profile-2.17-i486-10_slack14.1.txz 417dede2ae464059002b6fcc2048f942 glibc-solibs-2.17-i486-10_slack14.1.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware x86_64 14.1 packages: 490ce11a13439e30ff312769cc4fabb1 glibc-2.17-x86_64-10_slack14.1.txz cd145e0d6a12b15d5282d7d1b3de92ed glibc-i18n-2.17-x86_64-10_slack14.1.txz 93aea777dd41dc1c631dce1cf252bf14 glibc-profile-2.17-x86_64-10_slack14.1.txz 6b759039a5b3f8c88b3753e722ded78e glibc-solibs-2.17-x86_64-10_slack14.1.txz 61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz
Slackware -current packages: 395d4ad5fb71c4a56a500c3e51d07c8b a/glibc-solibs-2.20-i486-2.txz 61278ba5a904a7474e9b0b64b0daab97 a/glibc-zoneinfo-2014j-noarch-1.txz 3ca2827446e66d0d2d0e0bc8c55ba1ed l/glibc-2.20-i486-2.txz 94105b1a10c42ce0995f8ace6b4f06a8 l/glibc-i18n-2.20-i486-2.txz fcc2ad4f5aad3a7d704d708a170c5351 l/glibc-profile-2.20-i486-2.txz
Slackware x86_64 -current packages: 25129dd9dfed8a8e834c87ba40c1ef17 a/glibc-solibs-2.20-x86_64-2.txz 61278ba5a904a7474e9b0b64b0daab97 a/glibc-zoneinfo-2014j-noarch-1.txz b8ff5e308769d8e4eddccd9940058d5c l/glibc-2.20-x86_64-2.txz 8c3db9286aa93346d25ffad38178137b l/glibc-i18n-2.20-x86_64-2.txz 21f2a62d975b433f570cd5129cdc21fb l/glibc-profile-2.20-x86_64-2.txz
Installation instructions: +------------------------+
Upgrade the packages as root:
upgradepkg glibc-*
+-----+
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
To leave the slackware-security mailing list, send an email to majordomo@slackware.com with this text in the body of the email message:
unsubscribe slackware-security
You will get a confirmation message back containing instructions to complete the process. Please do not reply to this email address.

SEC Consult Vulnerability Lab Security Advisory < 20210901-0 >
=======================================================================
title: Multiple vulnerabilities
product: see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: see "Solution"
CVE number: CVE-2021-39278, CVE-2021-39279
impact: High
homepage: https://www.moxa.com/
found: 2020-08-31
by: T. Weber (Office Vienna)
    SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
"Together, We Create Change
Moxa is committed to making a positive impact around the world. We put our all behind this commitment--from our employees, to our products and supply chain.
In our local communities, we nurture and support the spirit of volunteering. We encourage our employees to contribute to community development, with an emphasis on ecology, education, and health.
In our products, we invest in social awareness programs and environment-friendly policies at every stage of the product lifecycle. We make sure our manufacturing meets the highest standards with regards to quality, ethics, and sustainability."
Source: https://www.moxa.com/en/about-us/corporate-responsibility
Business recommendation:
SEC Consult recommends immediately applying the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.
Vulnerability overview/description:
1) Authenticated Command Injection (CVE-2021-39279) An authenticated command injection vulnerability can be triggered by issuing a GET request to the "/forms/web_importTFTP" CGI program which is available on the web interface. An attacker can abuse this vulnerability to compromise the operating system of the device. This issue was found by emulating the firmware of the device.
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278) Via a crafted config-file, a reflected cross-site scripting vulnerability can be exploited in the context of the victim's browser. This config-file can be uploaded to the device via the "Config Import Export" tab in the main menu.
3) [heading missing in this copy] One of the discovered vulnerabilities (CVE-2015-0235, gethostbyname "GHOST" buffer overflow) was verified by using the MEDUSA scalable firmware runtime.
4) Multiple Outdated Software Components Multiple outdated software components containing vulnerabilities were found by the IoT Inspector.
The vulnerabilities 1), 2) and 3) were manually verified on an emulated device by using the MEDUSA scalable firmware runtime.
Proof of concept:
1) Authenticated Command Injection (CVE-2021-39279) The vulnerability can be triggered by navigating in the web interface to the tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "TFTP Import" menu is prone to command injection via all parameters. To exploit the vulnerability, an IP address, a configuration path and a filename must be set. If the filename is used to trigger the exploit, the payload in the interceptor proxy would be:
http://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1&configPath=/&fileName=name|ping localhost -c 100
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278) The vulnerability can be triggered by navigating in the web interface to the tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "Config Import" menu is prone to reflected cross-site scripting via the upload of config files. Example of malicious config file:
[board] deviceName="WAC-2004_0000alert(document.cookie)" deviceLocation="" [..]
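Uploading such a crafted file triggers cross-site scripting because the erroneous value is displayed without filtering or encoding HTML special characters. The script markup of the sample value above appears to have been stripped from this copy.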
3) [heading missing in this copy] The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled and executed on the emulated device to test the system.
4) Multiple Outdated Software Components The IoT Inspector recognized multiple outdated software components with known vulnerabilities:
BusyBox 1.18.5 06/2011
Dropbear SSH 2011.54 11/2011
GNU glibc 2.9 02/2009
Linux Kernel 2.6.27 10/2008
OpenSSL 0.9.7g 04/2005
Only found in the program "iw_director"
OpenSSL 1.0.0 03/2010
Vulnerable / tested versions:
The following firmware versions for various devices have been identified to be vulnerable: * WAC-2004 / 1.7 * WAC-1001 / 2.1 * WAC-1001-T / 2.1 * OnCell G3470A-LTE-EU / 1.7 * OnCell G3470A-LTE-EU-T / 1.7 * TAP-323-EU-CT-T / 1.3 * TAP-323-US-CT-T / 1.3 * TAP-323-JP-CT-T / 1.3 * WDR-3124A-EU / 2.3 * WDR-3124A-EU-T / 2.3 * WDR-3124A-US / 2.3 * WDR-3124A-US-T / 2.3
Vendor contact timeline:
2020-10-09: Contacting vendor through moxa.csrt@moxa.com.
2020-10-12: Contact sends PGP key for encrypted communication and asks for the detailed advisory. Sent encrypted advisory to vendor.
2020-11-06: Status update from vendor regarding technical analysis. Vendor requested more time for fixing the vulnerabilities as more products are affected.
2020-11-09: Granted vendor more time for fixing.
2020-11-10: Vendor asked for next steps regarding the advisory publication.
2020-11-11: Asked vendor for an estimate of when a public disclosure is possible.
2020-11-16: Vendor responded that the product team can give rough feedback.
2020-11-25: Asked for a status update.
2020-11-25: Vendor responded that the investigation is not done yet.
2020-12-14: Vendor provided a list of potentially affected devices and stated that full investigation may take until January 2021 due to the list of CVEs that were provided with the appended IoT Inspector report. The patches may be available until June 2021.
2020-12-15: Shifted next status update round with vendor to May 2021.
2020-12-23: Vendor provided full list of affected devices.
2021-02-05: Vendor sieved out the found issues from 4) manually and provided a full list of confirmed vulnerabilities. WAC-2004 phased out in 2019.
2021-02-21: Confirmed receipt of vulnerabilities, next status update in May 2021.
2021-06-10: Asking for an update.
2021-06-15: Vendor stated that the update will be provided in the next days.
2021-06-21: Vendor will give an update in the next week as Covid gets worse in Taiwan.
2021-06-23: Vendor stated that patches are under development. Vendor needs more time to finish the patches.
2021-06-24: Set release date to 2021-09-01.
2021-07-02: Vendor provides status updates.
2021-08-16: Vendor provides status updates.
2021-08-17: Vendor asks for CVE IDs and stated that WDR-3124A has been phased out.
2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers.
2021-08-31: Vendor provides fixed firmware version numbers and the advisory links.
2021-09-01: Coordinated release of security advisory.
Solution:
According to the vendor, the following patches must be applied to fix the issues:
* WAC-1001 / 2.1.5
* WAC-1001-T / 2.1.5
* OnCell G3470A-LTE-EU / 1.7.4
* OnCell G3470A-LTE-EU-T / 1.7.4
* TAP-323-EU-CT-T / 1.8.1
* TAP-323-US-CT-T / 1.8.1
* TAP-323-JP-CT-T / 1.8.1
The Moxa Technical Support must be contacted for requesting the security patches.
The corresponding security advisories for the affected devices are available on the vendor's website:
TAP-323/WAC-1001/WAC-2004: https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities
OnCell G3470A-LTE/WDR-3124A: https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities
The following device models are EOL and should be replaced:
* WAC-2004
* WDR-3124A-EU
* WDR-3124A-EU-T
* WDR-3124A-US
* WDR-3124A-US-T
Workaround:
None.
Advisory URL:
https://sec-consult.com/vulnerability-lab/
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF Thomas Weber / @2021
. If Apache was manually enabled and the configuration was not changed, some files that should not be accessible might have been accessible using a specially crafted URL. This issue was addressed through the addition of a mechanism to trust only a subset of certificates issued prior to the mis-issuance of the intermediate. This issue, also known as Logjam, allowed an attacker with a privileged network position to downgrade security to 512-bit DH if the server supported an export-strength ephemeral DH cipher suite. The issue was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits. CVE-ID CVE-2015-3695 : Ian Beer of Google Project Zero CVE-2015-3696 : Ian Beer of Google Project Zero CVE-2015-3697 : Ian Beer of Google Project Zero CVE-2015-3698 : Ian Beer of Google Project Zero CVE-2015-3699 : Ian Beer of Google Project Zero CVE-2015-3700 : Ian Beer of Google Project Zero CVE-2015-3701 : Ian Beer of Google Project Zero CVE-2015-3702 : KEEN Team
ImageIO Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3 Impact: Multiple vulnerabilities existed in libtiff, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libtiff versions prior to 4.0.4. CVE-ID CVE-2015-3661 : G. Geshev working with HP's Zero Day Initiative CVE-2015-3662 : kdot working with HP's Zero Day Initiative CVE-2015-3663 : kdot working with HP's Zero Day Initiative CVE-2015-3666 : Steven Seeley of Source Incite working with HP's Zero Day Initiative CVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs, Ryan Pentney, and Richard Johnson of Cisco Talos and Kai Lu of Fortinet's FortiGuard Labs CVE-2015-3668 : Kai Lu of Fortinet's FortiGuard Labs CVE-2015-3713 : Apple
Security Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3 Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the Security framework code for parsing S/MIME e-mail and some other signed or encrypted objects. CVE-ID CVE-2013-1741
Security Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.3 Impact: Tampered applications may not be prevented from launching Description: Apps using custom resource rules may have been susceptible to tampering that would not have invalidated the signature
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "communications policy management",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "9.9.1"
},
{
"_id": null,
"model": "exalogic infrastructure",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "2.0"
},
{
"_id": null,
"model": "communications webrtc session controller",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "7.0"
},
{
"_id": null,
"model": "exalogic infrastructure",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "1.0"
},
{
"_id": null,
"model": "communications policy management",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "9.7.3"
},
{
"_id": null,
"model": "communications eagle lnp application processor",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "10.0"
},
{
"_id": null,
"model": "security access manager for enterprise single sign-on",
"scope": "eq",
"trust": 1.3,
"vendor": "ibm",
"version": "8.2"
},
{
"_id": null,
"model": "communications eagle application processor",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "16.0"
},
{
"_id": null,
"model": "communications lsms",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "13.1"
},
{
"_id": null,
"model": "communications policy management",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "12.1.1"
},
{
"_id": null,
"model": "communications webrtc session controller",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "7.1"
},
{
"_id": null,
"model": "communications webrtc session controller",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "7.2"
},
{
"_id": null,
"model": "communications policy management",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "10.4.1"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 1.0,
"vendor": "ibm",
"version": "1.1.0.0"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "7.0"
},
{
"_id": null,
"model": "php",
"scope": "gte",
"trust": 1.0,
"vendor": "php",
"version": "5.5.0"
},
{
"_id": null,
"model": "php",
"scope": "lt",
"trust": 1.0,
"vendor": "php",
"version": "5.4.38"
},
{
"_id": null,
"model": "virtualization",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"_id": null,
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.1"
},
{
"_id": null,
"model": "vm virtualbox",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "5.1.24"
},
{
"_id": null,
"model": "glibc",
"scope": "lt",
"trust": 1.0,
"vendor": "gnu",
"version": "2.18"
},
{
"_id": null,
"model": "communications user data repository",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "10.0.1"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"_id": null,
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.2.0"
},
{
"_id": null,
"model": "php",
"scope": "lt",
"trust": 1.0,
"vendor": "php",
"version": "5.6.6"
},
{
"_id": null,
"model": "communications session border controller",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "7.2.0"
},
{
"_id": null,
"model": "php",
"scope": "lt",
"trust": 1.0,
"vendor": "php",
"version": "5.5.22"
},
{
"_id": null,
"model": "communications policy management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.5"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 1.0,
"vendor": "ibm",
"version": "1.0.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "gte",
"trust": 1.0,
"vendor": "gnu",
"version": "2.0"
},
{
"_id": null,
"model": "php",
"scope": "gte",
"trust": 1.0,
"vendor": "php",
"version": "5.4.0"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "3.7.1"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 1.0,
"vendor": "ibm",
"version": "2.0.0.0"
},
{
"_id": null,
"model": "php",
"scope": "gte",
"trust": 1.0,
"vendor": "php",
"version": "5.6.0"
},
{
"_id": null,
"model": "communications user data repository",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "10.0.0"
},
{
"_id": null,
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.17"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.14.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.15"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.13"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.12"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.14"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.11.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.12.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.16"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.9,
"vendor": "gnu",
"version": "2.12.1"
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "arch linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "blue coat",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "citrix",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian gnu linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "gentoo linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "juniper",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "nec",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openwall gnu linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "suse linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "slackware linux",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ubuntu",
"version": null
},
{
"_id": null,
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "opensuse",
"version": null
},
{
"_id": null,
"model": "ubuntu",
"scope": null,
"trust": 0.8,
"vendor": "canonical",
"version": null
},
{
"_id": null,
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"_id": null,
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"_id": null,
"model": "embedded glibc",
"scope": "lt",
"trust": 0.8,
"vendor": "gnu",
"version": "2.14"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"_id": null,
"model": "edge digital media player",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "3000"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7835"
},
{
"_id": null,
"model": "aura collaboration environment",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "3.0"
},
{
"_id": null,
"model": "enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "1.5.2.0"
},
{
"_id": null,
"model": "big-ip wom hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "datapower gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.2"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7225"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.5"
},
{
"_id": null,
"model": "telepresence video communication server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "infosphere guardium",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.2"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "6"
},
{
"_id": null,
"model": "sparc enterprise m5000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1118"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.40"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.4"
},
{
"_id": null,
"model": "fortimanager",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "point software security gateway r75.20.4",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "80"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.3"
},
{
"_id": null,
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "ios-xe for catalyst air-ct5760",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "sinumerik 840d sl",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "4.7"
},
{
"_id": null,
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "big-ip gtm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11"
},
{
"_id": null,
"model": "big-ip apm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "5890"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.1.1"
},
{
"_id": null,
"model": "big-ip webaccelerator hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.5"
},
{
"_id": null,
"model": "fortiauthenticator",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "big-ip gtm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.10.1"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.1.0"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.4"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7"
},
{
"_id": null,
"model": "enterprise linux es",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "4"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.1"
},
{
"_id": null,
"model": "big-ip link controller hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "one-x client enablement services sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "platform director",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "2.0"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)4.2"
},
{
"_id": null,
"model": "ds8870",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"_id": null,
"model": "ace application control engine module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "meeting exchange sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.1"
},
{
"_id": null,
"model": "asr series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50000"
},
{
"_id": null,
"model": "point software secureplatform os r76",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.5"
},
{
"_id": null,
"model": "operations manager i",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "10.00"
},
{
"_id": null,
"model": "edge digital media player",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "3400"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "1.0"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "point software security management r71.30",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "point software gaia os r75.0",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "hunk",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.1"
},
{
"_id": null,
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"_id": null,
"model": "workload deployer",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.16"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.16"
},
{
"_id": null,
"model": "intelligent automation for cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "jabber guest",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "10.0(2)"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.7"
},
{
"_id": null,
"model": "big-iq device",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.5"
},
{
"_id": null,
"model": "platform director",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "big-iq device",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"_id": null,
"model": "enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.2"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.0.0"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "fortiswitch",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "smart analytics system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "77009.7"
},
{
"_id": null,
"model": "mobility software",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "6.5.3.0"
},
{
"_id": null,
"model": "big-ip edge gateway 11.1.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "aura conferencing standard",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "big-ip asm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "point software secureplatform r60 hfa 05",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.1"
},
{
"_id": null,
"model": "system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x0"
},
{
"_id": null,
"model": "linux i386",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"_id": null,
"model": "aura communication manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.1"
},
{
"_id": null,
"model": "one-x client enablement services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "fs1-2 flash storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.3"
},
{
"_id": null,
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "integrated lights out manager",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.2.4"
},
{
"_id": null,
"model": "telepresence te software",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "-0"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.3"
},
{
"_id": null,
"model": "ascenlink 7.1-b5745",
"scope": null,
"trust": 0.3,
"vendor": "fortinet",
"version": null
},
{
"_id": null,
"model": "linux enterprise software development kit sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "big-ip edge gateway hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "7"
},
{
"_id": null,
"model": "big-ip apm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.3"
},
{
"_id": null,
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.6"
},
{
"_id": null,
"model": "smartcloud provisioning",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1"
},
{
"_id": null,
"model": "qradar risk manager mr2 patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.19"
},
{
"_id": null,
"model": "operation agent virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "11.14"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.9"
},
{
"_id": null,
"model": "videoscape distribution suite transparent caching",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "api management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.0"
},
{
"_id": null,
"model": "aura system platform sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "flex system ib6131 40gb infiniband switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.4"
},
{
"_id": null,
"model": "big-ip ltm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "1"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.1.0"
},
{
"_id": null,
"model": "fs1-2 flash storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.2"
},
{
"_id": null,
"model": "point software secureplatform r65 hfa02",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "xiv storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.5.1"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "9393"
},
{
"_id": null,
"model": "xiv storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.4.1"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.1"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "business server",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "1"
},
{
"_id": null,
"model": "realpresence resource manager",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "8.3.1"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "5855"
},
{
"_id": null,
"model": "sparc enterprise m5000",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "point software security gateway r75.46",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "xiv storage system a",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.3"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.4"
},
{
"_id": null,
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "webex meetings server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.5"
},
{
"_id": null,
"model": "ruggedcom ape",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "14040"
},
{
"_id": null,
"model": "point software security management r75.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "app for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "3.1.3"
},
{
"_id": null,
"model": "aura experience portal",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "alienvault",
"scope": "ne",
"trust": 0.3,
"vendor": "alienvault",
"version": "4.15.1"
},
{
"_id": null,
"model": "integrated lights out manager",
"scope": "ne",
"trust": 0.3,
"vendor": "oracle",
"version": "3.2.6"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "9303"
},
{
"_id": null,
"model": "workload deployer",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.0.1"
},
{
"_id": null,
"model": "operations analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.1"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "meeting exchange sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.0"
},
{
"_id": null,
"model": "big-ip apm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "icewall sso dfw r1",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "8.0"
},
{
"_id": null,
"model": "aura application server sip core",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "big-ip ltm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.0.0.52"
},
{
"_id": null,
"model": "big-ip webaccelerator hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "point software gaia os r75.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.3"
},
{
"_id": null,
"model": "ctpview",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "0"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "aura communication manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.3.0.3"
},
{
"_id": null,
"model": "ip office application server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.0"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.4"
},
{
"_id": null,
"model": "communications application session controller 3.7.1m0",
"scope": null,
"trust": 0.3,
"vendor": "oracle",
"version": null
},
{
"_id": null,
"model": "fortimail",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.2"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.2"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.6"
},
{
"_id": null,
"model": "point software secureplatform os r77.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "cms r17ac.h",
"scope": null,
"trust": 0.3,
"vendor": "avaya",
"version": null
},
{
"_id": null,
"model": "alienvault",
"scope": "eq",
"trust": 0.3,
"vendor": "alienvault",
"version": "4.13"
},
{
"_id": null,
"model": "point software gaia os r77.0",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.1.1"
},
{
"_id": null,
"model": "flex system en6131 40gb ethernet switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.4"
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.0"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)4.3"
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "2.1"
},
{
"_id": null,
"model": "cloudaxis wsp",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "telepresence tx series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "90000"
},
{
"_id": null,
"model": "mds 9222i multilayer fabric switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.1"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "alienvault",
"scope": "eq",
"trust": 0.3,
"vendor": "alienvault",
"version": "4.12"
},
{
"_id": null,
"model": "rss",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "40000"
},
{
"_id": null,
"model": "mds multilayer director",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "95060"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"_id": null,
"model": "mds 9250i multilayer fabric switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.2"
},
{
"_id": null,
"model": "unified sip proxy",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.6"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "real-time compression appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.9"
},
{
"_id": null,
"model": "qradar siem mr2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.40"
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.4"
},
{
"_id": null,
"model": "aura communication manager ssp04",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.1"
},
{
"_id": null,
"model": "datapower gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.4"
},
{
"_id": null,
"model": "integrated lights out manager",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "big-ip ltm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip analytics hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.31"
},
{
"_id": null,
"model": "big-ip link controller hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "ruggedcom ape1404-c01",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.8"
},
{
"_id": null,
"model": "point software security gateway r71.00",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "80"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "1.1"
},
{
"_id": null,
"model": "prime optical for sps",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.2"
},
{
"_id": null,
"model": "manycore platform software stack",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "3.4.3"
},
{
"_id": null,
"model": "ds8870",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.3"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.19"
},
{
"_id": null,
"model": "ruggedcom ape 1402-c01",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "0"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "operations analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.0"
},
{
"_id": null,
"model": "big-ip link controller hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "mac os security update",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x2015"
},
{
"_id": null,
"model": "big-ip edge gateway 10.2.3-hf1",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.3"
},
{
"_id": null,
"model": "distributed media application",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "6.2.1"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.1"
},
{
"_id": null,
"model": "sparc enterprise m4000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1118"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2"
},
{
"_id": null,
"model": "aura application server sip core pb23",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.1"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "linux enterprise server sp3 for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "8700"
},
{
"_id": null,
"model": "big-ip asm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "helion application lifecycle service for linux",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "1.0.1.11"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "5"
},
{
"_id": null,
"model": "ethernet switch es2-64",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1.9.1"
},
{
"_id": null,
"model": "big-ip ltm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.14"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.0"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.20"
},
{
"_id": null,
"model": "smart call home",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "point software secureplatform r65.70",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.4"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.3"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.1"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "show and share",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "qradar vulnerability manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.4"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "communications user data repository",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "10.0"
},
{
"_id": null,
"model": "secure acs",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.446.5"
},
{
"_id": null,
"model": "mmp server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "one-x client enablement services sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "point software security gateway r75.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.5"
},
{
"_id": null,
"model": "security network protection",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.2.0"
},
{
"_id": null,
"model": "sunstone xrv-64 vrp",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.10"
},
{
"_id": null,
"model": "point software gaia os r77.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.2.2"
},
{
"_id": null,
"model": "mds fiber channel switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "meeting exchange sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.0"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "physical access manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.0"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2.3"
},
{
"_id": null,
"model": "sun blade ethernet switched nem 24p 10ge",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "60000"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.4.11"
},
{
"_id": null,
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "unified communications manager im and presence service",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "nexus series switches",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "30000"
},
{
"_id": null,
"model": "point software security management r70.40",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip gtm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "aura experience portal sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "ethernet switch es2-72",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1.9.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.4"
},
{
"_id": null,
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"_id": null,
"model": "security proventia network enterprise scanner",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.3"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.5.0"
},
{
"_id": null,
"model": "powerkvm",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1"
},
{
"_id": null,
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "big-ip ltm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0"
},
{
"_id": null,
"model": "mds series multilayer switches",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "90000"
},
{
"_id": null,
"model": "aura conferencing sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.0"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "big-ip analytics hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "ne",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "ace application control engine module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "300"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.3"
},
{
"_id": null,
"model": "big-ip gtm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "video border proxy",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.3"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.7.8.0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.10"
},
{
"_id": null,
"model": "sdn for virtual environments",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2.2"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.3"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11"
},
{
"_id": null,
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11.2"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.2"
},
{
"_id": null,
"model": "ios-xe for asr1k",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "smart analytics system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "77109.7"
},
{
"_id": null,
"model": "point software vsx r67",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "meeting exchange sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "big-ip link controller hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "enterprise linux desktop client",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "5"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.4.1"
},
{
"_id": null,
"model": "big-ip edge gateway 11.0.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "small cell factory recovery root filesystem",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.99.4"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "point software security gateway r75.45",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-iq device",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.1"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.4.0.5"
},
{
"_id": null,
"model": "websphere datapower xc10 appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.5"
},
{
"_id": null,
"model": "big-ip edge gateway hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "security privileged identity manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.0.1.1"
},
{
"_id": null,
"model": "fortisanbbox",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "aura session manager sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "point software gaia os r76.0",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "aura communication manager utility services sp",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.16.1.0.9.8"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.4"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.5"
},
{
"_id": null,
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.0"
},
{
"_id": null,
"model": "videoscape back office",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7845"
},
{
"_id": null,
"model": "iq",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.2"
},
{
"_id": null,
"model": "xiv storage system 10.2.4.e-7",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2810"
},
{
"_id": null,
"model": "point software security gateway r71.45",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)4.1"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.1"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.6"
},
{
"_id": null,
"model": "mds fabric switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "91240"
},
{
"_id": null,
"model": "aura presence services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "rss",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "40008.5.3"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "big-ip ltm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50200"
},
{
"_id": null,
"model": "digital media manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "sinumerik 828d",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "4.7"
},
{
"_id": null,
"model": "aura presence services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.2"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.5"
},
{
"_id": null,
"model": "ip office server edition",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "9.0"
},
{
"_id": null,
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "point software gaia os r71.0",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.2.2"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"_id": null,
"model": "cms r17 r4",
"scope": null,
"trust": 0.3,
"vendor": "avaya",
"version": null
},
{
"_id": null,
"model": "infosphere guardium",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.1"
},
{
"_id": null,
"model": "ascenlink 7.1-b5599",
"scope": null,
"trust": 0.3,
"vendor": "fortinet",
"version": null
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.2.1"
},
{
"_id": null,
"model": "qradar siem patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.34"
},
{
"_id": null,
"model": "sparc enterprise m9000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1117"
},
{
"_id": null,
"model": "big-ip asm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "capture server",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "2.0"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0.0"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.0"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.4.0.15"
},
{
"_id": null,
"model": "cloudaxis wsp",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "1.7"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "3.1.11"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.1"
},
{
"_id": null,
"model": "fortirecorder",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "1.4.1"
},
{
"_id": null,
"model": "big-ip gtm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.41"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.4"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7855"
},
{
"_id": null,
"model": "sdn for virtual environments",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.0"
},
{
"_id": null,
"model": "big-ip apm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.5"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "big-ip wom hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "telepresence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "13000"
},
{
"_id": null,
"model": "prime infrastructure plug and play gateway server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.3.1"
},
{
"_id": null,
"model": "big-ip asm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "capture server",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "3.1"
},
{
"_id": null,
"model": "fortiadc-d",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "ace \u0026 application control engine module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "10200"
},
{
"_id": null,
"model": "sparc enterprise m4000",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "smart analytics system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "76009.7"
},
{
"_id": null,
"model": "qradar siem patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.41"
},
{
"_id": null,
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "opensuse",
"version": "12.3"
},
{
"_id": null,
"model": "mds fabric switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "91340"
},
{
"_id": null,
"model": "telepresence exchange system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.0"
},
{
"_id": null,
"model": "cms r17",
"scope": null,
"trust": 0.3,
"vendor": "avaya",
"version": null
},
{
"_id": null,
"model": "sun data center infiniband switch",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "360"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.2"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.8.2.0"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"_id": null,
"model": "fortivoice 200d",
"scope": null,
"trust": 0.3,
"vendor": "fortinet",
"version": null
},
{
"_id": null,
"model": "communications session border controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.4"
},
{
"_id": null,
"model": "messagesight",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.4"
},
{
"_id": null,
"model": "aura application server sip core pb28",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "5845"
},
{
"_id": null,
"model": "hunk",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.0"
},
{
"_id": null,
"model": "sdn for virtual environments",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "4"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.3.1"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"_id": null,
"model": "big-ip link controller hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "telepresence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "500-37"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.0"
},
{
"_id": null,
"model": "as infinity",
"scope": "ne",
"trust": 0.3,
"vendor": "pexip",
"version": "8.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.2"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "big-ip edge gateway hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"_id": null,
"model": "telepresence system series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "30000"
},
{
"_id": null,
"model": "manycore platform software stack",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "3.4"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1.0"
},
{
"_id": null,
"model": "datapower gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.1.7"
},
{
"_id": null,
"model": "big-ip webaccelerator hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "meeting exchange sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2"
},
{
"_id": null,
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.2"
},
{
"_id": null,
"model": "point software security gateway r76",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "ios-xe for catalyst 4k",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "one-x client enablement services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.2"
},
{
"_id": null,
"model": "point software secureplatform r71.30",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "linux lts amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"_id": null,
"model": "linux enterprise server sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "realpresence resource manager",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "fujitsu m10-4 server xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "2230"
},
{
"_id": null,
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "1.0.2"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.44"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0"
},
{
"_id": null,
"model": "point software secureplatform os r75.40vs",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "nexus series switches",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "70000"
},
{
"_id": null,
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.2.2"
},
{
"_id": null,
"model": "aura application enablement services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "big-ip wom hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "telepresence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "1000"
},
{
"_id": null,
"model": "onepk all-in-one vm",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "point software security gateway r77",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.5"
},
{
"_id": null,
"model": "point software secureplatform os r75.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip link controller hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "sun network 10ge switch 72p",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "prime network service controller",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "message networking sp4",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "xiv storage system a",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.4.1"
},
{
"_id": null,
"model": "ucs manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "infosphere guardium",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0"
},
{
"_id": null,
"model": "big-ip edge gateway hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "alienvault",
"scope": "eq",
"trust": 0.3,
"vendor": "alienvault",
"version": "4.12.1"
},
{
"_id": null,
"model": "fortirecorder",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "1.5"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.4"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "point software security gateway r75.40 vs",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "message networking sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "aura conferencing",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.0"
},
{
"_id": null,
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.4.1"
},
{
"_id": null,
"model": "prime data center network manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.1"
},
{
"_id": null,
"model": "unified communications manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.0"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.5.0.15"
},
{
"_id": null,
"model": "network performance analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "communication server 1000e signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.6"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2"
},
{
"_id": null,
"model": "ios-xe for asr903",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip webaccelerator hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)5.0"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.3.1"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.3.4"
},
{
"_id": null,
"model": "hunk",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.2"
},
{
"_id": null,
"model": "aura system manager sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "mobility software",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "6.4.3.0"
},
{
"_id": null,
"model": "ace series application control engine",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "47000"
},
{
"_id": null,
"model": "webex node",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "websphere datapower xc10 appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1"
},
{
"_id": null,
"model": "big-ip wom hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "nexus series switches",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50000"
},
{
"_id": null,
"model": "big-ip analytics 11.0.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "junos space",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "0"
},
{
"_id": null,
"model": "icewall sso dfw r2",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "8.0"
},
{
"_id": null,
"model": "agent desktop for cisco unified contact center express",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip afm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.3"
},
{
"_id": null,
"model": "one-x client enablement services sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "ios-xe for isr4400",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "point software gaia os r70.0",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2.1.0"
},
{
"_id": null,
"model": "point software gaia os r75.47",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "ip office server edition",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.2"
},
{
"_id": null,
"model": "qradar siem mr2 patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.18"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.7.3.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.6"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.6"
},
{
"_id": null,
"model": "big-ip asm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "unified communications manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "9.0"
},
{
"_id": null,
"model": "point software security gateway r77.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.1.0"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "one-x client enablement services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "message networking sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "communication server 1000m",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.6"
},
{
"_id": null,
"model": "cms r17 r3",
"scope": null,
"trust": 0.3,
"vendor": "avaya",
"version": null
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.2"
},
{
"_id": null,
"model": "workload deployer",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.17"
},
{
"_id": null,
"model": "big-ip analytics hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7220"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.3.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.16"
},
{
"_id": null,
"model": "big-ip analytics hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.2"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.1"
},
{
"_id": null,
"model": "puredata system for operational analytics a1791",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.0"
},
{
"_id": null,
"model": "sdn for virtual environments",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.3"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.4.12"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.13"
},
{
"_id": null,
"model": "hyper-scale manager virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "0"
},
{
"_id": null,
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "big-ip edge gateway hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.4"
},
{
"_id": null,
"model": "big-ip apm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.42"
},
{
"_id": null,
"model": "dcm series 9900-digital content manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.16"
},
{
"_id": null,
"model": "communication server 1000m signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.6"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.3.8.3"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.1"
},
{
"_id": null,
"model": "aura application server sip core pb5",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53003.0"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2.1.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.10"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "5"
},
{
"_id": null,
"model": "communication server 1000e",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.6"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.9"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.2.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "3.1.9"
},
{
"_id": null,
"model": "big-ip ltm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "uc phones",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "??vvx0"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.3.9.3"
},
{
"_id": null,
"model": "realpresence collaboration server hotfix",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "8.4.2"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.2.0"
},
{
"_id": null,
"model": "point software security gateway r75",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "point software secureplatform",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "2.60"
},
{
"_id": null,
"model": "point software security gateway r75.20",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "80"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.1"
},
{
"_id": null,
"model": "smartcloud provisioning",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1.0.1"
},
{
"_id": null,
"model": "aura application server sip core pb19",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.14"
},
{
"_id": null,
"model": "icewall sso dfw",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "8.0"
},
{
"_id": null,
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "security privileged identity manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.0"
},
{
"_id": null,
"model": "meeting exchange",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2"
},
{
"_id": null,
"model": "aura system manager sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "5.0"
},
{
"_id": null,
"model": "business server",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "1x8664"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "point software security gateway r71.45",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "80"
},
{
"_id": null,
"model": "point software security management r71.40",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.10"
},
{
"_id": null,
"model": "big-ip apm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.6.1"
},
{
"_id": null,
"model": "aura collaboration environment",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "2.0"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.1"
},
{
"_id": null,
"model": "point software secureplatform os r75",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "manycore platform software stack",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "3.2"
},
{
"_id": null,
"model": "ip office application server sp",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "9.01"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1.0"
},
{
"_id": null,
"model": "point software multi-domain management/provider-1",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.43"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.7"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.4"
},
{
"_id": null,
"model": "webex meeting center",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0"
},
{
"_id": null,
"model": "big-ip edge gateway 11.1.0-hf3",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "mds director",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "97060"
},
{
"_id": null,
"model": "big-ip asm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2.2"
},
{
"_id": null,
"model": "aura conferencing",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.2"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"_id": null,
"model": "sun network qdr infiniband gateway switch",
"scope": "ne",
"trust": 0.3,
"vendor": "oracle",
"version": "2.2.2"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "point software secureplatform os r77.10",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.1.1"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"_id": null,
"model": "qradar risk manager mr2 patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.18"
},
{
"_id": null,
"model": "hosted collaboration mediation fulfillment",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip link controller hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "mint",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "0"
},
{
"_id": null,
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0"
},
{
"_id": null,
"model": "big-ip ltm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "unified communications manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "10.00"
},
{
"_id": null,
"model": "application networking manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "fortivoice",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "3.0"
},
{
"_id": null,
"model": "standalone rack server cimc",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "socialminer",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.3"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "3"
},
{
"_id": null,
"model": "sparc enterprise m8000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1117"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.15"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.2.1"
},
{
"_id": null,
"model": "big-ip apm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "webex meetings server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.0"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2.1"
},
{
"_id": null,
"model": "aura communication manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.8"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.4"
},
{
"_id": null,
"model": "ascenlink",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "7.0"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.2.0"
},
{
"_id": null,
"model": "big-ip gtm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.3.2"
},
{
"_id": null,
"model": "sinumerik 808d",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "4.7"
},
{
"_id": null,
"model": "ruggedcom ape",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "14020"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.0"
},
{
"_id": null,
"model": "ace application control engine module ace20",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip link controller hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "point software security management r65.70",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.112"
},
{
"_id": null,
"model": "meetingplace",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": "ip office application server sp",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "9.02"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.15"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.1"
},
{
"_id": null,
"model": "helion application lifecycle service for linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "1.0.1.10"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.4"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.3"
},
{
"_id": null,
"model": "aura experience portal",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.2"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.8.1.0"
},
{
"_id": null,
"model": "security network protection",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
},
{
"_id": null,
"model": "matrix operating environment",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "0"
},
{
"_id": null,
"model": "big-ip wom hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "aura application server sip core pb3",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53003.0"
},
{
"_id": null,
"model": "point software secureplatform r75",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "nexus series fex",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "20000"
},
{
"_id": null,
"model": "telepresence sx series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"_id": null,
"model": "digital media player",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "44000"
},
{
"_id": null,
"model": "operation agent virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "11.13"
},
{
"_id": null,
"model": "communication server 1000m",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.4"
},
{
"_id": null,
"model": "content sharing suite client/server",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "5875"
},
{
"_id": null,
"model": "point software secureplatform os r75.40",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.7.9.0"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "aura application server sip core pb26",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.6.0"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.01"
},
{
"_id": null,
"model": "linux lts i386",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.3"
},
{
"_id": null,
"model": "ctp",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "0"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.2.1"
},
{
"_id": null,
"model": "sparc enterprise m3000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1117"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0"
},
{
"_id": null,
"model": "pureapplication system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "distributed media application",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "6.1.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.1.1"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.2.0"
},
{
"_id": null,
"model": "ios-xe for catalyst 3k",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "sparc enterprise m3000",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "big-ip asm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.2"
},
{
"_id": null,
"model": "qradar vulnerability manager patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.43"
},
{
"_id": null,
"model": "xiv storage system 10.2.4.e-6",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2810"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "7830"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.4"
},
{
"_id": null,
"model": "ace application control engine module ace10",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip analytics hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "6.1"
},
{
"_id": null,
"model": "aura presence services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "expressway series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "aura experience portal sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "big-ip gtm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.1"
},
{
"_id": null,
"model": "big-ip webaccelerator hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50100"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.2"
},
{
"_id": null,
"model": "hdx",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "3.1.7"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.3.0"
},
{
"_id": null,
"model": "telepresence recording server",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "point software secureplatform os r75.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "enterprise linux as",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "4"
},
{
"_id": null,
"model": "big-ip gtm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.0"
},
{
"_id": null,
"model": "aura presence services sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "big-ip link controller 11.1.0-hf3",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "prime infrastructure",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.2"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "8900"
},
{
"_id": null,
"model": "aura presence services sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.3"
},
{
"_id": null,
"model": "sparc enterprise m9000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1118"
},
{
"_id": null,
"model": "aura system manager sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "linux enterprise server sp4 ltss",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "10"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0.5"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.3"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.3.2"
},
{
"_id": null,
"model": "big-ip link controller hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.3"
},
{
"_id": null,
"model": "aura system manager sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "communications session border controller 7.2.0m4",
"scope": "ne",
"trust": 0.3,
"vendor": "oracle",
"version": null
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.2"
},
{
"_id": null,
"model": "fujitsu m10-4s server xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "2230"
},
{
"_id": null,
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "big-ip asm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.11"
},
{
"_id": null,
"model": "communication server 1000m signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "aura experience portal",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "linux enterprise desktop sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "fs1-2 flash storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.1"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.40"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.7.7.0"
},
{
"_id": null,
"model": "powervu d9190 conditional access manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "identity services engine",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.1"
},
{
"_id": null,
"model": "unified communications manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "8.0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.1"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1.0"
},
{
"_id": null,
"model": "communication server 1000e",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "glibc",
"scope": "ne",
"trust": 0.3,
"vendor": "gnu",
"version": "2.18"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.2"
},
{
"_id": null,
"model": "flex system ib6131 40gb infiniband switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.4.1110"
},
{
"_id": null,
"model": "webex meetings server base",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "2.5"
},
{
"_id": null,
"model": "point software vsx",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "0"
},
{
"_id": null,
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "12.3"
},
{
"_id": null,
"model": "aura session manager sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.115"
},
{
"_id": null,
"model": "connected grid routers",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip edge gateway 11.0.0-hf1",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "webex meetings server 2.0mr2",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.13"
},
{
"_id": null,
"model": "aura conferencing sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.0"
},
{
"_id": null,
"model": "ds8870",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"_id": null,
"model": "telepresence integrator c series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura presence services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.9"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.5"
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "2.2"
},
{
"_id": null,
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "operation agent virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "11.12"
},
{
"_id": null,
"model": "point software gaia os r75.40",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "ios-xe for csr1000v",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.10"
},
{
"_id": null,
"model": "point software gaia os r75.45",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.5"
},
{
"_id": null,
"model": "realpresence collaboration server",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "5865"
},
{
"_id": null,
"model": "workload deployer",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.11"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"_id": null,
"model": "mds multiplayer director",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "95130"
},
{
"_id": null,
"model": "point software security gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "0"
},
{
"_id": null,
"model": "big-ip apm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.1.2"
},
{
"_id": null,
"model": "enterprise manager 2.1.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "aura session manager sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "9302"
},
{
"_id": null,
"model": "smartcloud provisioning",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.13"
},
{
"_id": null,
"model": "big-ip analytics hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.1"
},
{
"_id": null,
"model": "security access manager for web",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.02"
},
{
"_id": null,
"model": "aura presence services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.1"
},
{
"_id": null,
"model": "ds8870",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"_id": null,
"model": "linux enterprise server sp1 ltss",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.0"
},
{
"_id": null,
"model": "ip office application server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "8.1"
},
{
"_id": null,
"model": "network analysis module",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "fortianalyzer",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "glibc",
"scope": "ne",
"trust": 0.3,
"vendor": "gnu",
"version": "2.19"
},
{
"_id": null,
"model": "big-ip asm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "point software secureplatform os r75.46",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "manycore platform software stack",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "3.3"
},
{
"_id": null,
"model": "qradar risk manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.4"
},
{
"_id": null,
"model": "ios-xe for catalyst 3k 4k",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": "point software secureplatform os r75.45",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "datapower gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.0.11"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "1.2"
},
{
"_id": null,
"model": "sun network qdr infiniband gateway switch",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "point software secureplatform r70.40",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "prime infrastructure",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "point software gaia os r75.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "4"
},
{
"_id": null,
"model": "big-ip link controller 11.1.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"_id": null,
"model": "point software gaia os r75.46",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.5"
},
{
"_id": null,
"model": "flex system en6131 40gb ethernet switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.4.1110"
},
{
"_id": null,
"model": "point software secureplatform os r75.30",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.4"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.2"
},
{
"_id": null,
"model": "real-time compression appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.8"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.1"
},
{
"_id": null,
"model": "big-ip webaccelerator hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.10"
},
{
"_id": null,
"model": "xiv storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.3.1"
},
{
"_id": null,
"model": "aura session manager sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "telepresence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "500-32"
},
{
"_id": null,
"model": "communications application session controller",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.7"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "6655"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.4.0"
},
{
"_id": null,
"model": "telepresence ex series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "wireless security gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.8"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "3.1.10"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.8"
},
{
"_id": null,
"model": "security identity manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"_id": null,
"model": "xiv storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.4"
},
{
"_id": null,
"model": "point software vsx r65.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "qradar risk manager patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.43"
},
{
"_id": null,
"model": "aura conferencing sp7",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.2"
},
{
"_id": null,
"model": "switch es1-24",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1.3"
},
{
"_id": null,
"model": "aura communication manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.0"
},
{
"_id": null,
"model": "alienvault",
"scope": "eq",
"trust": 0.3,
"vendor": "alienvault",
"version": "4.15"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.8"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.1"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "mds 9148s switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2.1.0.9"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "messagesight",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "aura application server sip core sp10",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53003.0"
},
{
"_id": null,
"model": "ios-xr for cisco network convergence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60000"
},
{
"_id": null,
"model": "big-ip apm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "xiv storage system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "281011.3"
},
{
"_id": null,
"model": "mobility software",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "6.4.0.0"
},
{
"_id": null,
"model": "digital media player",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "43100"
},
{
"_id": null,
"model": "ace application control engine",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "47000"
},
{
"_id": null,
"model": "colorqube",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "9301"
},
{
"_id": null,
"model": "aura application server sip core",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53003.0"
},
{
"_id": null,
"model": "aura application server sip core pb25",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "aura application server sip core sp10",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.4"
},
{
"_id": null,
"model": "operation agent virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "11.11"
},
{
"_id": null,
"model": "sun data center infiniband switch",
"scope": "ne",
"trust": 0.3,
"vendor": "oracle",
"version": "362.2.2"
},
{
"_id": null,
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.4"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)4.4"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.20"
},
{
"_id": null,
"model": "mds director",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "97100"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "36550"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6"
},
{
"_id": null,
"model": "aura experience portal",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.1"
},
{
"_id": null,
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.1"
},
{
"_id": null,
"model": "big-ip analytics hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "icewall sso dfw r3",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "8.0"
},
{
"_id": null,
"model": "videoscape conductor",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2.5"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.5"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"_id": null,
"model": "one-x client enablement services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.1"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.41"
},
{
"_id": null,
"model": "as infinity",
"scope": "eq",
"trust": 0.3,
"vendor": "pexip",
"version": "8"
},
{
"_id": null,
"model": "aura messaging",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1.0"
},
{
"_id": null,
"model": "big-ip asm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "websphere transformation extender",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.4.10"
},
{
"_id": null,
"model": "hdx",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "integrated lights out manager",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "3.2.3"
},
{
"_id": null,
"model": "big-ip ltm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "telepresence",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "13100"
},
{
"_id": null,
"model": "point software security management",
"scope": "eq",
"trust": 0.3,
"vendor": "check",
"version": "0"
},
{
"_id": null,
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0"
},
{
"_id": null,
"model": "point software secureplatform os r75.47",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.5"
},
{
"_id": null,
"model": "security network intrusion prevention system",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "aura system platform sp3",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "big-ip analytics hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "cms r17ac.g",
"scope": null,
"trust": 0.3,
"vendor": "avaya",
"version": null
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1"
},
{
"_id": null,
"model": "telepresence conductor",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "2.3"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.4.3.0"
},
{
"_id": null,
"model": "uc phones",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "??vvx5.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.2"
},
{
"_id": null,
"model": "d9036 modular encoding platform",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "smartcloud provisioning",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.12"
},
{
"_id": null,
"model": "mds multilayer director",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "95090"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "3.1.12"
},
{
"_id": null,
"model": "aura conferencing",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.0"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.5.2"
},
{
"_id": null,
"model": "qradar siem patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.43"
},
{
"_id": null,
"model": "real-time compression appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.1"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.32"
},
{
"_id": null,
"model": "content security appliance updater servers",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "aura system platform sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "qradar siem",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.3"
},
{
"_id": null,
"model": "point software gaia os r77.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip gtm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"_id": null,
"model": "sparc enterprise m4000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1117"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11.3"
},
{
"_id": null,
"model": "multicast manager",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "point software security management r75.20",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip ltm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "websphere cast iron cloud integration",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.0.1"
},
{
"_id": null,
"model": "big-ip apm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"_id": null,
"model": "big-ip wom hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.5"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "traffix-sdc",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.3.2"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.1"
},
{
"_id": null,
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.5"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.2.3"
},
{
"_id": null,
"model": "unified communications manager session management edition",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "one-x client enablement services sp2",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "linux",
"scope": null,
"trust": 0.3,
"vendor": "gentoo",
"version": null
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.2.1"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"_id": null,
"model": "operations analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.1"
},
{
"_id": null,
"model": "big-ip analytics hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "point software secureplatform os r77",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "aura communication manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.1"
},
{
"_id": null,
"model": "security privileged identity manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.0.1"
},
{
"_id": null,
"model": "sparc enterprise m8000",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "security identity governance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.1"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "forticache",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "qradar risk manager mr2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"_id": null,
"model": "message networking",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "5.2.4"
},
{
"_id": null,
"model": "virtualization performance viewer",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "2.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.14"
},
{
"_id": null,
"model": "cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "splunk",
"version": "0"
},
{
"_id": null,
"model": "aura system platform",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.0.1"
},
{
"_id": null,
"model": "virtual security gateway for microsoft hyper-v",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "systems director storage control",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.3.0"
},
{
"_id": null,
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "fortiwan",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.12"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"_id": null,
"model": "communication server 1000e signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.5"
},
{
"_id": null,
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.0.9.8"
},
{
"_id": null,
"model": "scale out network attached storage",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.5.1"
},
{
"_id": null,
"model": "workload deployer",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.12"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "5"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.3"
},
{
"_id": null,
"model": "prime service catalog virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "aura application server sip core pb16",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.0"
},
{
"_id": null,
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.1"
},
{
"_id": null,
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.5"
},
{
"_id": null,
"model": "unified contact center express",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "mds fiber channel switch",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.2"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3"
},
{
"_id": null,
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.37"
},
{
"_id": null,
"model": "video border proxy",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "11.2.22"
},
{
"_id": null,
"model": "fujitsu m10-1 server xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "2230"
},
{
"_id": null,
"model": "content sharing suite client/server",
"scope": "ne",
"trust": 0.3,
"vendor": "polycom",
"version": "1.5"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0.00"
},
{
"_id": null,
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "point software security gateway r75.47",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "big-ip link controller hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"_id": null,
"model": "workcentre",
"scope": "eq",
"trust": 0.3,
"vendor": "xerox",
"version": "79700"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.3"
},
{
"_id": null,
"model": "big-ip gtm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "telepresence system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "1100"
},
{
"_id": null,
"model": "ip office application server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "9.0"
},
{
"_id": null,
"model": "fortirecorder",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "1.4.2"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2.1"
},
{
"_id": null,
"model": "aura conferencing sp6",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.2"
},
{
"_id": null,
"model": "sparc enterprise m8000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1118"
},
{
"_id": null,
"model": "security access manager for mobile",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.21"
},
{
"_id": null,
"model": "evergreen",
"scope": "eq",
"trust": 0.3,
"vendor": "opensuse",
"version": "11.4"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.3.5"
},
{
"_id": null,
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.5"
},
{
"_id": null,
"model": "intercloud fabric",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "qradar incident forensics patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.41"
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.1.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.11.1"
},
{
"_id": null,
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"_id": null,
"model": "telepresence mx series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "systems director",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.3.0.0"
},
{
"_id": null,
"model": "fortiddos",
"scope": "eq",
"trust": 0.3,
"vendor": "fortinet",
"version": "0"
},
{
"_id": null,
"model": "session border controller for enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.0"
},
{
"_id": null,
"model": "communication server 1000m",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.5"
},
{
"_id": null,
"model": "communication server 1000e signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.0"
},
{
"_id": null,
"model": "aura communication manager utility services",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.9"
},
{
"_id": null,
"model": "point software security gateway r71.00",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.1"
},
{
"_id": null,
"model": "proactive contact",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "4.0.1"
},
{
"_id": null,
"model": "aura messaging sp4",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.2"
},
{
"_id": null,
"model": "telepresence profile series",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip pem hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"_id": null,
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.7"
},
{
"_id": null,
"model": "big-ip edge gateway hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"_id": null,
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"_id": null,
"model": "distributed media application",
"scope": "eq",
"trust": 0.3,
"vendor": "polycom",
"version": "0"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"_id": null,
"model": "aura session manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.1.7"
},
{
"_id": null,
"model": "communication server 1000m signaling server",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.5"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.1.4"
},
{
"_id": null,
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.6"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.5.1"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.7"
},
{
"_id": null,
"model": "slim",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "big-ip edge gateway hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"_id": null,
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.6.0"
},
{
"_id": null,
"model": "aura system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "6.3.4"
},
{
"_id": null,
"model": "aura application server sip core",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "53002.1"
},
{
"_id": null,
"model": "point software gaia os r75.30",
"scope": null,
"trust": 0.3,
"vendor": "check",
"version": null
},
{
"_id": null,
"model": "communication server 1000e",
"scope": "eq",
"trust": 0.3,
"vendor": "avaya",
"version": "7.5"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.1"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "2.8"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "4.0.5"
},
{
"_id": null,
"model": "simatic hmi panels",
"scope": "eq",
"trust": 0.3,
"vendor": "siemens",
"version": "0"
},
{
"_id": null,
"model": "sparc enterprise m3000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1118"
},
{
"_id": null,
"model": "thinpro linux",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "(x86)5.1"
},
{
"_id": null,
"model": "cloud object store",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"_id": null,
"model": "sparc enterprise m5000 xcp",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "1117"
},
{
"_id": null,
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"_id": null,
"model": "qradar siem mr2 patch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.19"
},
{
"_id": null,
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0"
},
{
"_id": null,
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.9"
},
{
"_id": null,
"model": "linux enterprise server sp2 ltss",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "110"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "BID",
"id": "72325"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "NVD",
"id": "CVE-2015-0235"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:canonical:ubuntu_linux",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:debian:debian_linux",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fedoraproject:fedora",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:gnu:eglibc",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:suse:linux_enterprise_server",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
}
]
},
"credits": {
"_id": null,
"data": "Qualys",
"sources": [
{
"db": "BID",
"id": "72325"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
}
],
"trust": 0.9
},
"cve": "CVE-2015-0235",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2015-0235",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"availabilityRequirement": "NOT DEFINED",
"baseScore": 10.0,
"collateralDamagePotential": "NOT DEFINED",
"confidentialityImpact": "COMPLETE",
"confidentialityRequirement": "NOT DEFINED",
"enviromentalScore": 5.9,
"exploitability": "PROOF-OF-CONCEPT",
"exploitabilityScore": 10.0,
"id": "CVE-2015-0235",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"integrityRequirement": "NOT DEFINED",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"remediationLevel": "OFFICIAL FIX",
"reportConfidence": "CONFIRMED",
"severity": "HIGH",
"targetDistribution": "MEDIUM",
"trust": 0.8,
"userInteractionRequired": null,
"vector_string": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2015-0235",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-78181",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2015-0235",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2015-0235",
"trust": 1.6,
"value": "HIGH"
},
{
"author": "nvd@nist.gov",
"id": "CVE-2015-0235",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201501-658",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-78181",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "VULHUB",
"id": "VHN-78181"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "NVD",
"id": "CVE-2015-0235"
}
]
},
"description": {
"_id": null,
"data": "Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka \"GHOST.\". This vulnerability has been assigned CVE-2015-0235, and is referred to in the media by the name \"GHOST\". The eglibc package contains a classic buffer overflow vulnerability. A denial-of-service (DoS) condition may result. GNU glibc is prone to a heap-based buffer-overflow vulnerability. \nAn attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts may crash the application, denying service to legitimate users. \nCVE-ID\nCVE-2015-7023 : Marvin Scholz; Xiaofeng Zheng and Jinjin Liang of\nTsinghua University, Jian Jiang of University of California,\nBerkeley, Haixin Duan of Tsinghua University and International\nComputer Science Institute, Shuo Chen of Microsoft Research Redmond,\nTao Wan of Huawei Canada, Nicholas Weaver of International Computer\nScience Institute and University of California, Berkeley, coordinated\nvia CERT/CC\n\nconfigd\nAvailable for: OS X El Capitan 10.11\nImpact: A malicious application may be able to elevate privileges\nDescription: A heap based buffer overflow issue existed in the DNS\nclient library. A malicious application with the ability to spoof\nresponses from the local configd service may have been able to cause\narbitrary code execution in DNS clients. \nCVE-ID\nCVE-2015-6994 : Mark Mentovai of Google Inc. A developer-signed app could bypass restrictions on\nuse of restricted entitlements and elevate privileges. These\nissues were addressed by using patches affecting OS X from upstream. This was addressed by disabling synthetic\nclicks for keychain access windows. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2015-09-30-3 OS X El Capitan 10.11\n\nOS X El Capitan 10.11 is now available and addresses the following:\n\nAddress Book\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to inject arbitrary code to\nprocesses loading the Address Book framework\nDescription: An issue existed in Address Book framework\u0027s handling\nof an environment variable. This issue was addressed through improved\nenvironment variable handling. \nCVE-ID\nCVE-2015-5897 : Dan Bastone of Gotham Digital Science\n\nAirScan\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker with a privileged network position may be able\nto extract payload from eSCL packets sent over a secure connection\nDescription: An issue existed in the processing of eSCL packets. \nThis issue was addressed through improved validation checks. \nCVE-ID\nCVE-2015-5853 : an anonymous researcher\n\napache_mod_php\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in PHP\nDescription: Multiple vulnerabilities existed in PHP versions prior\nto 5.5.27, including one which may have led to remote code execution. \nThis issue was addressed by updating PHP to version 5.5.27. \nCVE-ID\nCVE-2014-9425\nCVE-2014-9427\nCVE-2014-9652\nCVE-2014-9705\nCVE-2014-9709\nCVE-2015-0231\nCVE-2015-0232\nCVE-2015-0235\nCVE-2015-0273\nCVE-2015-1351\nCVE-2015-1352\nCVE-2015-2301\nCVE-2015-2305\nCVE-2015-2331\nCVE-2015-2348\nCVE-2015-2783\nCVE-2015-2787\nCVE-2015-3329\nCVE-2015-3330\n\nApple Online Store Kit\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may gain access to a user\u0027s keychain\nitems\nDescription: An issue existed in validation of access control lists\nfor iCloud keychain items. This issue was addressed through improved\naccess control list checks. 
\nCVE-ID\nCVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of\nIndiana University, Tongxin Li of Peking University, Tongxin Li of\nPeking University, Xiaolong Bai of Tsinghua University\n\nAppleEvents\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A user connected through screen sharing can send Apple\nEvents to a local user\u0027s session\nDescription: An issue existed with Apple Event filtering that\nallowed some users to send events to other users. This was addressed\nby improved Apple Event handling. \nCVE-ID\nCVE-2015-5849 : Jack Lawrence (@_jackhl)\n\nAudio\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Playing a malicious audio file may lead to an unexpected\napplication termination\nDescription: A memory corruption issue existed in the handling of\naudio files. This issue issue was addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:\nProf. Taekyoung Kwon), Yonsei University, Seoul, Korea\n\nbash\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in bash\nDescription: Multiple vulnerabilities existed in bash versions prior\nto 3.2 patch level 57. These issues were addressed by updating bash\nversion 3.2 to patch level 57. \nCVE-ID\nCVE-2014-6277\nCVE-2014-7186\nCVE-2014-7187\n\nCertificate Trust Policy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Update to the certificate trust policy\nDescription: The certificate trust policy was updated. The complete\nlist of certificates may be viewed at https://support.apple.com/en-\nus/HT202858. \n\nCFNetwork Cookies\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a privileged network position can track a\nuser\u0027s activity\nDescription: A cross-domain cookie issue existed in the handling of\ntop level domains. The issue was address through improved\nrestrictions of cookie creation. 
\nCVE-ID\nCVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork FTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Malicious FTP servers may be able to cause the client to\nperform reconnaissance on other hosts\nDescription: An issue existed in the handling of FTP packets when\nusing the PASV command. This issue was resolved through improved\nvalidation. \nCVE-ID\nCVE-2015-5912 : Amit Klein\n\nCFNetwork HTTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A maliciously crafted URL may be able to bypass HSTS and\nleak sensitive data\nDescription: A URL parsing vulnerability existed in HSTS handling. \nThis issue was addressed through improved URL parsing. \nCVE-ID\nCVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork HTTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious website may be able to track users in Safari\nprivate browsing mode\nDescription: An issue existed in the handling of HSTS state in\nSafari private browsing mode. This issue was addressed through\nimproved state handling. \nCVE-ID\nCVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd\n\nCFNetwork Proxies\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Connecting to a malicious web proxy may set malicious\ncookies for a website\nDescription: An issue existed in the handling of proxy connect\nresponses. This issue was addressed by removing the set-cookie header\nwhile parsing the connect response. \nCVE-ID\nCVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork SSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker with a privileged network position may intercept\nSSL/TLS connections\nDescription: A certificate validation issue existed in NSURL when a\ncertificate changed. This issue was addressed through improved\ncertificate validation. \nCVE-ID\nCVE-2015-5824 : Timothy J. 
Wood of The Omni Group\n\nCFNetwork SSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to decrypt data protected by SSL\nDescription: There are known attacks on the confidentiality of RC4. \nAn attacker could force the use of RC4, even if the server preferred\nbetter ciphers, by blocking TLS 1.0 and higher connections until\nCFNetwork tried SSL 3.0, which only allows RC4. This issue was\naddressed by removing the fallback to SSL 3.0. \n\nCoreCrypto\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to determine a private key\nDescription: By observing many signing or decryption attempts, an\nattacker may have been able to determine the RSA private key. This\nissue was addressed using improved encryption algorithms. \n\nCoreText\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: A memory corruption issue existed in the processing of\nfont files. This issue was addressed through improved input\nvalidation. \nCVE-ID\nCVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team\n\nDev Tools\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to execute arbitrary\ncode with system privileges\nDescription: A memory corruption issue existed in dyld. This was\naddressed through improved memory handling. \nCVE-ID\nCVE-2015-5876 : beist of grayhash\n\nDev Tools\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An application may be able to bypass code signing\nDescription: An issue existed with validation of the code signature\nof executables. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2015-5839 : @PanguTeam\n\nDisk Images\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue existed in DiskImages. 
This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5847 : Filippo Bigarella, Luca Todesco\n\ndyld\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An application may be able to bypass code signing\nDescription: An issue existed with validation of the code signature\nof executables. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2015-5839 : TaiG Jailbreak Team\n\nEFI\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application can prevent some systems from\nbooting\nDescription: An issue existed with the addresses covered by the\nprotected range register. This issue was fixed by changing the\nprotected range. \nCVE-ID\nCVE-2015-5900 : Xeno Kovah \u0026 Corey Kallenberg from LegbaCore\n\nEFI\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious Apple Ethernet Thunderbolt adapter may be able\nto affect firmware flashing\nDescription: Apple Ethernet Thunderbolt adapters could modify the\nhost firmware if connected during an EFI update. This issue was\naddressed by not loading option ROMs during updates. \nCVE-ID\nCVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare\n\nFinder\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The \"Secure Empty Trash\" feature may not securely delete\nfiles placed in the Trash\nDescription: An issue existed in guaranteeing secure deletion of\nTrash files on some systems, such as those with flash storage. This\nissue was addressed by removing the \"Secure Empty Trash\" option. \nCVE-ID\nCVE-2015-5901 : Apple\n\nGame Center\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious Game Center application may be able to access a\nplayer\u0027s email address\nDescription: An issue existed in Game Center in the handling of a\nplayer\u0027s email. This issue was addressed through improved access\nrestrictions. 
\nCVE-ID\nCVE-2015-5855 : Nasser Alnasser\n\nHeimdal\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to replay Kerberos credentials to\nthe SMB server\nDescription: An authentication issue existed in Kerberos\ncredentials. This issue was addressed through additional validation\nof credentials using a list of recently seen credentials. \nCVE-ID\nCVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu\nFan of Microsoft Corporation, China\n\nICU\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in ICU\nDescription: Multiple vulnerabilities existed in ICU versions prior\nto 53.1.0. These issues were addressed by updating ICU to version\n55.1. \nCVE-ID\nCVE-2014-8146\nCVE-2014-8147\nCVE-2015-5922\n\nInstall Framework Legacy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to gain root privileges\nDescription: A restriction issue existed in the Install private\nframework containing a privileged executable. This issue was\naddressed by removing the executable. \nCVE-ID\nCVE-2015-5888 : Apple\n\nIntel Graphics Driver\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nsystem privileges\nDescription: Multiple memory corruption issues existed in the Intel\nGraphics Driver. These issues were addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5830 : Yuki MIZUNO (@mzyy94)\nCVE-2015-5877 : Camillus Gerard Cai\n\nIOAudioFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in IOAudioFamily that led to the\ndisclosure of kernel memory content. This issue was addressed by\npermuting kernel pointers. 
\nCVE-ID\nCVE-2015-5864 : Luca Todesco\n\nIOGraphics\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues existed in the\nkernel. These issues were addressed through improved memory handling. \nCVE-ID\nCVE-2015-5871 : Ilja van Sprundel of IOActive\nCVE-2015-5872 : Ilja van Sprundel of IOActive\nCVE-2015-5873 : Ilja van Sprundel of IOActive\nCVE-2015-5890 : Ilja van Sprundel of IOActive\n\nIOGraphics\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An issue existed in IOGraphics which could have led to\nthe disclosure of kernel memory layout. This issue was addressed\nthrough improved memory management. \nCVE-ID\nCVE-2015-5865 : Luca Todesco\n\nIOHIDFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to execute arbitrary\ncode with system privileges\nDescription: Multiple memory corruption issues existed in\nIOHIDFamily. These issues were addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5866 : Apple\nCVE-2015-5867 : moony li of Trend Micro\n\nIOStorageFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to read kernel memory\nDescription: A memory initialization issue existed in the kernel. \nThis issue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5863 : Ilja van Sprundel of IOActive\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues existed in the\nKernel. These issues were addressed through improved memory handling. 
\nCVE-ID\nCVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team\nCVE-2015-5896 : Maxime Villard of m00nbsd\nCVE-2015-5903 : CESG\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local process can modify other processes without\nentitlement checks\nDescription: An issue existed where root processes using the\nprocessor_set_tasks API were allowed to retrieve the task ports of\nother processes. This issue was addressed through additional\nentitlement checks. \nCVE-ID\nCVE-2015-5882 : Pedro Vilaca, working from original research by\nMing-chieh Pan and Sung-ting Tsai; Jonathan Levin\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may control the value of stack cookies\nDescription: Multiple weaknesses existed in the generation of user\nspace stack cookies. These issues were addressed through improved\ngeneration of stack cookies. \nCVE-ID\nCVE-2013-3951 : Stefan Esser\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to launch denial of service attacks\non targeted TCP connections without knowing the correct sequence\nnumber\nDescription: An issue existed in xnu\u0027s validation of TCP packet\nheaders. This issue was addressed through improved TCP packet header\nvalidation. \nCVE-ID\nCVE-2015-5879 : Jonathan Looney\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a local LAN segment may disable IPv6 routing\nDescription: An insufficient validation issue existed in the\nhandling of IPv6 router advertisements that allowed an attacker to\nset the hop limit to an arbitrary value. This issue was addressed by\nenforcing a minimum hop limit. \nCVE-ID\nCVE-2015-5869 : Dennis Spindel Ljungmark\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed that led to the disclosure of kernel\nmemory layout. 
This was addressed through improved initialization of\nkernel memory structures. \nCVE-ID\nCVE-2015-5842 : beist of grayhash\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in debugging interfaces that led to\nthe disclosure of memory content. This issue was addressed by\nsanitizing output from debugging interfaces. \nCVE-ID\nCVE-2015-5870 : Apple\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to cause a system denial of service\nDescription: A state management issue existed in debugging\nfunctionality. This issue was addressed through improved validation. \nCVE-ID\nCVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team\n\nlibc\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse\nCorporation\n\nlibpthread\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team\n\nlibxpc\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Many SSH connections could cause a denial of service\nDescription: launchd had no limit on the number of processes that\ncould be started by a network connection. This issue was addressed by\nlimiting the number of SSH processes to 40. \nCVE-ID\nCVE-2015-5881 : Apple\n\nLogin Window\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The screen lock may not engage after the specified time\nperiod\nDescription: An issue existed with captured display locking. 
The\nissue was addressed through improved lock handling. \nCVE-ID\nCVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau\ninformationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni\nVaahtera, and an anonymous researcher\n\nlukemftpd\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A remote attacker may be able to deny service to the FTP\nserver\nDescription: A glob-processing issue existed in tnftpd. This issue\nwas addressed through improved glob validation. \nCVE-ID\nCVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com\n\nMail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Printing an email may leak sensitive user information\nDescription: An issue existed in Mail which bypassed user\npreferences when printing an email. This issue was addressed through\nimproved user preference enforcement. \nCVE-ID\nCVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya,\nDennis Klein from Eschenburg, Germany, Jeff Hammett of Systim\nTechnology Partners\n\nMail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a privileged network position may be able to\nintercept attachments of S/MIME-encrypted e-mail sent via Mail Drop\nDescription: An issue existed in handling encryption parameters for\nlarge email attachments sent via Mail Drop. The issue is addressed by\nno longer offering Mail Drop when sending an encrypted e-mail. \nCVE-ID\nCVE-2015-5884 : John McCombs of Integrated Mapping Ltd\n\nMultipeer Connectivity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to observe unprotected\nmultipeer data\nDescription: An issue existed in convenience initializer handling in\nwhich encryption could be actively downgraded to a non-encrypted\nsession. This issue was addressed by changing the convenience\ninitializer to require encryption. 
\nCVE-ID\nCVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem\n\nNetworkExtension\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An uninitialized memory issue in the kernel led to the\ndisclosure of kernel memory content. This issue was addressed through\nimproved memory initialization. \nCVE-ID\nCVE-2015-5831 : Maxime Villard of m00nbsd\n\nNotes\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to leak sensitive user information\nDescription: An issue existed in parsing links in the Notes\napplication. This issue was addressed through improved input\nvalidation. \nCVE-ID\nCVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher\n\nNotes\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to leak sensitive user information\nDescription: A cross-site scripting issue existed in parsing text by\nthe Notes application. This issue was addressed through improved\ninput validation. \nCVE-ID\nCVE-2015-5875 : xisigr of Tencent\u0027s Xuanwu LAB (www.tencent.com)\n\nOpenSSH\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in OpenSSH\nDescription: Multiple vulnerabilities existed in OpenSSH versions\nprior to 6.9. These issues were addressed by updating OpenSSH to\nversion 6.9. \nCVE-ID\nCVE-2014-2532\n\nOpenSSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in OpenSSL\nDescription: Multiple vulnerabilities existed in OpenSSL versions\nprior to 0.9.8zg. These were addressed by updating OpenSSL to version\n0.9.8zg. \nCVE-ID\nCVE-2015-0286\nCVE-2015-0287\n\nprocmail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in procmail\nDescription: Multiple vulnerabilities existed in procmail versions\nprior to 3.22. These issues were addressed by removing procmail. 
\nCVE-ID\nCVE-2014-3618\n\nremote_cmds\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with root\nprivileges\nDescription: An issue existed in the usage of environment variables\nby the rsh binary. This issue was addressed by dropping setuid\nprivileges from the rsh binary. \nCVE-ID\nCVE-2015-5889 : Philip Pettersson\n\nremovefile\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Processing malicious data may lead to unexpected application\ntermination\nDescription: An overflow fault existed in the checkint division\nroutines. This issue was addressed with improved division routines. \nCVE-ID\nCVE-2015-5840 : an anonymous researcher\n\nRuby\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in Ruby\nDescription: Multiple vulnerabilities existed in Ruby versions prior\nto 2.0.0p645. These were addressed by updating Ruby to version\n2.0.0p645. \nCVE-ID\nCVE-2014-8080\nCVE-2014-8090\nCVE-2015-1855\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The lock state of the keychain may be incorrectly displayed\nto the user\nDescription: A state management issue existed in the way keychain\nlock status was tracked. This issue was addressed through improved\nstate management. \nCVE-ID\nCVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron,\nEric E. Lawrence, Apple\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A trust evaluation configured to require revocation checking\nmay succeed even if revocation checking fails\nDescription: The kSecRevocationRequirePositiveResponse flag was\nspecified but not implemented. This issue was addressed by\nimplementing the flag. 
\nCVE-ID\nCVE-2015-5894 : Hannes Oud of kWallet GmbH\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A remote server may prompt for a certificate before\nidentifying itself\nDescription: Secure Transport accepted the CertificateRequest\nmessage before the ServerKeyExchange message. This issue was\naddressed by requiring the ServerKeyExchange first. \nCVE-ID\nCVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine\nDelignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of\nINRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of\nMicrosoft Research, Pierre-Yves Strub of IMDEA Software Institute\n\nSMB\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5891 : Ilja van Sprundel of IOActive\n\nSMB\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in SMBClient that led to the\ndisclosure of kernel memory content. This issue was addressed through\nimproved bounds checking. \nCVE-ID\nCVE-2015-5893 : Ilja van Sprundel of IOActive\n\nSQLite\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in SQLite v3.8.5\nDescription: Multiple vulnerabilities existed in SQLite v3.8.5. \nThese issues were addressed by updating SQLite to version 3.8.10.2. \nCVE-ID\nCVE-2015-3414\nCVE-2015-3415\nCVE-2015-3416\n\nTelephony\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker can place phone calls without the user\u0027s\nknowledge when using Continuity\nDescription: An issue existed in the authorization checks for\nplacing phone calls. This issue was addressed through improved\nauthorization checks. 
\nCVE-ID\nCVE-2015-3785 : Dan Bastone of Gotham Digital Science\n\nTerminal\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Maliciously crafted text could mislead the user in Terminal\nDescription: Terminal did not handle bidirectional override\ncharacters in the same way when displaying text and when selecting\ntext. This issue was addressed by suppressing bidirectional override\ncharacters in Terminal. \nCVE-ID\nCVE-2015-5883 : an anonymous researcher\n\ntidy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Visiting a maliciously crafted website may lead to arbitrary\ncode execution\nDescription: Multiple memory corruption issues existed in tidy. \nThese issues were addressed through improved memory handling. \nCVE-ID\nCVE-2015-5522 : Fernando Munoz of NULLGroup.com\nCVE-2015-5523 : Fernando Munoz of NULLGroup.com\n\nTime Machine\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may gain access to keychain items\nDescription: An issue existed in backups by the Time Machine\nframework. This issue was addressed through improved coverage of Time\nMachine backups. \nCVE-ID\nCVE-2015-5854 : Jonas Magazinius of Assured AB\n\nNote: OS X El Capitan 10.11 includes the security content of\nSafari 9: https://support.apple.com/kb/HT205265. 
\n\nOS X El Capitan 10.11 may be obtained from the Mac App Store:\nhttp://www.apple.com/support/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - http://gpgtools.org\n\niQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw\nS5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO\n/hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6\nQhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54\nYJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop\nhpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O\nc3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR\n8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r\nN1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT\nfJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1\nnJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e\ng6jld/w5tPuCFhGucE7Z\n=XciV\n-----END PGP SIGNATURE-----\n. Independently operating for three\ngenerations, WAGO is the global leader of spring pressure electrical\ninterconnect and automation solutions. For more than 60 years, WAGO has\ndeveloped and produced innovative products for packaging, transportation,\nprocess, industrial and building automation markets amongst others. Aside from\nits innovations in spring pressure connection technology, WAGO has introduced\nnumerous innovations that have revolutionized industry. \nFurthermore, hardcoded password hashes and credentials were also found by doing\nan automated scan with IoT Inspector. The validity of the password hashes and the embedded keys were\nalso verified by emulating the device. The outdated version was found by IoT Inspector. 
The outdated version was found by IoT Inspector. \n\n3) Hardcoded Credentials (CVE-2019-12550)\nThe device contains hardcoded users and passwords which can be used to log in\nvia SSH and Telnet. \n\n4) Embedded Private Keys (CVE-2019-12549)\nThe device contains hardcoded private keys for the SSH daemon. The fingerprint\nof the SSH host key from the corresponding SSH daemon matches the embedded\nprivate key. A file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created\nto trigger the vulnerability. \n\n\n3) Hardcoded Credentials (CVE-2019-12550)\nThe following credentials were found in the \u0027passwd\u0027 file of the firmware:\n\u003cPassword Hash\u003e \u003cPlaintext\u003e \u003cUser\u003e\n\u003cremoved\u003e \u003cremoved\u003e root\nNo password is set for the account [EMPTY PASSWORD] admin\n\nBy using these credentials, it\u0027s possible to connect via Telnet and SSH on the\nemulated device. Example for Telnet:\n-------------------------------------------------------------------------------\n[root@localhost ~]# telnet 192.168.0.133\nTrying 192.168.0.133... \nConnected to 192.168.0.133. \nEscape character is \u0027^]\u0027. \n\nL2SWITCH login: root\nPassword:\n~ #\n-------------------------------------------------------------------------------\nExample for SSH:\n-------------------------------------------------------------------------------\n[root@localhost ~]# ssh 192.168.0.133\nroot@192.168.0.133\u0027s password:\n~ #\n-------------------------------------------------------------------------------\n\n\n4) Embedded Private Keys (CVE-2019-12549)\nThe following host key fingerprint is shown by accessing the SSH daemon on\nthe emulated device:\n\n[root@localhost ~]# ssh 192.168.0.133\nThe authenticity of host \u0027192.168.0.133 (192.168.0.133)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. \nRSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2. 
\n\nThis matches the embedded private key (which has been removed from this advisory):\nSSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2\n\n\nVulnerable / tested versions:\n-----------------------------\nAccording to the vendor, the following versions are affected:\n* 852-303: \u003cv1.2.2.S0\n* 852-1305: \u003cv1.1.6.S0\n* 852-1505: \u003cv1.1.5.S0\n\n\nVendor contact timeline:\n------------------------\n2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation\n2019-03-26: Asking for a status update, VDE CERT is still waiting for details\n2019-03-28: VDE CERT requests information from WAGO again\n2019-04-09: Asking for a status update\n2019-04-11: VDE CERT: patched firmware release planned for end of May, requested\n postponement of advisory release\n2019-04-16: VDE CERT: update regarding affected firmware versions\n2019-04-24: Confirming advisory release for beginning of June\n2019-05-20: Asking for a status update\n2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date\n2019-05-29: Asking for a status update\n2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published\n on 7th June, SEC Consult proposes new advisory release date for\n 12th June\n2019-06-07: VDE CERT provides security advisory information from WAGO;\n WAGO releases security patches\n2019-06-12: Coordinated release of security advisory\n\n\nSolution:\n---------\nThe vendor provides patches to their customers at their download page. The\nfollowing versions fix the issues:\n* 852-303: v1.2.2.S0\n* 852-1305: v1.1.6.S0\n* 852-1505: v1.1.5.S0\n\nAccording to the vendor, busybox and glibc have been updated and the embedded\nprivate keys are being newly generated upon first boot and after a factory reset. \nThe root login via Telnet and SSH has been disabled and the admin account is\ndocumented and can be changed by the customer. \n\n\n\nWorkaround:\n-----------\nRestrict network access to the device \u0026 SSH server. Weber / @2019\n\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\ndocDisplay?docId=emr_na-c04602055\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c04602055\nVersion: 1\n\nHPSBHF03289 rev.1- HP ThinClient PCs running ThinPro Linux, Remote Code\nExecution, Denial of Service, Disclosure of information\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2015-03-20\nLast Updated: 2015-03-20\n\nPotential Security Impact: Remote code execution, denial of service,\ndisclosure of information\n\nSource: Hewlett-Packard Company, HP Software Security Response Team\n\nVULNERABILITY SUMMARY\nA potential security vulnerability has been identified with HP ThinPro Linux\nThis is the glibc vulnerability known as \"GHOST\", which could be exploited\nremotely to allow execution of arbitrary code. This update also addresses\nother vulnerabilities in SSL that would remotely allow denial of service,\ndisclosure of information and other vulnerabilities. \n\nReferences:\n\nCVE-2015-0235 (SSRT101953)\nCVE-2014-3569\nCVE-2014-3570\nCVE-2014-3571\nCVE-2014-3572\nCVE-2014-8275\nCVE-2015-0204\nCVE-2015-0205\nCVE-2015-0206\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 
\n\nHP ThinPro Linux (x86) v5.1\nHP ThinPro Linux (x86) v5.0\nHP ThinPro Linux (x86) v4.4\nHP ThinPro Linux (x86) v4.3\nHP ThinPro Linux (x86) v4.2\nHP ThinPro Linux (x86) v4.1\nHP ThinPro Linux (ARM) v4.4\nHP ThinPro Linux (ARM) v4.3\nHP ThinPro Linux (ARM) v4.2\nHP ThinPro Linux (ARM) v4.1\n\nBACKGROUND\n\nCVSS 2.0 Base Metrics\n===========================================================\n Reference Base Vector Base Score\nCVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\nCVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\nCVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\nCVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\nCVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\nCVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\nCVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0\nCVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\nCVE-2015-0235 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\n===========================================================\n Information on CVSS is documented\n in HP Customer Notice: HPSN-2008-002\n\nRESOLUTION\n\nHP has released the following software updates to resolve the vulnerability\nfor HP ThinPro Linux. 
\n\nSoftpaq:\nhttp://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe\n\nEasy Update Via ThinPro / EasyUpdate (x86):\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-\n4.1-4.3-x86.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-\n4.1-4.3-x86.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-\n4.1-4.3-x86.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-\n4.4-x86.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-\n5.0-5.1-x86.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-\n5.0-5.1-x86.xar\n\nVia ThinPro / EasyUpdate (ARM):\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-\n4.1-4.3-armel.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-\n4.1-4.3-armel.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-\n4.1-4.3-armel.xar\n\nhttp://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-\n4.4-armel.xar\n\nNote: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch\napplied, VMware cannot connect if security level is set to \"Refuse insecure\nconnections\". Updating VMware to the latest package on ftp.hp.com will solve\nthe problem. \n\nHISTORY\nVersion:1 (rev.1) - 20 March 2015 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running HP software products should be applied in\naccordance with the customer\u0027s patch management policy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HP Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com. 
\n\nReport: To report a potential security vulnerability with any HP supported\nproduct, send Email to: security-alert@hp.com\n\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\nalerts via Email:\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HP General Software\nHF = HP Hardware and Firmware\nMP = MPE/iX\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPI = Printing and Imaging\nPV = ProCurve\nST = Storage Software\nTU = Tru64 UNIX\nUX = HP-UX\n\nCopyright 2015 Hewlett-Packard Development Company, L.P. \nHewlett-Packard Company shall not be liable for technical or editorial errors\nor omissions contained herein. The information provided is provided \"as is\"\nwithout warranty of any kind. To the extent permitted by law, neither HP or\nits affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. \nHewlett-Packard Company and the names of Hewlett-Packard products referenced\nherein are trademarks of Hewlett-Packard Company in the United States and\nother countries. Other product and company names mentioned herein may be\ntrademarks of their respective owners. \n\n The original glibc bug was reported by Peter Klotz. \n\nCVE-2014-7817\n\n Tim Waugh of Red Hat discovered that the WRDE_NOCMD option of the\n wordexp function did not suppress command execution in all cases. 
\n This allows a context-dependent attacker to execute shell\n commands. \n\nCVE-2012-6656\nCVE-2014-6040\n\n The charset conversion code for certain IBM multi-byte code pages\n could perform an out-of-bounds array access, causing the process\n to crash. In some scenarios, this allows a remote attacker to\n cause a persistent denial of service. \n\nFor the upcoming stable distribution (jessie) and the unstable\ndistribution (sid), the CVE-2015-0235 issue has been fixed in version\n2.18-1 of the glibc package. \n\nWe recommend that you upgrade your eglibc packages. \n _______________________________________________________________________\n\n References:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235\n https://rhn.redhat.com/errata/RHSA-2015-0092.html\n _______________________________________________________________________\n\n Updated Packages:\n\n Mandriva Business Server 1/X86_64:\n 678efef85b85206451ef8927bad808e0 mbs1/x86_64/glibc-2.14.1-12.11.mbs1.x86_64.rpm\n 46cd508f03e36c1e4f752c317852ec8e mbs1/x86_64/glibc-devel-2.14.1-12.11.mbs1.x86_64.rpm\n 069302c80e3b79504e2b0eaaa72c2745 mbs1/x86_64/glibc-doc-2.14.1-12.11.mbs1.noarch.rpm\n 3a841c0295823354655dd3e7734ada0b mbs1/x86_64/glibc-doc-pdf-2.14.1-12.11.mbs1.noarch.rpm\n 11a672a0b4bae77c7adfa803bea9871f mbs1/x86_64/glibc-i18ndata-2.14.1-12.11.mbs1.x86_64.rpm\n d3f113ccec4f18e4bb08c951625e51d7 mbs1/x86_64/glibc-profile-2.14.1-12.11.mbs1.x86_64.rpm\n f6d6aa5806dd747e66996ea8cc01c9b4 mbs1/x86_64/glibc-static-devel-2.14.1-12.11.mbs1.x86_64.rpm\n 98cc6eae0234eeed945712bbc8b2c0ea mbs1/x86_64/glibc-utils-2.14.1-12.11.mbs1.x86_64.rpm\n bf6f2fcc3dd21bd8380aac40e91bb802 mbs1/x86_64/nscd-2.14.1-12.11.mbs1.x86_64.rpm \n f597e4d6241c76701733d730e84f5714 mbs1/SRPMS/glibc-2.14.1-12.11.mbs1.src.rpm\n _______________________________________________________________________\n\n To upgrade automatically use MandrivaUpdate or urpmi. 
The verification\n of md5 checksums and GPG signatures is performed automatically for you. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Critical: glibc security update\nAdvisory ID: RHSA-2015:0092-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2015-0092.html\nIssue date: 2015-01-27\nCVE Names: CVE-2015-0235 \n=====================================================================\n\n1. Summary:\n\nUpdated glibc packages that fix one security issue are now available for\nRed Hat Enterprise Linux 6 and 7. \n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Desktop (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux HPC Node (v. 6) - x86_64\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. 
Description:\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system. \nWithout these libraries, the Linux system cannot function correctly. (CVE-2015-0235)\n\nRed Hat would like to thank Qualys for reporting this issue. \n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Desktop (v. 6):\n\nSource:\nglibc-2.12-1.149.el6_6.5.src.rpm\n\ni386:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-headers-2.12-1.149.el6_6.5.i686.rpm\nglibc-utils-2.12-1.149.el6_6.5.i686.rpm\nnscd-2.12-1.149.el6_6.5.i686.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.5.x86_64.rpm\nnscd-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop Optional (v. 
6):\n\ni386:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node (v. 6):\n\nSource:\nglibc-2.12-1.149.el6_6.5.src.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.5.x86_64.rpm\nnscd-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 
6):\n\nSource:\nglibc-2.12-1.149.el6_6.5.src.rpm\n\ni386:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-headers-2.12-1.149.el6_6.5.i686.rpm\nglibc-utils-2.12-1.149.el6_6.5.i686.rpm\nnscd-2.12-1.149.el6_6.5.i686.rpm\n\nppc64:\nglibc-2.12-1.149.el6_6.5.ppc.rpm\nglibc-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-common-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.ppc.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.ppc.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-devel-2.12-1.149.el6_6.5.ppc.rpm\nglibc-devel-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-headers-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-utils-2.12-1.149.el6_6.5.ppc64.rpm\nnscd-2.12-1.149.el6_6.5.ppc64.rpm\n\ns390x:\nglibc-2.12-1.149.el6_6.5.s390.rpm\nglibc-2.12-1.149.el6_6.5.s390x.rpm\nglibc-common-2.12-1.149.el6_6.5.s390x.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.s390.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.s390x.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.s390.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.s390x.rpm\nglibc-devel-2.12-1.149.el6_6.5.s390.rpm\nglibc-devel-2.12-1.149.el6_6.5.s390x.rpm\nglibc-headers-2.12-1.149.el6_6.5.s390x.rpm\nglibc-utils-2.12-1.149.el6_6.5.s390x.rpm\nnscd-2.12-1.149.el6_6.5.s390x.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.5.x86_64.rpm\nnscd-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux 
Server Optional (v. 6):\n\ni386:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\n\nppc64:\nglibc-debuginfo-2.12-1.149.el6_6.5.ppc.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.ppc.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.ppc64.rpm\nglibc-static-2.12-1.149.el6_6.5.ppc.rpm\nglibc-static-2.12-1.149.el6_6.5.ppc64.rpm\n\ns390x:\nglibc-debuginfo-2.12-1.149.el6_6.5.s390.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.s390x.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.s390.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.s390x.rpm\nglibc-static-2.12-1.149.el6_6.5.s390.rpm\nglibc-static-2.12-1.149.el6_6.5.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 
6):\n\nSource:\nglibc-2.12-1.149.el6_6.5.src.rpm\n\ni386:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-headers-2.12-1.149.el6_6.5.i686.rpm\nglibc-utils-2.12-1.149.el6_6.5.i686.rpm\nnscd-2.12-1.149.el6_6.5.i686.rpm\n\nx86_64:\nglibc-2.12-1.149.el6_6.5.i686.rpm\nglibc-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-devel-2.12-1.149.el6_6.5.i686.rpm\nglibc-devel-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-headers-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-utils-2.12-1.149.el6_6.5.x86_64.rpm\nnscd-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\ni386:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\n\nx86_64:\nglibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm\nglibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm\nglibc-static-2.12-1.149.el6_6.5.i686.rpm\nglibc-static-2.12-1.149.el6_6.5.x86_64.rpm\n\nRed Hat Enterprise Linux Client (v. 
7):\n\nSource:\nglibc-2.17-55.el7_0.5.src.rpm\n\nx86_64:\nglibc-2.17-55.el7_0.5.i686.rpm\nglibc-2.17-55.el7_0.5.x86_64.rpm\nglibc-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-devel-2.17-55.el7_0.5.i686.rpm\nglibc-devel-2.17-55.el7_0.5.x86_64.rpm\nglibc-headers-2.17-55.el7_0.5.x86_64.rpm\nglibc-utils-2.17-55.el7_0.5.x86_64.rpm\nnscd-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-static-2.17-55.el7_0.5.i686.rpm\nglibc-static-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nglibc-2.17-55.el7_0.5.src.rpm\n\nx86_64:\nglibc-2.17-55.el7_0.5.i686.rpm\nglibc-2.17-55.el7_0.5.x86_64.rpm\nglibc-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-devel-2.17-55.el7_0.5.i686.rpm\nglibc-devel-2.17-55.el7_0.5.x86_64.rpm\nglibc-headers-2.17-55.el7_0.5.x86_64.rpm\nglibc-utils-2.17-55.el7_0.5.x86_64.rpm\nnscd-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-static-2.17-55.el7_0.5.i686.rpm\nglibc-static-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 
7):\n\nSource:\nglibc-2.17-55.el7_0.5.src.rpm\n\nppc64:\nglibc-2.17-55.el7_0.5.ppc.rpm\nglibc-2.17-55.el7_0.5.ppc64.rpm\nglibc-common-2.17-55.el7_0.5.ppc64.rpm\nglibc-debuginfo-2.17-55.el7_0.5.ppc.rpm\nglibc-debuginfo-2.17-55.el7_0.5.ppc64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.ppc.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.ppc64.rpm\nglibc-devel-2.17-55.el7_0.5.ppc.rpm\nglibc-devel-2.17-55.el7_0.5.ppc64.rpm\nglibc-headers-2.17-55.el7_0.5.ppc64.rpm\nglibc-utils-2.17-55.el7_0.5.ppc64.rpm\nnscd-2.17-55.el7_0.5.ppc64.rpm\n\ns390x:\nglibc-2.17-55.el7_0.5.s390.rpm\nglibc-2.17-55.el7_0.5.s390x.rpm\nglibc-common-2.17-55.el7_0.5.s390x.rpm\nglibc-debuginfo-2.17-55.el7_0.5.s390.rpm\nglibc-debuginfo-2.17-55.el7_0.5.s390x.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.s390.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.s390x.rpm\nglibc-devel-2.17-55.el7_0.5.s390.rpm\nglibc-devel-2.17-55.el7_0.5.s390x.rpm\nglibc-headers-2.17-55.el7_0.5.s390x.rpm\nglibc-utils-2.17-55.el7_0.5.s390x.rpm\nnscd-2.17-55.el7_0.5.s390x.rpm\n\nx86_64:\nglibc-2.17-55.el7_0.5.i686.rpm\nglibc-2.17-55.el7_0.5.x86_64.rpm\nglibc-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-devel-2.17-55.el7_0.5.i686.rpm\nglibc-devel-2.17-55.el7_0.5.x86_64.rpm\nglibc-headers-2.17-55.el7_0.5.x86_64.rpm\nglibc-utils-2.17-55.el7_0.5.x86_64.rpm\nnscd-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
7):\n\nppc64:\nglibc-debuginfo-2.17-55.el7_0.5.ppc.rpm\nglibc-debuginfo-2.17-55.el7_0.5.ppc64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.ppc.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.ppc64.rpm\nglibc-static-2.17-55.el7_0.5.ppc.rpm\nglibc-static-2.17-55.el7_0.5.ppc64.rpm\n\ns390x:\nglibc-debuginfo-2.17-55.el7_0.5.s390.rpm\nglibc-debuginfo-2.17-55.el7_0.5.s390x.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.s390.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.s390x.rpm\nglibc-static-2.17-55.el7_0.5.s390.rpm\nglibc-static-2.17-55.el7_0.5.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-static-2.17-55.el7_0.5.i686.rpm\nglibc-static-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nglibc-2.17-55.el7_0.5.src.rpm\n\nx86_64:\nglibc-2.17-55.el7_0.5.i686.rpm\nglibc-2.17-55.el7_0.5.x86_64.rpm\nglibc-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-devel-2.17-55.el7_0.5.i686.rpm\nglibc-devel-2.17-55.el7_0.5.x86_64.rpm\nglibc-headers-2.17-55.el7_0.5.x86_64.rpm\nglibc-utils-2.17-55.el7_0.5.x86_64.rpm\nnscd-2.17-55.el7_0.5.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-2.17-55.el7_0.5.x86_64.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.i686.rpm\nglibc-debuginfo-common-2.17-55.el7_0.5.x86_64.rpm\nglibc-static-2.17-55.el7_0.5.i686.rpm\nglibc-static-2.17-55.el7_0.5.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-0235\nhttps://access.redhat.com/security/updates/classification/#critical\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2015 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFUx9bmXlSAg2UNWIIRAjP4AJ9/EPFLyhSuapG8Lie71zPk6VaF8wCfVAw2\nVIBda0hF+i0zAuST73ezXzI=\n=w5UI\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n+--------------------------+\npatches/packages/glibc-2.17-i486-10_slack14.1.txz: Rebuilt. This flaw could allow local or remote attackers to take control\n of a machine running a vulnerable version of glibc. Thanks to Qualys for\n discovering this issue (also known as the GHOST vulnerability.)\n For more information, see:\n https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235\n (* Security fix *)\npatches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz: Rebuilt. \npatches/packages/glibc-profile-2.17-i486-10_slack14.1.txz: Rebuilt. \npatches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz: Rebuilt. \npatches/packages/glibc-zoneinfo-2014j-noarch-1.txz: Upgraded. \n Upgraded to tzcode2014j and tzdata2014j. \n+--------------------------+\n\n\nWhere to find the new packages:\n+-----------------------------+\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you. 
\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-2.9-i486-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-i18n-2.9-i486-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-profile-2.9-i486-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-solibs-2.9-i486-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-2.9-x86_64-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-i18n-2.9-x86_64-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-profile-2.9-x86_64-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-solibs-2.9-x86_64-7_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-2.11.1-i486-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-i18n-2.11.1-i486-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-profile-2.11.1-i486-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-solibs-2.11.1-i486-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware x86_64 
13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-2.11.1-x86_64-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-i18n-2.11.1-x86_64-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-profile-2.11.1-x86_64-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-solibs-2.11.1-x86_64-9_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-2.13-i486-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-i18n-2.13-i486-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-profile-2.13-i486-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-solibs-2.13-i486-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-2.13-x86_64-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-i18n-2.13-x86_64-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-profile-2.13-x86_64-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-solibs-2.13-x86_64-8_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware 
14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-2.15-i486-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-i18n-2.15-i486-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-profile-2.15-i486-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-solibs-2.15-i486-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-2.15-x86_64-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-i18n-2.15-x86_64-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-profile-2.15-x86_64-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-solibs-2.15-x86_64-9_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-2.17-i486-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-i18n-2.17-i486-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-profile-2.17-i486-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-solibs-2.17-i486-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware x86_64 
14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-2.17-x86_64-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-i18n-2.17-x86_64-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-profile-2.17-x86_64-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-solibs-2.17-x86_64-10_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-zoneinfo-2014j-noarch-1.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/glibc-solibs-2.20-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/glibc-zoneinfo-2014j-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-2.20-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-i18n-2.20-i486-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-profile-2.20-i486-2.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/glibc-solibs-2.20-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/glibc-zoneinfo-2014j-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-2.20-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-i18n-2.20-x86_64-2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-profile-2.20-x86_64-2.txz\n\n\nMD5 signatures:\n+-------------+\n\nSlackware 13.0 packages:\n41402c65ebdef4b022c799131556ef7e glibc-2.9-i486-7_slack13.0.txz\n7095e3cd743af0179ea14b9bff81e3f4 glibc-i18n-2.9-i486-7_slack13.0.txz\n901d50b809ed84837ff45b2ca7838bb3 glibc-profile-2.9-i486-7_slack13.0.txz\n421a711b7cf1be2df2421ae5cd50b217 
glibc-solibs-2.9-i486-7_slack13.0.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware x86_64 13.0 packages:\nd4266628a8db63751f3f55b8bc2e2162 glibc-2.9-x86_64-7_slack13.0.txz\nb6161a0e23da771c5c6903605e49e403 glibc-i18n-2.9-x86_64-7_slack13.0.txz\nb8026d61e3849cce26539def0b665ca3 glibc-profile-2.9-x86_64-7_slack13.0.txz\n1f7f4cf57d44d75d4ef2786152f33403 glibc-solibs-2.9-x86_64-7_slack13.0.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware 13.1 packages:\n03e0d0224efe8bc794b5be0454612a1e glibc-2.11.1-i486-9_slack13.1.txz\nfabbdd8d7f14667c7a2dc7ede87b5510 glibc-i18n-2.11.1-i486-9_slack13.1.txz\n1c1d86a9dabe329c3d30796188b66ebe glibc-profile-2.11.1-i486-9_slack13.1.txz\ne2ebe08bb02550c69202a6f973ef7e47 glibc-solibs-2.11.1-i486-9_slack13.1.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware x86_64 13.1 packages:\nc00de492a4842e3a86101028e8cc03f0 glibc-2.11.1-x86_64-9_slack13.1.txz\n9657c55f39b233333e48d08acee9ed78 glibc-i18n-2.11.1-x86_64-9_slack13.1.txz\nada2d7f7b7ffdfd7a4407696ad714e48 glibc-profile-2.11.1-x86_64-9_slack13.1.txz\nb3c393e74aafbb5276cea1217dfcd1aa glibc-solibs-2.11.1-x86_64-9_slack13.1.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware 13.37 packages:\n16615e6ef8311b928e3a05e0b7f3e505 glibc-2.13-i486-8_slack13.37.txz\n319dfc0cbdaf8410981195fffb1371c6 glibc-i18n-2.13-i486-8_slack13.37.txz\n6964339495ab981d17ba27cd5878a400 glibc-profile-2.13-i486-8_slack13.37.txz\n1834abd11fab02725e897040bbead56f glibc-solibs-2.13-i486-8_slack13.37.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware x86_64 13.37 packages:\n1753003d261831ac235445e23a9f9870 glibc-2.13-x86_64-8_slack13.37.txz\n8aa103984bb2cb293072a022dd9144f2 glibc-i18n-2.13-x86_64-8_slack13.37.txz\na56e90a34eec8f60e265c45d05490a57 glibc-profile-2.13-x86_64-8_slack13.37.txz\nc6f684ea049e4091b96d15606eb454d1 
glibc-solibs-2.13-x86_64-8_slack13.37.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware 14.0 packages:\na2fadb666bfdf5c7c4c9792cbf34785d glibc-2.15-i486-9_slack14.0.txz\n3b3626f4a170a603af36ca60c7840fa6 glibc-i18n-2.15-i486-9_slack14.0.txz\nad237d138bb874e57c4080071d27e798 glibc-profile-2.15-i486-9_slack14.0.txz\nf07d37e52014cec80e43d883eda516ae glibc-solibs-2.15-i486-9_slack14.0.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware x86_64 14.0 packages:\na5d02d71a230b6daa39d2ebefd8a6548 glibc-2.15-x86_64-9_slack14.0.txz\n62c30b615e38ba63cafb8053383eabde glibc-i18n-2.15-x86_64-9_slack14.0.txz\n152d094ab6bc4c7f763dd4ad1a53784c glibc-profile-2.15-x86_64-9_slack14.0.txz\nb256163bb179d1aebfda5f45270a0580 glibc-solibs-2.15-x86_64-9_slack14.0.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware 14.1 packages:\n8f2fb91bb39d8a1db3bd6510295e6b1e glibc-2.17-i486-10_slack14.1.txz\n8d179820a827a4dce028b57d3fa39237 glibc-i18n-2.17-i486-10_slack14.1.txz\n19a4824c6ff8792a1166a38ceff824e0 glibc-profile-2.17-i486-10_slack14.1.txz\n417dede2ae464059002b6fcc2048f942 glibc-solibs-2.17-i486-10_slack14.1.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware x86_64 14.1 packages:\n490ce11a13439e30ff312769cc4fabb1 glibc-2.17-x86_64-10_slack14.1.txz\ncd145e0d6a12b15d5282d7d1b3de92ed glibc-i18n-2.17-x86_64-10_slack14.1.txz\n93aea777dd41dc1c631dce1cf252bf14 glibc-profile-2.17-x86_64-10_slack14.1.txz\n6b759039a5b3f8c88b3753e722ded78e glibc-solibs-2.17-x86_64-10_slack14.1.txz\n61278ba5a904a7474e9b0b64b0daab97 glibc-zoneinfo-2014j-noarch-1.txz\n\nSlackware -current packages:\n395d4ad5fb71c4a56a500c3e51d07c8b a/glibc-solibs-2.20-i486-2.txz\n61278ba5a904a7474e9b0b64b0daab97 a/glibc-zoneinfo-2014j-noarch-1.txz\n3ca2827446e66d0d2d0e0bc8c55ba1ed l/glibc-2.20-i486-2.txz\n94105b1a10c42ce0995f8ace6b4f06a8 l/glibc-i18n-2.20-i486-2.txz\nfcc2ad4f5aad3a7d704d708a170c5351 
l/glibc-profile-2.20-i486-2.txz\n\nSlackware x86_64 -current packages:\n25129dd9dfed8a8e834c87ba40c1ef17 a/glibc-solibs-2.20-x86_64-2.txz\n61278ba5a904a7474e9b0b64b0daab97 a/glibc-zoneinfo-2014j-noarch-1.txz\nb8ff5e308769d8e4eddccd9940058d5c l/glibc-2.20-x86_64-2.txz\n8c3db9286aa93346d25ffad38178137b l/glibc-i18n-2.20-x86_64-2.txz\n21f2a62d975b433f570cd5129cdc21fb l/glibc-profile-2.20-x86_64-2.txz\n\n\nInstallation instructions:\n+------------------------+\n\nUpgrade the packages as root:\n# upgradepkg glibc-*\n\n\n+-----+\n\nSlackware Linux Security Team\nhttp://slackware.com/gpg-key\nsecurity@slackware.com\n\n+------------------------------------------------------------------------+\n| To leave the slackware-security mailing list: |\n+------------------------------------------------------------------------+\n| Send an email to majordomo@slackware.com with this text in the body of |\n| the email message: |\n| |\n| unsubscribe slackware-security |\n| |\n| You will get a confirmation message back containing instructions to |\n| complete the process. Please do not reply to this email address. SEC Consult Vulnerability Lab Security Advisory \u003c 20210901-0 \u003e\n=======================================================================\n title: Multiple vulnerabilities\n product: see \"Vulnerable / tested versions\"\n vulnerable version: see \"Vulnerable / tested versions\"\n fixed version: see \"Solution\"\n CVE number: CVE-2021-39278, CVE-2021-39279\n impact: High\n homepage: https://www.moxa.com/\n found: 2020-08-31\n by: T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"Together, We Create Change\n\nMoxa is committed to making a positive impact around the world. 
We put our all\nbehind this commitment--from our employees, to our products and supply chain. \n\nIn our local communities, we nurture and support the spirit of volunteering. \nWe encourage our employees to contribute to community development, with an\nemphasis on ecology, education, and health. \n\nIn our products, we invest in social awareness programs and\nenvironment-friendly policies at every stage of the product lifecycle. We make\nsure our manufacturing meets the highest standards with regards to quality,\nethics, and sustainability.\"\n\nSource: https://www.moxa.com/en/about-us/corporate-responsibility\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends to immediately apply the available patches\nfrom the vendor. A thorough security review should be performed by\nsecurity professionals to identify further potential security issues. \n\n\nVulnerability overview/description:\n-----------------------------------\n1) Authenticated Command Injection (CVE-2021-39279)\nAn authenticated command injection vulnerability can be triggered by issuing a\nGET request to the \"/forms/web_importTFTP\" CGI program which is available on\nthe web interface. An attacker can abuse this vulnerability to compromise the\noperating system of the device. This issue was found by emulating the firmware\nof the device. \n\n2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)\nVia a crafted config-file, a reflected cross-site scripting vulnerability can\nbe exploited in the context of the victim\u0027s browser. This config-file can be\nuploaded to the device via the \"Config Import Export\" tab in the main menu. One of the discovered vulnerabilities (CVE-2015-0235,\ngethostbyname \"GHOST\" buffer overflow) was verified by using the MEDUSA\nscalable firmware runtime. \n\n4) Multiple Outdated Software Components\nMultiple outdated software components containing vulnerabilities were found by\nthe IoT Inspector. 
\n\nThe vulnerabilities 1), 2) and 3) were manually verified on an emulated device\nby using the MEDUSA scalable firmware runtime. \n\nProof of concept:\n-----------------\n1) Authenticated Command Injection (CVE-2021-39279)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"-\u003e\"Maintenance\"-\u003e\"Config Import Export\"\n\nThe \"TFTP Import\" menu is prone to command injection via all parameters. To\nexploit the vulnerability, an IP address, a configuration path and a filename\nmust be set. \nIf the filename is used to trigger the exploit, the payload in the interceptor\nproxy would be:\n\nhttp://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1\u0026configPath=/\u0026fileName=name|`ping localhost -c 100`\n\n\n2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"-\u003e\"Maintenance\"-\u003e\"Config Import Export\"\n\nThe \"Config Import\" menu is prone to reflected cross-site scripting via the\nupload of config files. Example of malicious config file:\n-------------------------------------------------------------------------------\n[board]\ndeviceName=\"WAC-2004_0000\u003c/span\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\ndeviceLocation=\"\"\n[..]\n-------------------------------------------------------------------------------\nUploading such a crafted file triggers cross-site scripting as the erroneous\nvalue is displayed without filtering characters. \n\nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the\nhelp of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was\ncompiled and executed on the emulated device to test the system. 
\n\n\n4) Multiple Outdated Software Components\nThe IoT Inspector recognized multiple outdated software components with known\nvulnerabilities:\n\nBusyBox 1.18.5 06/2011\nDropbear SSH 2011.54 11/2011\nGNU glibc 2.9 02/2009\nLinux Kernel 2.6.27 10/2008\nOpenSSL 0.9.7g 04/2005\nOnly found in the program \"iw_director\"\nOpenSSL 1.0.0 03/2010\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions for various devices have been identified\nto be vulnerable:\n* WAC-2004 / 1.7\n* WAC-1001 / 2.1\n* WAC-1001-T / 2.1\n* OnCell G3470A-LTE-EU / 1.7\n* OnCell G3470A-LTE-EU-T / 1.7\n* TAP-323-EU-CT-T / 1.3\n* TAP-323-US-CT-T / 1.3\n* TAP-323-JP-CT-T / 1.3\n* WDR-3124A-EU / 2.3\n* WDR-3124A-EU-T / 2.3\n* WDR-3124A-US / 2.3\n* WDR-3124A-US-T / 2.3\n\n\nVendor contact timeline:\n------------------------\n2020-10-09: Contacting vendor through moxa.csrt@moxa.com. \n2020-10-12: Contact sends PGP key for encrypted communication and asks for the\n detailed advisory. Sent encrypted advisory to vendor. \n2020-11-06: Status update from vendor regarding technical analysis. Vendor\n requested more time for fixing the vulnerabilities as more products\n are affected. \n2020-11-09: Granted more time for fixing to vendor. \n2020-11-10: Vendor asked for next steps regarding the advisory publication. \n2020-11-11: Asked vendor for an estimation when a public disclosure is possible. \n2020-11-16: Vendor responded that the product team can give a rough feedback. \n2020-11-25: Asked for a status update. \n2020-11-25: Vendor responded that the investigation is not done yet. \n2020-12-14: Vendor provided a list of potential affected devices and stated\n that full investigation may take until January 2021 due to the list\n of CVEs that were provided with the appended IoT Inspector report. \n The patches may be available until June 2021. \n2020-12-15: Shifted next status update round with vendor on May 2021. 
\n2020-12-23: Vendor provided full list of affected devices. \n2021-02-05: Vendor sieved out the found issues from 4) manually and provided a\n full list of confirmed vulnerabilities. WAC-2004 was phased out in\n 2019. \n2021-02-21: Confirmed receipt of vulnerabilities, next status update in May\n 2021. \n2021-06-10: Asking for an update. \n2021-06-15: Vendor stated that the update will be provided in the next few days. \n2021-06-21: Vendor will give an update in the next week as Covid gets worse in\n Taiwan. \n2021-06-23: Vendor stated that patches are under development. Vendor needs more\n time to finish the patches. \n2021-06-24: Set release date to 2021-09-01. \n2021-07-02: Vendor provides status updates. \n2021-08-16: Vendor provides status updates. \n2021-08-17: Vendor asks for CVE IDs and stated that WDR-3124A has been phased out. \n2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers. \n2021-08-31: Vendor provides fixed firmware version numbers and the advisory\n links. \n2021-09-01: Coordinated release of security advisory. \n\nSolution:\n---------\nAccording to the vendor the following patches must be applied to fix issues:\n* WAC-1001 / 2.1.5\n* WAC-1001-T / 2.1.5\n* OnCell G3470A-LTE-EU / 1.7.4\n* OnCell G3470A-LTE-EU-T / 1.7.4\n* TAP-323-EU-CT-T / 1.8.1\n* TAP-323-US-CT-T / 1.8.1\n* TAP-323-JP-CT-T / 1.8.1\n\nMoxa Technical Support must be contacted to request the security\npatches. 
\n\nThe corresponding security advisories for the affected devices are available on\nthe vendor\u0027s website:\nTAP-323/WAC-1001/WAC-2004\nhttps://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities\nOnCell G3470A-LTE/WDR-3124A\nhttps://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities\n\nThe following device models are EOL and should be replaced:\n* WAC-2004\n* WDR-3124A-EU\n* WDR-3124A-EU-T\n* WDR-3124A-US\n* WDR-3124A-US-T\n\n\nWorkaround:\n-----------\nNone. \n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult, an Atos company\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nAtos company. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. 
\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF Thomas Weber / @2021\n\n. If Apache was manually enabled and the configuration\nwas not changed, some files that should not be accessible might have\nbeen accessible using a specially crafted URL. This issue was addressed through the\naddition of a mechanism to trust only a subset of certificates issued\nprior to the mis-issuance of the intermediate. This\nissue, also known as Logjam, allowed an attacker with a privileged\nnetwork position to downgrade security to 512-bit DH if the server\nsupported an export-strength ephemeral DH cipher suite. The issue was\naddressed by increasing the default minimum size allowed for DH\nephemeral keys to 768 bits. \nCVE-ID\nCVE-2015-3695 : Ian Beer of Google Project Zero\nCVE-2015-3696 : Ian Beer of Google Project Zero\nCVE-2015-3697 : Ian Beer of Google Project Zero\nCVE-2015-3698 : Ian Beer of Google Project Zero\nCVE-2015-3699 : Ian Beer of Google Project Zero\nCVE-2015-3700 : Ian Beer of Google Project Zero\nCVE-2015-3701 : Ian Beer of Google Project Zero\nCVE-2015-3702 : KEEN Team\n\nImageIO\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\nOS X Yosemite v10.10 to v10.10.3\nImpact: Multiple vulnerabilities existed in libtiff, the most\nserious of which may lead to arbitrary code execution\nDescription: Multiple vulnerabilities existed in libtiff versions\nprior to 4.0.4. \nCVE-ID\nCVE-2015-3661 : G. 
Geshev working with HP\u0027s Zero Day Initiative\nCVE-2015-3662 : kdot working with HP\u0027s Zero Day Initiative\nCVE-2015-3663 : kdot working with HP\u0027s Zero Day Initiative\nCVE-2015-3666 : Steven Seeley of Source Incite working with HP\u0027s Zero\nDay Initiative\nCVE-2015-3667 : Ryan Pentney, Richard Johnson of Cisco Talos and Kai\nLu of Fortinet\u0027s FortiGuard Labs, Ryan Pentney, and Richard Johnson\nof Cisco Talos and Kai Lu of Fortinet\u0027s FortiGuard Labs\nCVE-2015-3668 : Kai Lu of Fortinet\u0027s FortiGuard Labs\nCVE-2015-3713 : Apple\n\nSecurity\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\nOS X Yosemite v10.10 to v10.10.3\nImpact: A remote attacker may cause an unexpected application\ntermination or arbitrary code execution\nDescription: An integer overflow existed in the Security framework\ncode for parsing S/MIME e-mail and some other signed or encrypted\nobjects. \nCVE-ID\nCVE-2013-1741\n\nSecurity\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\nOS X Yosemite v10.10 to v10.10.3\nImpact: Tampered applications may not be prevented from launching\nDescription: Apps using custom resource rules may have been\nsusceptible to tampering that would not have invalidated the\nsignature",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-0235"
},
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "BID",
"id": "72325"
},
{
"db": "VULHUB",
"id": "VHN-78181"
},
{
"db": "PACKETSTORM",
"id": "134055"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "PACKETSTORM",
"id": "130987"
},
{
"db": "PACKETSTORM",
"id": "130098"
},
{
"db": "PACKETSTORM",
"id": "130333"
},
{
"db": "PACKETSTORM",
"id": "130114"
},
{
"db": "PACKETSTORM",
"id": "130163"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "PACKETSTORM",
"id": "132518"
}
],
"trust": 3.6
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://www.kb.cert.org/vuls/id/967332",
"trust": 0.8,
"type": "poc"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-78181",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "VULHUB",
"id": "VHN-78181"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2015-0235",
"trust": 4.6
},
{
"db": "BID",
"id": "72325",
"trust": 2.0
},
{
"db": "JUNIPER",
"id": "JSA10671",
"trust": 2.0
},
{
"db": "PACKETSTORM",
"id": "164014",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "153278",
"trust": 1.8
},
{
"db": "BID",
"id": "91787",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "167552",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "130974",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "130768",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "130171",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62883",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62690",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62871",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62680",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62517",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62640",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62715",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62812",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62667",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62879",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62813",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62698",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62681",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62692",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62758",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62870",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62816",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62691",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62688",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "62865",
"trust": 1.7
},
{
"db": "SECTRACK",
"id": "1032909",
"trust": 1.7
},
{
"db": "MCAFEE",
"id": "SB10100",
"trust": 1.7
},
{
"db": "SIEMENS",
"id": "SSA-994726",
"trust": 1.7
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/05/04/7",
"trust": 1.7
},
{
"db": "CERT/CC",
"id": "VU#967332",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2015/01/27/9",
"trust": 0.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2013/09/17/4",
"trust": 0.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2015/01/28/18",
"trust": 0.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2015/01/29/21",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658",
"trust": 0.7
},
{
"db": "CXSECURITY",
"id": "WLB-2022060049",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-15-064-01",
"trust": 0.3
},
{
"db": "PACKETSTORM",
"id": "130114",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "130163",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "130333",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "131867",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130115",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "131214",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "134196",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130216",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130100",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130134",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130135",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130099",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "36421",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "35951",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-89237",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-78181",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "134055",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133803",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130987",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130098",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132518",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "VULHUB",
"id": "VHN-78181"
},
{
"db": "BID",
"id": "72325"
},
{
"db": "PACKETSTORM",
"id": "134055"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "PACKETSTORM",
"id": "130987"
},
{
"db": "PACKETSTORM",
"id": "130098"
},
{
"db": "PACKETSTORM",
"id": "130333"
},
{
"db": "PACKETSTORM",
"id": "130114"
},
{
"db": "PACKETSTORM",
"id": "130163"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "PACKETSTORM",
"id": "132518"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "NVD",
"id": "CVE-2015-0235"
}
]
},
"id": "VAR-201501-0737",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-78181"
}
],
"trust": 0.507738211
},
"last_update_date": "2026-03-09T21:40:09.204000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.eglibc.org/home"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "https://getfedora.org/en/"
},
{
"title": "SUSE-SU-2014:1129-1",
"trust": 0.8,
"url": "https://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html"
},
{
"title": "CVE-2013-4357",
"trust": 0.8,
"url": "https://security-tracker.debian.org/tracker/CVE-2013-4357"
},
{
"title": "USN-2306-1",
"trust": 0.8,
"url": "https://usn.ubuntu.com/2306-1/"
},
{
"title": "USN-2306-2",
"trust": 0.8,
"url": "https://usn.ubuntu.com/2306-2/"
},
{
"title": "USN-2306-3",
"trust": 0.8,
"url": "https://usn.ubuntu.com/2306-3/"
},
{
"title": "glibc-2.18",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53554"
},
{
"title": "glibc-2.18",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53556"
},
{
"title": "glibc-2.18",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53555"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-787",
"trust": 1.1
},
{
"problemtype": "CWE-120",
"trust": 0.8
},
{
"problemtype": "CWE-119",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-78181"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "NVD",
"id": "CVE-2015-0235"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.6,
"url": "https://www.qualys.com/research/security-advisories/ghost-cve-2015-0235.txt"
},
{
"trust": 2.3,
"url": "http://www.debian.org/security/2015/dsa-3142"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/130171/exim-esmtp-ghost-denial-of-service.html"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/130768/emc-secure-remote-services-ghost-sql-injection-command-injection.html"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/130974/exim-ghost-glibc-gethostbyname-buffer-overflow.html"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/153278/wago-852-industrial-managed-switch-series-code-execution-hardcoded-credentials.html"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/164014/moxa-command-injection-cross-site-scripting-vulnerable-software.html"
},
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/167552/nexans-ftto-gigaswitch-outdated-components-hardcoded-backdoor.html"
},
{
"trust": 2.0,
"url": "http://seclists.org/oss-sec/2015/q1/274"
},
{
"trust": 2.0,
"url": "http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150128-ghost"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695695"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695774"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695835"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695860"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696131"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696243"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696526"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696600"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696602"
},
{
"trust": 2.0,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696618"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
},
{
"trust": 2.0,
"url": "https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2015/jun/msg00002.html"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00008.html"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2015/oct/msg00005.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/72325"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/91787"
},
{
"trust": 1.7,
"url": "http://seclists.org/oss-sec/2015/q1/269"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/archive/1/534845/100/0/threaded"
},
{
"trust": 1.7,
"url": "https://seclists.org/bugtraq/2019/jun/14"
},
{
"trust": 1.7,
"url": "http://blogs.sophos.com/2015/01/29/sophos-products-and-the-ghost-vulnerability-affecting-linux/"
},
{
"trust": 1.7,
"url": "http://linux.oracle.com/errata/elsa-2015-0090.html"
},
{
"trust": 1.7,
"url": "http://linux.oracle.com/errata/elsa-2015-0092.html"
},
{
"trust": 1.7,
"url": "http://support.apple.com/kb/ht204942"
},
{
"trust": 1.7,
"url": "http://www.idirect.net/partners/~/media/files/cve/idirect-posted-common-vulnerabilities-and-exposures.pdf"
},
{
"trust": 1.7,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"trust": 1.7,
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
},
{
"trust": 1.7,
"url": "http://www.websense.com/support/article/kbarticle/vulnerabilities-resolved-in-triton-apx-version-8-0"
},
{
"trust": 1.7,
"url": "https://bto.bluecoat.com/security-advisory/sa90"
},
{
"trust": 1.7,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-994726.pdf"
},
{
"trust": 1.7,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04874668"
},
{
"trust": 1.7,
"url": "https://help.ecostruxureit.com/display/public/uadco8x/struxureware+data+center+operation+software+vulnerability+fixes"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20150127-0001/"
},
{
"trust": 1.7,
"url": "https://support.apple.com/ht205267"
},
{
"trust": 1.7,
"url": "https://support.apple.com/ht205375"
},
{
"trust": 1.7,
"url": "https://www.f-secure.com/en/web/labs_global/fsc-2015-1"
},
{
"trust": 1.7,
"url": "https://www.sophos.com/en-us/support/knowledgebase/121879.aspx"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2015/jan/111"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2019/jun/18"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2021/sep/0"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/jun/36"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/201503-04"
},
{
"trust": 1.7,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:039"
},
{
"trust": 1.7,
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1053-security-advisory-9"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2021/05/04/7"
},
{
"trust": 1.7,
"url": "http://rhn.redhat.com/errata/rhsa-2015-0126.html"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id/1032909"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62517"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62640"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62667"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62680"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62681"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62688"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62690"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62691"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62692"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62698"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62715"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62758"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62812"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62813"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62816"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62865"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62870"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62871"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62879"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/62883"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=142781412222323\u0026w=2"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=142722450701342\u0026w=2"
},
{
"trust": 1.6,
"url": "https://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10671"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=143145428124857\u0026w=2"
},
{
"trust": 1.6,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10100"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=142296726407499\u0026w=2"
},
{
"trust": 1.6,
"url": "http://marc.info/?l=bugtraq\u0026m=142721102728110\u0026w=2"
},
{
"trust": 1.1,
"url": "http://lists.suse.com/pipermail/sle-security-updates/2015-january/001186.html"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0235"
},
{
"trust": 0.8,
"url": "http://www.openwall.com/lists/oss-security/2015/01/27/9"
},
{
"trust": 0.8,
"url": "https://security-tracker.debian.org/tracker/cve-2015-0235"
},
{
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2015-0099.html"
},
{
"trust": 0.8,
"url": "http://www.slackware.com/security/list.php?l=slackware-security\u0026y=2015"
},
{
"trust": 0.8,
"url": "https://wiki.ubuntu.com/securityteam/knowledgebase/ghost"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4357"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4357"
},
{
"trust": 0.8,
"url": "https://www.openwall.com/lists/oss-security/2013/09/17/4"
},
{
"trust": 0.8,
"url": "http://www.openwall.com/lists/oss-security/2015/01/28/18"
},
{
"trust": 0.8,
"url": "http://www.openwall.com/lists/oss-security/2015/01/29/21"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/issue/wlb-2022060049"
},
{
"trust": 0.3,
"url": "http://support.novell.com/security/cve/cve-2015-0235.html"
},
{
"trust": 0.3,
"url": "https://securityadvisories.paloaltonetworks.com/home/detail/29?aspxautodetectcookiesupport=1"
},
{
"trust": 0.3,
"url": "http://www.gnu.org/software/libc/"
},
{
"trust": 0.3,
"url": "http://www.pexip.com/sites/pexip/files/pexip_security_bulletin_2015-01-30.pdf"
},
{
"trust": 0.3,
"url": "https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16057.html"
},
{
"trust": 0.3,
"url": "http://www.splunk.com/view/sp-caaanvj"
},
{
"trust": 0.3,
"url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=\u0026solutionid=sk104443"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04560440"
},
{
"trust": 0.3,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10671\u0026cat=sirt_1\u0026actp=list"
},
{
"trust": 0.3,
"url": "http://www.fortiguard.com/advisory/fg-ir-15-001/"
},
{
"trust": 0.3,
"url": "https://downloads.avaya.com/css/p8/documents/101006702"
},
{
"trust": 0.3,
"url": "https://downloads.avaya.com/css/p8/documents/101006704"
},
{
"trust": 0.3,
"url": "https://downloads.avaya.com/css/p8/documents/101006705"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5097203"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04577814"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04589512"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/nov/14"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04602055"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04599861"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04674742"
},
{
"trust": 0.3,
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00000.html"
},
{
"trust": 0.3,
"url": "https://www.xerox.com/download/security/security-bulletin/2f11f-5117bc2506e9f/cert_security_mini_bulletin_xrx15j_for_connectkey_1.5_r15-02_v1-1.pdf"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/mar/48"
},
{
"trust": 0.3,
"url": "https://securityadvisories.paloaltonetworks.com/home/detail/29"
},
{
"trust": 0.3,
"url": "http://supportdocs.polycom.com/polycomservice/support/global/documents/support/documentation/security_advisory_ghost_v_2_0.pdf"
},
{
"trust": 0.3,
"url": "https://www.alienvault.com/forums/discussion/4475/security-advisory-alienvault-v4-15-1-addresses-twenty-20-vulnerabilities"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005056"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696466"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696640"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098317"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5097331"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005064"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696204"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696630"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697192"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695967"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1022050"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695859"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696461"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5097163"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005172"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5097332"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697268"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005063"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005062"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005122"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696416"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1020559"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1022015"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005068"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695947"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21697250"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21698044"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695637"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21696066"
},
{
"trust": 0.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-15-064-01"
},
{
"trust": 0.3,
"url": "http://www.kb.cert.org/vuls/id/967332"
},
{
"trust": 0.3,
"url": "http://www.apple.com/support/downloads/"
},
{
"trust": 0.3,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.3,
"url": "http://gpgtools.org"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0273"
},
{
"trust": 0.2,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0287"
},
{
"trust": 0.2,
"url": "https://support.apple.com/en-"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0286"
},
{
"trust": 0.2,
"url": "https://seclists.org/oss-sec/2015/q1/274."
},
{
"trust": 0.2,
"url": "https://www.sec-consult.com"
},
{
"trust": 0.2,
"url": "https://twitter.com/sec_consult"
},
{
"trust": 0.2,
"url": "http://blog.sec-consult.com"
},
{
"trust": 0.2,
"url": "http://www.debian.org/security/"
},
{
"trust": 0.2,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0235"
},
{
"trust": 0.2,
"url": "https://rhn.redhat.com/errata/rhsa-2015-0092.html"
},
{
"trust": 0.1,
"url": "https://kb.juniper.net/infocenter/index?page=content\u0026amp;id=jsa10671"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10100"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=142296726407499\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=142781412222323\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=142722450701342\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=142721102728110\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "http://marc.info/?l=bugtraq\u0026amp;m=143145428124857\u0026amp;w=2"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5925"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5936"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6836"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5943"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5924"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5945"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6834"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5935"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5944"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5942"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6837"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5940"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5927"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5933"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5939"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht205377"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5934"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6835"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6838"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6563"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-6151"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5938"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6974"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5926"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5937"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5932"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8146"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0231"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8080"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2331"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7187"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1351"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8090"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9705"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1352"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-3951"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8147"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0232"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2301"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht205265."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8611"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9427"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1855"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2305"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9425"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7186"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3618"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9709"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-6277"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-2532"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9652"
},
{
"trust": 0.1,
"url": "https://www.tencent.com)"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-0296"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6301"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1472"
},
{
"trust": 0.1,
"url": "http://www.wago.us/wago/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-2716"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/career/index.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-4412"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9402"
},
{
"trust": 0.1,
"url": "https://www.wago.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-5325"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-9261"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2147"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-3856"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9984"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9761"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-4043"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1813"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12550"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2148"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/contact/index.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3571"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3572"
},
{
"trust": 0.1,
"url": "http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0204"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe"
},
{
"trust": 0.1,
"url": "http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0205"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3570"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8275"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3569"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0206"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-6040"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-6656"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7817"
},
{
"trust": 0.1,
"url": "http://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/advisories/"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-0235"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "http://slackware.com"
},
{
"trust": 0.1,
"url": "http://osuosl.org)"
},
{
"trust": 0.1,
"url": "http://slackware.com/gpg-key"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39278"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/about-us/corporate-responsibility"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7423"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/vulnerability-lab/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1234"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7547"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39279"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1914"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/career/"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/forms/web_importtftp?servip=192.168.1.1\u0026configpath=/\u0026filename=name|`ping"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0288"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3673"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8140"
},
{
"trust": 0.1,
"url": "http://support.apple.com/kb/ht1222"
},
{
"trust": 0.1,
"url": "https://support.apple.com/en-us/ht204938"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3672"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0209"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8127"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0289"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3661"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3671"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1741"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8128"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8130"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3662"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8129"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1157"
},
{
"trust": 0.1,
"url": "https://support.apple.com/en-us/ht204950"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3663"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3668"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0293"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1799"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3666"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1798"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3667"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
},
{
"db": "VULHUB",
"id": "VHN-78181"
},
{
"db": "BID",
"id": "72325"
},
{
"db": "PACKETSTORM",
"id": "134055"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "153278"
},
{
"db": "PACKETSTORM",
"id": "130987"
},
{
"db": "PACKETSTORM",
"id": "130098"
},
{
"db": "PACKETSTORM",
"id": "130333"
},
{
"db": "PACKETSTORM",
"id": "130114"
},
{
"db": "PACKETSTORM",
"id": "130163"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "PACKETSTORM",
"id": "132518"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061"
},
{
"db": "NVD",
"id": "CVE-2015-0235"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "CERT/CC",
"id": "VU#967332",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-78181",
"ident": null
},
{
"db": "BID",
"id": "72325",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "134055",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "133803",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "153278",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "130987",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "130098",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "130333",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "130114",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "130163",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164014",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "132518",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2013-007061",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2015-0235",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2015-01-28T00:00:00",
"db": "CERT/CC",
"id": "VU#967332",
"ident": null
},
{
"date": "2015-01-28T00:00:00",
"db": "VULHUB",
"id": "VHN-78181",
"ident": null
},
{
"date": "2015-01-27T00:00:00",
"db": "BID",
"id": "72325",
"ident": null
},
{
"date": "2015-10-21T19:32:22",
"db": "PACKETSTORM",
"id": "134055",
"ident": null
},
{
"date": "2015-10-01T16:33:47",
"db": "PACKETSTORM",
"id": "133803",
"ident": null
},
{
"date": "2019-06-13T19:33:38",
"db": "PACKETSTORM",
"id": "153278",
"ident": null
},
{
"date": "2015-03-24T17:05:09",
"db": "PACKETSTORM",
"id": "130987",
"ident": null
},
{
"date": "2015-01-27T18:04:25",
"db": "PACKETSTORM",
"id": "130098",
"ident": null
},
{
"date": "2015-02-10T17:42:58",
"db": "PACKETSTORM",
"id": "130333",
"ident": null
},
{
"date": "2015-01-27T19:35:59",
"db": "PACKETSTORM",
"id": "130114",
"ident": null
},
{
"date": "2015-01-29T18:21:00",
"db": "PACKETSTORM",
"id": "130163",
"ident": null
},
{
"date": "2021-09-01T15:42:52",
"db": "PACKETSTORM",
"id": "164014",
"ident": null
},
{
"date": "2015-07-01T05:31:53",
"db": "PACKETSTORM",
"id": "132518",
"ident": null
},
{
"date": "2015-01-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201501-658",
"ident": null
},
{
"date": "2020-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007061",
"ident": null
},
{
"date": "2015-01-28T19:59:00.063000",
"db": "NVD",
"id": "CVE-2015-0235",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2015-10-22T00:00:00",
"db": "CERT/CC",
"id": "VU#967332",
"ident": null
},
{
"date": "2021-11-17T00:00:00",
"db": "VULHUB",
"id": "VHN-78181",
"ident": null
},
{
"date": "2018-10-17T06:00:00",
"db": "BID",
"id": "72325",
"ident": null
},
{
"date": "2022-06-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201501-658",
"ident": null
},
{
"date": "2020-01-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-007061",
"ident": null
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2015-0235",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "130114"
},
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
}
],
"trust": 0.7
},
"title": {
"_id": null,
"data": "GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow",
"sources": [
{
"db": "CERT/CC",
"id": "VU#967332"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201501-658"
}
],
"trust": 0.6
}
}
VAR-201509-0438
Vulnerability from variot - Updated: 2026-03-09 20:00
Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. GNU glibc is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts may crash the application, denying service to legitimate users.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781 https://rhn.redhat.com/errata/RHSA-2015-0863.html
Updated Packages:
Mandriva Business Server 1/X86_64: 92aa475c44c712eaf19898ef76e04183 mbs1/x86_64/glibc-2.14.1-12.12.mbs1.x86_64.rpm 606cdd33e041f9853eae18f53c9d73de mbs1/x86_64/glibc-devel-2.14.1-12.12.mbs1.x86_64.rpm 133deb850840d464335e5c659cba1627 mbs1/x86_64/glibc-doc-2.14.1-12.12.mbs1.noarch.rpm 7a3d5170647c52cd4a34d2dcda711397 mbs1/x86_64/glibc-doc-pdf-2.14.1-12.12.mbs1.noarch.rpm 96c842afb6110ac18a40b843b51548fc mbs1/x86_64/glibc-i18ndata-2.14.1-12.12.mbs1.x86_64.rpm 703e73278d416a53096fe19c7652c95e mbs1/x86_64/glibc-profile-2.14.1-12.12.mbs1.x86_64.rpm 12f09ed16d9c4b0f9a94e931569dacc3 mbs1/x86_64/glibc-static-devel-2.14.1-12.12.mbs1.x86_64.rpm 09715361d0af4a4dd5fba44239c5e690 mbs1/x86_64/glibc-utils-2.14.1-12.12.mbs1.x86_64.rpm c9a293ac29070d215eb1988bba58aaec mbs1/x86_64/nscd-2.14.1-12.12.mbs1.x86_64.rpm 8d8b74de2d7c0e982e0ad82ac73091b2 mbs1/SRPMS/glibc-2.14.1-12.12.mbs1.src.rpm
Mandriva Business Server 2/X86_64: e59cee8712d211add638c1b6c1952fa6 mbs2/x86_64/glibc-2.18-10.2.mbs2.x86_64.rpm baf9e44f8c4f82c75a0154d44b6fce72 mbs2/x86_64/glibc-devel-2.18-10.2.mbs2.x86_64.rpm f3eb6e3ed435f8a06dcffbfa7a44525b mbs2/x86_64/glibc-doc-2.18-10.2.mbs2.noarch.rpm 5df45f7cae82ef7d354fa14c7ac363c9 mbs2/x86_64/glibc-i18ndata-2.18-10.2.mbs2.x86_64.rpm 24ef48d58c7a4114068e7b70dbefad79 mbs2/x86_64/glibc-profile-2.18-10.2.mbs2.x86_64.rpm 5f67c12f02dbc3f4cbf78f1a8c7d5ad5 mbs2/x86_64/glibc-static-devel-2.18-10.2.mbs2.x86_64.rpm f24e67e1ed1b01e5305c28b3a9b02852 mbs2/x86_64/glibc-utils-2.18-10.2.mbs2.x86_64.rpm bae4b399bc43be8af24ddd93257ca31a mbs2/x86_64/nscd-2.18-10.2.mbs2.x86_64.rpm 740d9b3d14292be8847da92243340b62 mbs2/SRPMS/glibc-2.18-10.2.mbs2.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: glibc security, bug fix, and enhancement update Advisory ID: RHSA-2015:2199-07 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2199.html Issue date: 2015-11-19 CVE Names: CVE-2013-7423 CVE-2015-1472 CVE-2015-1473 CVE-2015-1781 =====================================================================
- Summary:
Updated glibc packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data. (CVE-2013-7423)
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. (CVE-2015-1781)
A heap-based buffer overflow flaw and a stack overflow flaw were found in glibc's swscanf() function. (CVE-2015-1472, CVE-2015-1473)
An integer overflow flaw, leading to a heap-based buffer overflow, was found in glibc's _IO_wstr_overflow() function. (BZ#1195762)
A flaw was found in the way glibc's fnmatch() function processed certain malformed patterns. An attacker able to make an application call this function could use this flaw to crash that application. (BZ#1197730)
The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.
These updated glibc packages also include numerous bug fixes and one enhancement. Space precludes documenting all of these changes in this advisory. For information on the most significant of these changes, users are directed to the following article on the Red Hat Customer Portal:
https://access.redhat.com/articles/2050743
All glibc users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1064066 - Test suite failure: test-ldouble 1098042 - getaddrinfo return EAI_NONAME instead of EAI_AGAIN in case the DNS query times out 1144133 - calloc in dl-reloc.c computes size incorrectly 1187109 - CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load 1188235 - CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf 1195762 - glibc: _IO_wstr_overflow integer overflow 1197730 - glibc: potential denial of service in internal_fnmatch() 1199525 - CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer 1207032 - glibc deadlock when printing backtrace from memory allocator 1209105 - CVE-2015-1473 glibc: Stack-overflow in glibc swscanf 1219891 - Missing define for TCP_USER_TIMEOUT in netinet/tcp.h 1225490 - [RFE] Unconditionally enable SDT probes in glibc builds.
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: glibc-2.17-105.el7.src.rpm
aarch64: glibc-2.17-105.el7.aarch64.rpm glibc-common-2.17-105.el7.aarch64.rpm glibc-debuginfo-2.17-105.el7.aarch64.rpm glibc-devel-2.17-105.el7.aarch64.rpm glibc-headers-2.17-105.el7.aarch64.rpm glibc-utils-2.17-105.el7.aarch64.rpm nscd-2.17-105.el7.aarch64.rpm
ppc64: glibc-2.17-105.el7.ppc.rpm glibc-2.17-105.el7.ppc64.rpm glibc-common-2.17-105.el7.ppc64.rpm glibc-debuginfo-2.17-105.el7.ppc.rpm glibc-debuginfo-2.17-105.el7.ppc64.rpm glibc-debuginfo-common-2.17-105.el7.ppc.rpm glibc-debuginfo-common-2.17-105.el7.ppc64.rpm glibc-devel-2.17-105.el7.ppc.rpm glibc-devel-2.17-105.el7.ppc64.rpm glibc-headers-2.17-105.el7.ppc64.rpm glibc-utils-2.17-105.el7.ppc64.rpm nscd-2.17-105.el7.ppc64.rpm
ppc64le: glibc-2.17-105.el7.ppc64le.rpm glibc-common-2.17-105.el7.ppc64le.rpm glibc-debuginfo-2.17-105.el7.ppc64le.rpm glibc-debuginfo-common-2.17-105.el7.ppc64le.rpm glibc-devel-2.17-105.el7.ppc64le.rpm glibc-headers-2.17-105.el7.ppc64le.rpm glibc-utils-2.17-105.el7.ppc64le.rpm nscd-2.17-105.el7.ppc64le.rpm
s390x: glibc-2.17-105.el7.s390.rpm glibc-2.17-105.el7.s390x.rpm glibc-common-2.17-105.el7.s390x.rpm glibc-debuginfo-2.17-105.el7.s390.rpm glibc-debuginfo-2.17-105.el7.s390x.rpm glibc-debuginfo-common-2.17-105.el7.s390.rpm glibc-debuginfo-common-2.17-105.el7.s390x.rpm glibc-devel-2.17-105.el7.s390.rpm glibc-devel-2.17-105.el7.s390x.rpm glibc-headers-2.17-105.el7.s390x.rpm glibc-utils-2.17-105.el7.s390x.rpm nscd-2.17-105.el7.s390x.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: glibc-debuginfo-2.17-105.el7.aarch64.rpm glibc-static-2.17-105.el7.aarch64.rpm
ppc64: glibc-debuginfo-2.17-105.el7.ppc.rpm glibc-debuginfo-2.17-105.el7.ppc64.rpm glibc-debuginfo-common-2.17-105.el7.ppc.rpm glibc-debuginfo-common-2.17-105.el7.ppc64.rpm glibc-static-2.17-105.el7.ppc.rpm glibc-static-2.17-105.el7.ppc64.rpm
ppc64le: glibc-debuginfo-2.17-105.el7.ppc64le.rpm glibc-debuginfo-common-2.17-105.el7.ppc64le.rpm glibc-static-2.17-105.el7.ppc64le.rpm
s390x: glibc-debuginfo-2.17-105.el7.s390.rpm glibc-debuginfo-2.17-105.el7.s390x.rpm glibc-debuginfo-common-2.17-105.el7.s390.rpm glibc-debuginfo-common-2.17-105.el7.s390x.rpm glibc-static-2.17-105.el7.s390.rpm glibc-static-2.17-105.el7.s390x.rpm
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: glibc-2.17-105.el7.src.rpm
x86_64: glibc-2.17-105.el7.i686.rpm glibc-2.17-105.el7.x86_64.rpm glibc-common-2.17-105.el7.x86_64.rpm glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-devel-2.17-105.el7.i686.rpm glibc-devel-2.17-105.el7.x86_64.rpm glibc-headers-2.17-105.el7.x86_64.rpm glibc-utils-2.17-105.el7.x86_64.rpm nscd-2.17-105.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: glibc-debuginfo-2.17-105.el7.i686.rpm glibc-debuginfo-2.17-105.el7.x86_64.rpm glibc-debuginfo-common-2.17-105.el7.i686.rpm glibc-debuginfo-common-2.17-105.el7.x86_64.rpm glibc-static-2.17-105.el7.i686.rpm glibc-static-2.17-105.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2013-7423 https://access.redhat.com/security/cve/CVE-2015-1472 https://access.redhat.com/security/cve/CVE-2015-1473 https://access.redhat.com/security/cve/CVE-2015-1781 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/2050743
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFWTkEYXlSAg2UNWIIRAueyAJ98kB1kgF2zvCkEn5k70+Aq5ynM3QCfS8Lx xSL2O69mtC2Sh4D4RYIP+2k= =MEoD -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
The CVE-2015-7547 vulnerability listed below is considered to have critical impact.
CVE-2014-8121
Robin Hack discovered that the nss_files database did not
correctly implement enumeration interleaved with name-based or
ID-based lookups. This could cause the enumeration to enter an
endless loop, leading to a denial of service.
[The next sentence concerns the misaligned-buffer overflow, CVE-2015-1781, whose entry appears to be truncated here; it does not describe CVE-2014-8121.]
Most applications are not
affected by this vulnerability because they use aligned buffers.
CVE-2015-7547
The Google Security Team and Red Hat discovered that the eglibc
host name resolver function, getaddrinfo, when processing
AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its
internal buffers, leading to a stack-based buffer overflow and
arbitrary code execution. This vulnerability affects most
applications which perform host name resolution using getaddrinfo,
including system services.
CVE-2015-8776
Adam Nielsen discovered that if an invalid separated time value
is passed to strftime, the strftime function could crash or leak
information. Applications normally pass only valid time
information to strftime; no affected applications are known.
CVE-2015-8777
Hector Marco-Gisbert reported that LD_POINTER_GUARD was not
ignored for SUID programs, enabling an unintended bypass of a
security feature. This update causes eglibc to always ignore the
LD_POINTER_GUARD environment variable.
CVE-2015-8778
Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r
functions did not check the size argument properly, leading to a
crash (denial of service) for certain arguments. No impacted
applications are known at this time.
CVE-2015-8779
The catopen function contains several unbounded stack allocations
(stack overflows), causing it to crash the process (denial of
service). No applications where this issue has a security impact
are currently known.
The following fixed vulnerabilities currently lack CVE assignment:
Joseph Myers reported that an integer overflow in
strxfrm can lead to a heap-based buffer overflow, possibly allowing
arbitrary code execution. In addition, a fallback path in strxfrm
uses an unbounded stack allocation (stack overflow), leading to a
crash or erroneous application behavior.
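Kostya Serebryany reported that the fnmatch function could skip
over the terminating NUL character of a malformed pattern, causing
an application calling fnmatch to crash (denial of service).
[The following remark about wide-oriented streams does not relate to fnmatch; it appears to belong to a separate wide-character stream item whose description is missing from this excerpt.]
On GNU/Linux systems, wide-oriented character streams are rarely
used, and no affected applications are known.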
Andreas Schwab reported a memory leak (memory allocation without a
matching deallocation) while processing certain DNS answers in
getaddrinfo, related to the _nss_dns_gethostbyname4_r function.
This vulnerability could lead to a denial of service.
While it is only necessary to ensure that all processes are not using the old eglibc anymore, it is recommended to reboot the machines after applying the security upgrade.
For the oldstable distribution (wheezy), these problems have been fixed in version 2.13-38+deb7u10.
We recommend that you upgrade your eglibc packages. 6) - i386, x86_64
This update also fixes the following bug:
- Previously, the nscd daemon did not properly reload modified data when the user edited monitored nscd configuration files. As a consequence, nscd returned stale data to system processes. This update adds a system of inotify-based monitoring and stat-based backup monitoring for nscd configuration files. As a result, nscd now detects changes to its configuration files and reloads the data properly, which prevents it from returning stale data. ========================================================================== Ubuntu Security Notice USN-2985-2 May 26, 2016
eglibc, glibc regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-2985-1 introduced a regression in the GNU C Library.
Software Description: - glibc: GNU C Library - eglibc: GNU C Library
Details:
USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not fully restarted after the upgrade. This update removes the fix for CVE-2014-9761 and a future update will be provided to address this issue.
We apologize for the inconvenience.
Original advisory details:
Martin Carpenter discovered that pt_chown in the GNU C Library did not properly check permissions for tty files. (CVE-2013-2207, CVE-2016-2856)
Robin Hack discovered that the Name Service Switch (NSS) implementation in the GNU C Library did not properly manage its file descriptors. (CVE-2014-8121)
Joseph Myers discovered that the GNU C Library did not properly handle long arguments to functions returning a representation of Not a Number (NaN). (CVE-2014-9761)
Arjun Shankar discovered that in certain situations the nss_dns code in the GNU C Library did not properly account buffer sizes when passed an unaligned buffer. (CVE-2015-1781)
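Sumit Bose and Lukas Slebodnik discovered that the Name Service Switch (NSS) implementation in the GNU C Library did not handle long lines in the files databases correctly. (CVE-2015-8776) [Note: the Debian advisory text earlier in this entry describes CVE-2015-8776 as the strftime issue, so the identifier here may have been displaced when the advisory text was condensed; verify against the original USN-2985-1.]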
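Hector Marco and Ismael Ripoll discovered that the GNU C Library allowed the pointer-guarding protection mechanism to be disabled by honoring the LD_POINTER_GUARD environment variable across privilege boundaries. (CVE-2015-8778) [Note: the Debian advisory text earlier in this entry assigns the LD_POINTER_GUARD issue to CVE-2015-8777 and CVE-2015-8778 to hcreate/hcreate_r; verify against the original USN-2985-1.]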
Maksymilian Arciemowicz discovered a stack-based buffer overflow in the catopen function in the GNU C Library when handling long catalog names. (CVE-2015-8779)
Florian Weimer discovered that the getnetbyname implementation in the GNU C Library did not properly handle long names passed as arguments. (CVE-2016-3075)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.10: libc-bin 2.21-0ubuntu4.3 libc6 2.21-0ubuntu4.3 libc6-dev 2.21-0ubuntu4.3
Ubuntu 14.04 LTS: libc-bin 2.19-0ubuntu6.9 libc6 2.19-0ubuntu6.9 libc6-dev 2.19-0ubuntu6.9
Ubuntu 12.04 LTS: libc-bin 2.15-0ubuntu10.15 libc6 2.15-0ubuntu10.15 libc6-dev 2.15-0ubuntu10.15
After a standard system update you need to reboot your computer to make all the necessary changes.
Please review the CVEs referenced below for additional vulnerabilities that had already been fixed in previous versions of sys-libs/glibc, for which we have not issued a GLSA before.
Workaround
A number of mitigating factors for CVE-2015-7547 have been identified. Please review the upstream advisory and references below.
Resolution
All GNU C Library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.21-r2"
It is important to ensure that no running process uses the old glibc anymore. The easiest way to achieve that is by rebooting the machine after updating the sys-libs/glibc package.
Note: Should you run into compilation failures while updating, please see bug 574948.
References
[ 1 ] CVE-2013-7423 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7423 [ 2 ] CVE-2014-0475 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475 [ 3 ] CVE-2014-0475 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475 [ 4 ] CVE-2014-5119 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5119 [ 5 ] CVE-2014-6040 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6040 [ 6 ] CVE-2014-7817 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7817 [ 7 ] CVE-2014-8121 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8121 [ 8 ] CVE-2014-9402 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9402 [ 9 ] CVE-2015-1472 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1472 [ 10 ] CVE-2015-1781 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1781 [ 11 ] CVE-2015-7547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7547 [ 12 ] CVE-2015-8776 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8776 [ 13 ] CVE-2015-8778 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8778 [ 14 ] CVE-2015-8779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8779 [ 15 ] Google Online Security Blog: "CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow"
https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201602-02
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "7.0"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "12.04"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "15.04"
},
{
"_id": null,
"model": "glibc",
"scope": "lte",
"trust": 1.0,
"vendor": "gnu",
"version": "2.21"
},
{
"_id": null,
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "14.04"
},
{
"_id": null,
"model": "linux enterprise debuginfo",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "linux enterprise desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "11"
},
{
"_id": null,
"model": "c library",
"scope": "lt",
"trust": 0.8,
"vendor": "gnu",
"version": "2.22"
},
{
"_id": null,
"model": "suse linux enterprise debuginfo",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp3"
},
{
"_id": null,
"model": "suse linux enterprise debuginfo",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp4"
},
{
"_id": null,
"model": "suse linux enterprise desktop",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp3"
},
{
"_id": null,
"model": "suse linux enterprise desktop",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp4"
},
{
"_id": null,
"model": "suse linux enterprise server",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp3"
},
{
"_id": null,
"model": "suse linux enterprise server",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp4"
},
{
"_id": null,
"model": "suse linux enterprise server",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "for vmware 11-sp3"
},
{
"_id": null,
"model": "suse linux enterprise software development kit",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp3"
},
{
"_id": null,
"model": "suse linux enterprise software development kit",
"scope": "eq",
"trust": 0.8,
"vendor": "novell",
"version": "11-sp4"
},
{
"_id": null,
"model": "linux enterprise desktop",
"scope": "eq",
"trust": 0.6,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "linux enterprise debuginfo",
"scope": "eq",
"trust": 0.6,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "linux enterprise server",
"scope": "eq",
"trust": 0.6,
"vendor": "suse",
"version": "11.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.3.0.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.3.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"_id": null,
"model": "powerkvm",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1"
},
{
"_id": null,
"model": "ds8700",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "76.31.143.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.1.11"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "proventia network enterprise scanner",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.3"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.1.0.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "smartcloud entry appliance fp",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.4"
},
{
"_id": null,
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "powerkvm",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "power hmc sp1",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.8.2.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "smartcloud entry appliance fp",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.4.0.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "ds8700",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "87.51.14.x"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "power hmc sp2",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.8.1.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "ib6131 gb infiniband switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "83.4"
},
{
"_id": null,
"model": "ds8800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "86.31.167.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "tssc",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.9"
},
{
"_id": null,
"model": "smartcloud entry appliance fix pack",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.11"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "flex system en6131 40gb ethernet switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.1"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.1"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.2"
},
{
"_id": null,
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.2.0.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "flex system en6131 40gb ethernet switch",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "3.5.1000"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.0.16"
},
{
"_id": null,
"model": "enterprise linux server eus 6.6.z",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "smartcloud entry appliance fix pack",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.21"
},
{
"_id": null,
"model": "centos",
"scope": "eq",
"trust": 0.3,
"vendor": "centos",
"version": "6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.0.1"
},
{
"_id": null,
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "tssc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "linux",
"scope": null,
"trust": 0.3,
"vendor": "gentoo",
"version": null
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"_id": null,
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "smartcloud entry appliance fix pack",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.44"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "smartcloud entry appliance fp",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.3.0.3"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "power hmc",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.8.3.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.4.0"
},
{
"_id": null,
"model": "ds8800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "flex system en6131 40gb ethernet switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.4"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.0.15"
},
{
"_id": null,
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-05",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.0"
},
{
"_id": null,
"model": "ib6131 gb infiniband switch",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "83.5.1000"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412-10",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.8"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gv1000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "flex system chassis management module 2pet",
"scope": null,
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"_id": null,
"model": "security network intrusion prevention system gx3002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5208-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "security network intrusion prevention system gx5008",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "smartcloud entry appliance fp",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.2.0.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "security network intrusion prevention system gv200",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"_id": null,
"model": "flex system chassis management module 2pet14c-2.5.5c",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"_id": null,
"model": "security network intrusion prevention system gx5108-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "ds8700",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "87.41.17.x"
},
{
"_id": null,
"model": "smartcloud entry",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.1.0.4"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7412",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.1"
},
{
"_id": null,
"model": "security network intrusion prevention system gx7800",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.4"
},
{
"_id": null,
"model": "ib6131 gb infiniband switch",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "83.2"
},
{
"_id": null,
"model": "security network intrusion prevention system gx6116",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.3"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.5"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4004-v2",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6.2"
},
{
"_id": null,
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"_id": null,
"model": "security virtual server protection for vmware",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.1"
},
{
"_id": null,
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "6.0.1.12"
},
{
"_id": null,
"model": "security network intrusion prevention system gx4002",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.6"
},
{
"_id": null,
"model": "smartcloud entry appliance fp",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.0.3"
},
{
"_id": null,
"model": "glibc",
"scope": "eq",
"trust": 0.3,
"vendor": "gnu",
"version": "0"
}
],
"sources": [
{
"db": "BID",
"id": "74255"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "NVD",
"id": "CVE-2015-1781"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:gnu:glibc",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:novell:suse_linux_enterprise_debuginfo",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:novell:suse_linux_enterprise_desktop",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:novell:suse_linux_enterprise_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:novell:suse_linux_enterprise_software_development_kit",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
}
]
},
"credits": {
"_id": null,
"data": "Arjun Shankar of Red Hat",
"sources": [
{
"db": "BID",
"id": "74255"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
}
],
"trust": 0.9
},
"cve": "CVE-2015-1781",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2015-1781",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-1781",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2015-1781",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201505-071",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2015-1781",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-1781"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "NVD",
"id": "CVE-2015-1781"
}
]
},
"description": {
"_id": null,
"data": "Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. GNU glibc is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. \nAn attacker can exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts may crash the application, denying service to legitimate users. \n _______________________________________________________________________\n\n References:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781\n https://rhn.redhat.com/errata/RHSA-2015-0863.html\n _______________________________________________________________________\n\n Updated Packages:\n\n Mandriva Business Server 1/X86_64:\n 92aa475c44c712eaf19898ef76e04183 mbs1/x86_64/glibc-2.14.1-12.12.mbs1.x86_64.rpm\n 606cdd33e041f9853eae18f53c9d73de mbs1/x86_64/glibc-devel-2.14.1-12.12.mbs1.x86_64.rpm\n 133deb850840d464335e5c659cba1627 mbs1/x86_64/glibc-doc-2.14.1-12.12.mbs1.noarch.rpm\n 7a3d5170647c52cd4a34d2dcda711397 mbs1/x86_64/glibc-doc-pdf-2.14.1-12.12.mbs1.noarch.rpm\n 96c842afb6110ac18a40b843b51548fc mbs1/x86_64/glibc-i18ndata-2.14.1-12.12.mbs1.x86_64.rpm\n 703e73278d416a53096fe19c7652c95e mbs1/x86_64/glibc-profile-2.14.1-12.12.mbs1.x86_64.rpm\n 12f09ed16d9c4b0f9a94e931569dacc3 mbs1/x86_64/glibc-static-devel-2.14.1-12.12.mbs1.x86_64.rpm\n 09715361d0af4a4dd5fba44239c5e690 mbs1/x86_64/glibc-utils-2.14.1-12.12.mbs1.x86_64.rpm\n c9a293ac29070d215eb1988bba58aaec mbs1/x86_64/nscd-2.14.1-12.12.mbs1.x86_64.rpm \n 8d8b74de2d7c0e982e0ad82ac73091b2 mbs1/SRPMS/glibc-2.14.1-12.12.mbs1.src.rpm\n\n Mandriva Business Server 
2/X86_64:\n e59cee8712d211add638c1b6c1952fa6 mbs2/x86_64/glibc-2.18-10.2.mbs2.x86_64.rpm\n baf9e44f8c4f82c75a0154d44b6fce72 mbs2/x86_64/glibc-devel-2.18-10.2.mbs2.x86_64.rpm\n f3eb6e3ed435f8a06dcffbfa7a44525b mbs2/x86_64/glibc-doc-2.18-10.2.mbs2.noarch.rpm\n 5df45f7cae82ef7d354fa14c7ac363c9 mbs2/x86_64/glibc-i18ndata-2.18-10.2.mbs2.x86_64.rpm\n 24ef48d58c7a4114068e7b70dbefad79 mbs2/x86_64/glibc-profile-2.18-10.2.mbs2.x86_64.rpm\n 5f67c12f02dbc3f4cbf78f1a8c7d5ad5 mbs2/x86_64/glibc-static-devel-2.18-10.2.mbs2.x86_64.rpm\n f24e67e1ed1b01e5305c28b3a9b02852 mbs2/x86_64/glibc-utils-2.18-10.2.mbs2.x86_64.rpm\n bae4b399bc43be8af24ddd93257ca31a mbs2/x86_64/nscd-2.18-10.2.mbs2.x86_64.rpm \n 740d9b3d14292be8847da92243340b62 mbs2/SRPMS/glibc-2.18-10.2.mbs2.src.rpm\n _______________________________________________________________________\n\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\n of md5 checksums and GPG signatures is performed automatically for you. \n\nIt was discovered that the nss_files backend for the Name Service Switch in\nglibc would return incorrect data to applications or corrupt the heap\n(depending on adjacent heap contents). -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: glibc security, bug fix, and enhancement update\nAdvisory ID: RHSA-2015:2199-07\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2015-2199.html\nIssue date: 2015-11-19\nCVE Names: CVE-2013-7423 CVE-2015-1472 CVE-2015-1473 \n CVE-2015-1781 \n=====================================================================\n\n1. Summary:\n\nUpdated glibc packages that fix multiple security issues, several bugs, and\nadd one enhancement are now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. 
Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name Server\nCaching Daemon (nscd) used by multiple programs on the system. \nWithout these libraries, the Linux system cannot function correctly. \n\nIt was discovered that, under certain circumstances, glibc\u0027s getaddrinfo()\nfunction would send DNS queries to random file descriptors. An attacker\ncould potentially use this flaw to send DNS queries to unintended\nrecipients, resulting in information disclosure or data loss due to the\napplication encountering corrupted data. (CVE-2013-7423)\n\nA buffer overflow flaw was found in the way glibc\u0027s gethostbyname_r() and\nother related functions computed the size of a buffer when passed a\nmisaligned buffer as input. (CVE-2015-1781)\n\nA heap-based buffer overflow flaw and a stack overflow flaw were found in\nglibc\u0027s swscanf() function. (CVE-2015-1472, CVE-2015-1473)\n\nAn integer overflow flaw, leading to a heap-based buffer overflow, was\nfound in glibc\u0027s _IO_wstr_overflow() function. (BZ#1195762)\n\nA flaw was found in the way glibc\u0027s fnmatch() function processed certain\nmalformed patterns. 
An attacker able to make an application call this\nfunction could use this flaw to crash that application. (BZ#1197730)\n\nThe CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat. \n\nThese updated glibc packages also include numerous bug fixes and one\nenhancement. Space precludes documenting all of these changes in this\nadvisory. For information on the most significant of these changes, users\nare directed to the following article on the Red Hat Customer Portal:\n\nhttps://access.redhat.com/articles/2050743\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1064066 - Test suite failure: test-ldouble\n1098042 - getaddrinfo return EAI_NONAME instead of EAI_AGAIN in case the DNS query times out\n1144133 - calloc in dl-reloc.c computes size incorrectly\n1187109 - CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load\n1188235 - CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf\n1195762 - glibc: _IO_wstr_overflow integer overflow\n1197730 - glibc: potential denial of service in internal_fnmatch()\n1199525 - CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer\n1207032 - glibc deadlock when printing backtrace from memory allocator\n1209105 - CVE-2015-1473 glibc: Stack-overflow in glibc swscanf\n1219891 - Missing define for TCP_USER_TIMEOUT in netinet/tcp.h\n1225490 - [RFE] Unconditionally enable SDT probes in glibc builds. \n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 
7):\n\nSource:\nglibc-2.17-105.el7.src.rpm\n\nx86_64:\nglibc-2.17-105.el7.i686.rpm\nglibc-2.17-105.el7.x86_64.rpm\nglibc-common-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-devel-2.17-105.el7.i686.rpm\nglibc-devel-2.17-105.el7.x86_64.rpm\nglibc-headers-2.17-105.el7.x86_64.rpm\nglibc-utils-2.17-105.el7.x86_64.rpm\nnscd-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-static-2.17-105.el7.i686.rpm\nglibc-static-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nglibc-2.17-105.el7.src.rpm\n\nx86_64:\nglibc-2.17-105.el7.i686.rpm\nglibc-2.17-105.el7.x86_64.rpm\nglibc-common-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-devel-2.17-105.el7.i686.rpm\nglibc-devel-2.17-105.el7.x86_64.rpm\nglibc-headers-2.17-105.el7.x86_64.rpm\nglibc-utils-2.17-105.el7.x86_64.rpm\nnscd-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-static-2.17-105.el7.i686.rpm\nglibc-static-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 
7):\n\nSource:\nglibc-2.17-105.el7.src.rpm\n\naarch64:\nglibc-2.17-105.el7.aarch64.rpm\nglibc-common-2.17-105.el7.aarch64.rpm\nglibc-debuginfo-2.17-105.el7.aarch64.rpm\nglibc-devel-2.17-105.el7.aarch64.rpm\nglibc-headers-2.17-105.el7.aarch64.rpm\nglibc-utils-2.17-105.el7.aarch64.rpm\nnscd-2.17-105.el7.aarch64.rpm\n\nppc64:\nglibc-2.17-105.el7.ppc.rpm\nglibc-2.17-105.el7.ppc64.rpm\nglibc-common-2.17-105.el7.ppc64.rpm\nglibc-debuginfo-2.17-105.el7.ppc.rpm\nglibc-debuginfo-2.17-105.el7.ppc64.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc64.rpm\nglibc-devel-2.17-105.el7.ppc.rpm\nglibc-devel-2.17-105.el7.ppc64.rpm\nglibc-headers-2.17-105.el7.ppc64.rpm\nglibc-utils-2.17-105.el7.ppc64.rpm\nnscd-2.17-105.el7.ppc64.rpm\n\nppc64le:\nglibc-2.17-105.el7.ppc64le.rpm\nglibc-common-2.17-105.el7.ppc64le.rpm\nglibc-debuginfo-2.17-105.el7.ppc64le.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc64le.rpm\nglibc-devel-2.17-105.el7.ppc64le.rpm\nglibc-headers-2.17-105.el7.ppc64le.rpm\nglibc-utils-2.17-105.el7.ppc64le.rpm\nnscd-2.17-105.el7.ppc64le.rpm\n\ns390x:\nglibc-2.17-105.el7.s390.rpm\nglibc-2.17-105.el7.s390x.rpm\nglibc-common-2.17-105.el7.s390x.rpm\nglibc-debuginfo-2.17-105.el7.s390.rpm\nglibc-debuginfo-2.17-105.el7.s390x.rpm\nglibc-debuginfo-common-2.17-105.el7.s390.rpm\nglibc-debuginfo-common-2.17-105.el7.s390x.rpm\nglibc-devel-2.17-105.el7.s390.rpm\nglibc-devel-2.17-105.el7.s390x.rpm\nglibc-headers-2.17-105.el7.s390x.rpm\nglibc-utils-2.17-105.el7.s390x.rpm\nnscd-2.17-105.el7.s390x.rpm\n\nx86_64:\nglibc-2.17-105.el7.i686.rpm\nglibc-2.17-105.el7.x86_64.rpm\nglibc-common-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-devel-2.17-105.el7.i686.rpm\nglibc-devel-2.17-105.el7.x86_64.rpm\nglibc-headers-2.17-105.el7.x86_64.rpm\nglibc-utils-2.17-105.el7.x86_64.rpm\nnscd-2.17-105.el7.x86_64.rpm\n\n
Red Hat Enterprise Linux Server Optional (v. 7):\n\naarch64:\nglibc-debuginfo-2.17-105.el7.aarch64.rpm\nglibc-static-2.17-105.el7.aarch64.rpm\n\nppc64:\nglibc-debuginfo-2.17-105.el7.ppc.rpm\nglibc-debuginfo-2.17-105.el7.ppc64.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc64.rpm\nglibc-static-2.17-105.el7.ppc.rpm\nglibc-static-2.17-105.el7.ppc64.rpm\n\nppc64le:\nglibc-debuginfo-2.17-105.el7.ppc64le.rpm\nglibc-debuginfo-common-2.17-105.el7.ppc64le.rpm\nglibc-static-2.17-105.el7.ppc64le.rpm\n\ns390x:\nglibc-debuginfo-2.17-105.el7.s390.rpm\nglibc-debuginfo-2.17-105.el7.s390x.rpm\nglibc-debuginfo-common-2.17-105.el7.s390.rpm\nglibc-debuginfo-common-2.17-105.el7.s390x.rpm\nglibc-static-2.17-105.el7.s390.rpm\nglibc-static-2.17-105.el7.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-static-2.17-105.el7.i686.rpm\nglibc-static-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nglibc-2.17-105.el7.src.rpm\n\nx86_64:\nglibc-2.17-105.el7.i686.rpm\nglibc-2.17-105.el7.x86_64.rpm\nglibc-common-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-devel-2.17-105.el7.i686.rpm\nglibc-devel-2.17-105.el7.x86_64.rpm\nglibc-headers-2.17-105.el7.x86_64.rpm\nglibc-utils-2.17-105.el7.x86_64.rpm\nnscd-2.17-105.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-105.el7.i686.rpm\nglibc-debuginfo-2.17-105.el7.x86_64.rpm\nglibc-debuginfo-common-2.17-105.el7.i686.rpm\nglibc-debuginfo-common-2.17-105.el7.x86_64.rpm\nglibc-static-2.17-105.el7.i686.rpm\nglibc-static-2.17-105.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. 
Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2013-7423\nhttps://access.redhat.com/security/cve/CVE-2015-1472\nhttps://access.redhat.com/security/cve/CVE-2015-1473\nhttps://access.redhat.com/security/cve/CVE-2015-1781\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/articles/2050743\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2015 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFWTkEYXlSAg2UNWIIRAueyAJ98kB1kgF2zvCkEn5k70+Aq5ynM3QCfS8Lx\nxSL2O69mtC2Sh4D4RYIP+2k=\n=MEoD\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nThe CVE-2015-7547 vulnerability listed below is considered to have\ncritical impact. \n\nCVE-2014-8121\n\n Robin Hack discovered that the nss_files database did not\n correctly implement enumeration interleaved with name-based or\n ID-based lookups. This could cause the enumeration enter an\n endless loop, leading to a denial of service. Most applications are not\n affected by this vulnerability because they use aligned buffers. \n\nCVE-2015-7547\n\n The Google Security Team and Red Hat discovered that the eglibc\n host name resolver function, getaddrinfo, when processing\n AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its\n internal buffers, leading to a stack-based buffer overflow and\n arbitrary code execution. This vulnerability affects most\n applications which perform host name resolution using getaddrinfo,\n including system services. \n\nCVE-2015-8776\n\n Adam Nielsen discovered that if an invalid separated time value\n is passed to strftime, the strftime function could crash or leak\n information. 
Applications normally pass only valid time\n information to strftime; no affected applications are known. \n\nCVE-2015-8777\n\n Hector Marco-Gisbert reported that LD_POINTER_GUARD was not\n ignored for SUID programs, enabling an unintended bypass of a\n security feature. This update causes eglibc to always ignore the\n LD_POINTER_GUARD environment variable. \n\nCVE-2015-8778\n\n Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r\n functions did not check the size argument properly, leading to a\n crash (denial of service) for certain arguments. No impacted\n applications are known at this time. \n\nCVE-2015-8779\n\n The catopen function contains several unbounded stack allocations\n (stack overflows), causing it to crash the process (denial of\n service). No applications where this issue has a security impact\n are currently known. \n\nThe following fixed vulnerabilities currently lack CVE assignment:\n\n Joseph Myers discovered that an integer overflow in the\n strxfrm can lead to heap-based buffer overflow, possibly allowing\n arbitrary code execution. In addition, a fallback path in strxfrm\n uses an unbounded stack allocation (stack overflow), leading to a\n crash or erroneous application behavior. \n\n Kostya Serebryany reported that the fnmatch function could skip\n over the terminating NUL character of a malformed pattern, causing\n an application calling fnmatch to crash (denial of service). On\n GNU/Linux systems, wide-oriented character streams are rarely\n used, and no affected applications are known. \n\n Andreas Schwab reported a memory leak (memory allocation without a\n matching deallocation) while processing certain DNS answers in\n getaddrinfo, related to the _nss_dns_gethostbyname4_r function. \n This vulnerability could lead to a denial of service. \n\nWhile it is only necessary to ensure that all processes are not using\nthe old eglibc anymore, it is recommended to reboot the machines after\napplying the security upgrade. 
\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 2.13-38+deb7u10. \n\nWe recommend that you upgrade your eglibc packages. 6) - i386, x86_64\n\n3. \n\nThis update also fixes the following bug:\n\n* Previously, the nscd daemon did not properly reload modified data when\nthe user edited monitored nscd configuration files. As a consequence, nscd\nreturned stale data to system processes. This update adds a system of\ninotify-based monitoring and stat-based backup monitoring for nscd\nconfiguration files. As a result, nscd now detects changes to its\nconfiguration files and reloads the data properly, which prevents it from\nreturning stale data. ==========================================================================\nUbuntu Security Notice USN-2985-2\nMay 26, 2016\n\neglibc, glibc regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 15.10\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nUSN-2985-1 introduced a regression in the GNU C Library. \n\nSoftware Description:\n- glibc: GNU C Library\n- eglibc: GNU C Library\n\nDetails:\n\nUSN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for\nCVE-2014-9761 introduced a regression which affected applications that\nuse the libm library but were not fully restarted after the upgrade. \nThis update removes the fix for CVE-2014-9761 and a future update\nwill be provided to address this issue. \n\nWe apologize for the inconvenience. \n\nOriginal advisory details:\n\n Martin Carpenter discovered that pt_chown in the GNU C Library did not\n properly check permissions for tty files. \n (CVE-2013-2207, CVE-2016-2856)\n \n Robin Hack discovered that the Name Service Switch (NSS) implementation in\n the GNU C Library did not properly manage its file descriptors. 
\n (CVE-2014-8121)\n \n Joseph Myers discovered that the GNU C Library did not properly handle long\n arguments to functions returning a representation of Not a Number (NaN). \n (CVE-2014-9761)\n \n Arjun Shankar discovered that in certain situations the nss_dns code in the\n GNU C Library did not properly account buffer sizes when passed an\n unaligned buffer. (CVE-2015-1781)\n \n Sumit Bose and Lukas Slebodnik discovered that the Name Service\n Switch (NSS) implementation in the GNU C Library did not handle long\n lines in the files databases correctly. (CVE-2015-8776)\n \n Hector Marco and Ismael Ripoll discovered that the GNU C Library allowed\n the pointer-guarding protection mechanism to be disabled by honoring the\n LD_POINTER_GUARD environment variable across privilege boundaries. (CVE-2015-8778)\n \n Maksymilian Arciemowicz discovered a stack-based buffer overflow in the\n catopen function in the GNU C Library when handling long catalog names. (CVE-2015-8779)\n \n Florian Weimer discovered that the getnetbyname implementation in the GNU C\n Library did not properly handle long names passed as arguments. (CVE-2016-3075)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 15.10:\n libc-bin 2.21-0ubuntu4.3\n libc6 2.21-0ubuntu4.3\n libc6-dev 2.21-0ubuntu4.3\n\nUbuntu 14.04 LTS:\n libc-bin 2.19-0ubuntu6.9\n libc6 2.19-0ubuntu6.9\n libc6-dev 2.19-0ubuntu6.9\n\nUbuntu 12.04 LTS:\n libc-bin 2.15-0ubuntu10.15\n libc6 2.15-0ubuntu10.15\n libc6-dev 2.15-0ubuntu10.15\n\nAfter a standard system update you need to reboot your computer to\nmake all the necessary changes. \n\nPlease review the CVEs referenced below for additional vulnerabilities\nthat had already been fixed in previous versions of sys-libs/glibc, for\nwhich we have not issued a GLSA before. \n\nWorkaround\n==========\n\nA number of mitigating factors for CVE-2015-7547 have been identified. 
\nPlease review the upstream advisory and references below. \n\nResolution\n==========\n\nAll GNU C Library users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=sys-libs/glibc-2.21-r2\"\n\nIt is important to ensure that no running process uses the old glibc\nanymore. The easiest way to achieve that is by rebooting the machine\nafter updating the sys-libs/glibc package. \n\nNote: Should you run into compilation failures while updating, please\nsee bug 574948. \n\nReferences\n==========\n\n[ 1 ] CVE-2013-7423\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7423\n[ 2 ] CVE-2014-0475\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475\n[ 3 ] CVE-2014-0475\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475\n[ 4 ] CVE-2014-5119\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5119\n[ 5 ] CVE-2014-6040\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6040\n[ 6 ] CVE-2014-7817\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7817\n[ 7 ] CVE-2014-8121\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8121\n[ 8 ] CVE-2014-9402\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9402\n[ 9 ] CVE-2015-1472\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1472\n[ 10 ] CVE-2015-1781\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1781\n[ 11 ] CVE-2015-7547\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7547\n[ 12 ] CVE-2015-8776\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8776\n[ 13 ] CVE-2015-8778\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8778\n[ 14 ] CVE-2015-8779\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8779\n[ 15 ] Google Online Security Blog: \"CVE-2015-7547: glibc getaddrinfo\n stack-based buffer overflow\"\n\nhttps://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-geta=\nddrinfo-stack.html\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201602-02\n\nConcerns?\n=========\n\nSecurity is a primary 
focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2016 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-1781"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "BID",
"id": "74255"
},
{
"db": "VULMON",
"id": "CVE-2015-1781"
},
{
"db": "PACKETSTORM",
"id": "131697"
},
{
"db": "PACKETSTORM",
"id": "134717"
},
{
"db": "PACKETSTORM",
"id": "134444"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "131539"
},
{
"db": "PACKETSTORM",
"id": "137208"
},
{
"db": "PACKETSTORM",
"id": "135810"
}
],
"trust": 2.61
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2015-1781",
"trust": 3.5
},
{
"db": "BID",
"id": "74255",
"trust": 2.0
},
{
"db": "SECTRACK",
"id": "1032178",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2015-1781",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "131697",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "134717",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "134444",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135793",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "131539",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "137208",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135810",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-1781"
},
{
"db": "BID",
"id": "74255"
},
{
"db": "PACKETSTORM",
"id": "131697"
},
{
"db": "PACKETSTORM",
"id": "134717"
},
{
"db": "PACKETSTORM",
"id": "134444"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "131539"
},
{
"db": "PACKETSTORM",
"id": "137208"
},
{
"db": "PACKETSTORM",
"id": "135810"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "NVD",
"id": "CVE-2015-1781"
}
]
},
"id": "VAR-201509-0438",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.20833333
},
"last_update_date": "2026-03-09T20:00:49.321000Z",
"patch": {
"_id": null,
"data": [
{
"title": "SUSE-SU-2015:1424",
"trust": 0.8,
"url": " http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00019.html"
},
{
"title": "RHSA-2015:0863",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/RHSA-2015-0863.html"
},
{
"title": "Bug 18287",
"trust": 0.8,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18287"
},
{
"title": "The GNU C Library version 2.22 is now available",
"trust": 0.8,
"url": "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
},
{
"title": "CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]",
"trust": 0.8,
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386"
},
{
"title": "GNU C Library Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=232528"
},
{
"title": "Red Hat: Moderate: glibc security, bug fix, and enhancement update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20152199 - Security Advisory"
},
{
"title": "Red Hat: Important: glibc security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20152589 - Security Advisory"
},
{
"title": "Debian CVElist Bug Report Logs: CVE-2015-1781",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=a2c29453eb55cceece213eaabd30c31b"
},
{
"title": "Debian CVElist Bug Report Logs: CVE-2013-2207: Remove pt_chown",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=24f036a1c9b3e11b009511a5ff0119fc"
},
{
"title": "Debian CVElist Bug Report Logs: glibc: multiple overflows in strxfrm()",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=9c45e614f65364c9f36d20f68260e303"
},
{
"title": "Debian CVElist Bug Report Logs: glibc: Three vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=c894c06b98aa71f44dddf17ba757bd22"
},
{
"title": "Red Hat: CVE-2015-1781",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2015-1781"
},
{
"title": "Debian CVElist Bug Report Logs: libc6: Pointer guarding bypass in dynamic Setuid binaries",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=fd388404d431df3846c2735a9f93c550"
},
{
"title": "Amazon Linux AMI: ALAS-2015-513",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2015-513"
},
{
"title": "Ubuntu Security Notice: eglibc, glibc regression",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-2985-2"
},
{
"title": "Ubuntu Security Notice: eglibc, glibc vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-2985-1"
},
{
"title": "Amazon Linux AMI: ALAS-2015-617",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2015-617"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=435ed9abc2fb1e74ce2a69605a01e326"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-1781"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-119",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "NVD",
"id": "CVE-2015-1781"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.2,
"url": "https://rhn.redhat.com/errata/rhsa-2015-0863.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"trust": 1.8,
"url": "http://www.ubuntu.com/usn/usn-2985-2"
},
{
"trust": 1.8,
"url": "http://www.ubuntu.com/usn/usn-2985-1"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/201602-02"
},
{
"trust": 1.7,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18287"
},
{
"trust": 1.7,
"url": "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00019.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/74255"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id/1032178"
},
{
"trust": 1.7,
"url": "http://www.debian.org/security/2016/dsa-3480"
},
{
"trust": 1.7,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-february/177404.html"
},
{
"trust": 1.6,
"url": "https://sourceware.org/git/?p=glibc.git%3ba=commit%3bh=2959eda9272a03386"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2015-1781"
},
{
"trust": 0.9,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1199525"
},
{
"trust": 0.9,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1781"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1781"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/errata/rhsa-2015:2199"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1781"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/errata/rhsa-2015:2589"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/errata/rhsa-2015:0863"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7423"
},
{
"trust": 0.3,
"url": "http://www.gnu.org/software/libc/"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21966788"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1022665"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023385"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005779"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099196"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005255"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1020837"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099225"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21966209"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21982433"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21988872"
},
{
"trust": 0.3,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1472"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2013-7423"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8121"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8776"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8778"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8779"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1473"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2015-1473"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2015-1472"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5277"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7547"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8777"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=38496"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/2985-2/"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/advisories/"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7423"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-5277"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2015-2589.html"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2015-2199.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/2050743"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1585614"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/glibc/2.21-0ubuntu4.3"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9761"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-3075"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/eglibc/2.19-0ubuntu6.9"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/eglibc/2.15-0ubuntu10.15"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-9402"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-geta="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7817"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9402"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-7547"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-8121"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-1781"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-6040"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-8778"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-0475"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-8776"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-7817"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-5119"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6040"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-8779"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-7423"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-5119"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0475"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-1472"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-1781"
},
{
"db": "BID",
"id": "74255"
},
{
"db": "PACKETSTORM",
"id": "131697"
},
{
"db": "PACKETSTORM",
"id": "134717"
},
{
"db": "PACKETSTORM",
"id": "134444"
},
{
"db": "PACKETSTORM",
"id": "135793"
},
{
"db": "PACKETSTORM",
"id": "131539"
},
{
"db": "PACKETSTORM",
"id": "137208"
},
{
"db": "PACKETSTORM",
"id": "135810"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
},
{
"db": "NVD",
"id": "CVE-2015-1781"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULMON",
"id": "CVE-2015-1781",
"ident": null
},
{
"db": "BID",
"id": "74255",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "131697",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "134717",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "134444",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "135793",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "131539",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "137208",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "135810",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004995",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2015-1781",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2015-09-28T00:00:00",
"db": "VULMON",
"id": "CVE-2015-1781",
"ident": null
},
{
"date": "2015-04-21T00:00:00",
"db": "BID",
"id": "74255",
"ident": null
},
{
"date": "2015-04-30T15:46:57",
"db": "PACKETSTORM",
"id": "131697",
"ident": null
},
{
"date": "2015-12-09T15:22:37",
"db": "PACKETSTORM",
"id": "134717",
"ident": null
},
{
"date": "2015-11-20T00:41:22",
"db": "PACKETSTORM",
"id": "134444",
"ident": null
},
{
"date": "2016-02-16T17:18:17",
"db": "PACKETSTORM",
"id": "135793",
"ident": null
},
{
"date": "2015-04-21T16:03:31",
"db": "PACKETSTORM",
"id": "131539",
"ident": null
},
{
"date": "2016-05-26T14:33:33",
"db": "PACKETSTORM",
"id": "137208",
"ident": null
},
{
"date": "2016-02-17T23:53:39",
"db": "PACKETSTORM",
"id": "135810",
"ident": null
},
{
"date": "2015-04-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201505-071",
"ident": null
},
{
"date": "2015-10-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004995",
"ident": null
},
{
"date": "2015-09-28T20:59:00.093000",
"db": "NVD",
"id": "CVE-2015-1781",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2019-06-17T00:00:00",
"db": "VULMON",
"id": "CVE-2015-1781",
"ident": null
},
{
"date": "2016-09-09T18:00:00",
"db": "BID",
"id": "74255",
"ident": null
},
{
"date": "2023-04-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201505-071",
"ident": null
},
{
"date": "2015-10-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004995",
"ident": null
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2015-1781",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "135810"
},
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
}
],
"trust": 0.7
},
"title": {
"_id": null,
"data": "GNU C Library of gethostbyname_r And other unspecified NSS Buffer overflow vulnerability in functions",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004995"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201505-071"
}
],
"trust": 0.6
}
}
VAR-202101-0119
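Vulnerability from variot - Updated: 2026-03-09 19:57
The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. The text that follows appears to be concatenated from several Red Hat advisories; most of the other CVEs it lists concern components other than glibc. Description: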
Red Hat Advanced Cluster Management for Kubernetes 2.3.0 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/
Security:
-
fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321)
-
fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21322)
-
nodejs-netmask: improper input validation of octal input data (CVE-2021-28918)
-
redis: Integer overflow via STRALGO LCS command (CVE-2021-29477)
-
redis: Integer overflow via COPY command for large intsets (CVE-2021-29478)
-
nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
-
nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)
-
golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)
-
golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)
-
nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377)
-
oras: zip-slip vulnerability via oras-pull (CVE-2021-21272)
-
redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309)
-
nodejs-lodash: command injection via template (CVE-2021-23337)
-
nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)
-
browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)
-
nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)
-
nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369)
-
nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)
-
nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383)
-
openssl: integer overflow in CipherUpdate (CVE-2021-23840)
-
openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841)
-
nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292)
-
grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358)
-
nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)
-
nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418)
-
ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482)
-
normalize-url: ReDoS for data URLs (CVE-2021-33502)
-
nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)
-
nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)
-
html-parse-stringify: Regular Expression DoS (CVE-2021-23346)
-
openssl: incorrect SSLv2 rollback protection (CVE-2021-23839)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Bugs:
-
RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444)
-
cluster became offline after apiserver health check (BZ# 1942589)
-
Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913444 - RFE Make the source code for the endpoint-metrics-operator public 1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull 1927520 - RHACM 2.3.0 images 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms 1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call 1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS 1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service 1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service 1942589 - cluster became offline after apiserver health check 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character 1944827 - CVE-2021-28918 
nodejs-netmask: improper input validation of octal input data 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command 1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions 1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id 1983131 - Defragmenting an etcd member doesn't reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters
- Bugs fixed (https://bugzilla.redhat.com/):
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
Bug Fix(es):
-
WMCO patch pub-key-hash annotation to Linux node (BZ#1945248)
-
LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath (BZ#1952917)
-
Telemetry info not completely available to identify windows nodes (BZ#1955319)
-
WMCO incorrectly shows node as ready after a failed configuration (BZ#1956412)
-
kube-proxy service terminated unexpectedly after recreated LB service (BZ#1963263)
-
Solution:
For Windows Machine Config Operator upgrades, see the following documentation:
https://docs.openshift.com/container-platform/4.7/windows_containers/windows-node-upgrades.html
- Bugs fixed (https://bugzilla.redhat.com/):
1945248 - WMCO patch pub-key-hash annotation to Linux node 1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM 1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath 1955319 - Telemetry info not completely available to identify windows nodes 1956412 - WMCO incorrectly shows node as ready after a failed configuration 1963263 - kube-proxy service terminated unexpectedly after recreated LB service
- Bugs fixed (https://bugzilla.redhat.com/):
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
- JIRA issues fixed (https://issues.jboss.org/):
TRACING-1725 - Elasticsearch operator reports x509 errors communicating with ElasticSearch in OpenShift Service Mesh project
- Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2021:2122
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
This update fixes the following bug among others:
- Previously, resources for the ClusterOperator were being created early in the update process, which led to update failures when the ClusterOperator had no status condition while Operators were updating. This bug fix changes the timing of when these resources are created. As a result, updates can take place without errors. (BZ#1959238)
Security Fix(es):
- gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-x86_64
The image digest is sha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-s390x
The image digest is sha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le
The image digest is sha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36
All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
- Solution:
For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html
- Bugs fixed (https://bugzilla.redhat.com/):
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled" 1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go 1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list 1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits 1959238 - CVO creating cloud-controller-manager too early causing upgrade failures 1960103 - SR-IOV obliviously reboot the node 1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated 1962302 - packageserver clusteroperator does not set reason or message for Available condition 1962312 - Deployment considered unhealthy despite being available and at latest generation 1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone 1963115 - Test verify /run filesystem contents failing
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: glibc security and bug fix update Advisory ID: RHSA-2021:0348-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0348 Issue date: 2021-02-02 CVE Names: CVE-2019-25013 CVE-2020-10029 CVE-2020-29573 ==================================================================== 1. Summary:
An update for glibc is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.
Bug Fix(es):
-
glibc: 64bit_strstr_via_64bit_strstr_sse2_unaligned detection fails with large device and inode numbers (BZ#1883162)
-
glibc: Performance regression in ebizzy benchmark (BZ#1889977)
-
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the glibc library must be restarted, or the system rebooted.
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: glibc-2.17-322.el7_9.src.rpm
x86_64: glibc-2.17-322.el7_9.i686.rpm glibc-2.17-322.el7_9.x86_64.rpm glibc-common-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-devel-2.17-322.el7_9.i686.rpm glibc-devel-2.17-322.el7_9.x86_64.rpm glibc-headers-2.17-322.el7_9.x86_64.rpm glibc-utils-2.17-322.el7_9.x86_64.rpm nscd-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-static-2.17-322.el7_9.i686.rpm glibc-static-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: glibc-2.17-322.el7_9.src.rpm
x86_64: glibc-2.17-322.el7_9.i686.rpm glibc-2.17-322.el7_9.x86_64.rpm glibc-common-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-devel-2.17-322.el7_9.i686.rpm glibc-devel-2.17-322.el7_9.x86_64.rpm glibc-headers-2.17-322.el7_9.x86_64.rpm glibc-utils-2.17-322.el7_9.x86_64.rpm nscd-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-static-2.17-322.el7_9.i686.rpm glibc-static-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: glibc-2.17-322.el7_9.src.rpm
ppc64: glibc-2.17-322.el7_9.ppc.rpm glibc-2.17-322.el7_9.ppc64.rpm glibc-common-2.17-322.el7_9.ppc64.rpm glibc-debuginfo-2.17-322.el7_9.ppc.rpm glibc-debuginfo-2.17-322.el7_9.ppc64.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc64.rpm glibc-devel-2.17-322.el7_9.ppc.rpm glibc-devel-2.17-322.el7_9.ppc64.rpm glibc-headers-2.17-322.el7_9.ppc64.rpm glibc-utils-2.17-322.el7_9.ppc64.rpm nscd-2.17-322.el7_9.ppc64.rpm
ppc64le: glibc-2.17-322.el7_9.ppc64le.rpm glibc-common-2.17-322.el7_9.ppc64le.rpm glibc-debuginfo-2.17-322.el7_9.ppc64le.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc64le.rpm glibc-devel-2.17-322.el7_9.ppc64le.rpm glibc-headers-2.17-322.el7_9.ppc64le.rpm glibc-utils-2.17-322.el7_9.ppc64le.rpm nscd-2.17-322.el7_9.ppc64le.rpm
s390x: glibc-2.17-322.el7_9.s390.rpm glibc-2.17-322.el7_9.s390x.rpm glibc-common-2.17-322.el7_9.s390x.rpm glibc-debuginfo-2.17-322.el7_9.s390.rpm glibc-debuginfo-2.17-322.el7_9.s390x.rpm glibc-debuginfo-common-2.17-322.el7_9.s390.rpm glibc-debuginfo-common-2.17-322.el7_9.s390x.rpm glibc-devel-2.17-322.el7_9.s390.rpm glibc-devel-2.17-322.el7_9.s390x.rpm glibc-headers-2.17-322.el7_9.s390x.rpm glibc-utils-2.17-322.el7_9.s390x.rpm nscd-2.17-322.el7_9.s390x.rpm
x86_64: glibc-2.17-322.el7_9.i686.rpm glibc-2.17-322.el7_9.x86_64.rpm glibc-common-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-devel-2.17-322.el7_9.i686.rpm glibc-devel-2.17-322.el7_9.x86_64.rpm glibc-headers-2.17-322.el7_9.x86_64.rpm glibc-utils-2.17-322.el7_9.x86_64.rpm nscd-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: glibc-debuginfo-2.17-322.el7_9.ppc.rpm glibc-debuginfo-2.17-322.el7_9.ppc64.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc64.rpm glibc-static-2.17-322.el7_9.ppc.rpm glibc-static-2.17-322.el7_9.ppc64.rpm
ppc64le: glibc-debuginfo-2.17-322.el7_9.ppc64le.rpm glibc-debuginfo-common-2.17-322.el7_9.ppc64le.rpm glibc-static-2.17-322.el7_9.ppc64le.rpm
s390x: glibc-debuginfo-2.17-322.el7_9.s390.rpm glibc-debuginfo-2.17-322.el7_9.s390x.rpm glibc-debuginfo-common-2.17-322.el7_9.s390.rpm glibc-debuginfo-common-2.17-322.el7_9.s390x.rpm glibc-static-2.17-322.el7_9.s390.rpm glibc-static-2.17-322.el7_9.s390x.rpm
x86_64: glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-static-2.17-322.el7_9.i686.rpm glibc-static-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: glibc-2.17-322.el7_9.src.rpm
x86_64: glibc-2.17-322.el7_9.i686.rpm glibc-2.17-322.el7_9.x86_64.rpm glibc-common-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-devel-2.17-322.el7_9.i686.rpm glibc-devel-2.17-322.el7_9.x86_64.rpm glibc-headers-2.17-322.el7_9.x86_64.rpm glibc-utils-2.17-322.el7_9.x86_64.rpm nscd-2.17-322.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: glibc-debuginfo-2.17-322.el7_9.i686.rpm glibc-debuginfo-2.17-322.el7_9.x86_64.rpm glibc-debuginfo-common-2.17-322.el7_9.i686.rpm glibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm glibc-static-2.17-322.el7_9.i686.rpm glibc-static-2.17-322.el7_9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-10029 https://access.redhat.com/security/cve/CVE-2020-29573 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYBlBl9zjgjWX9erEAQgCFRAAqJ3gXSXItZZaJIsC+Vmn5UKbxwZemBAY BHN3zi4PdGi/z+NlHHKXXr36UgyGpzjVWM6OpQpNAXQKWLRYA6/zFxFxTrCtn/qS r+O9G85fUuVtfiwx5wKU8uMiSYsrFdWyvc/HwbRWMSjNHUMYl6O3Sb8SeE2XJUUx ZUs4/XZdc763H8tJbdeZ+qdWmZf1lLIJ7hpckOttk8qQkP/e1nGtMpojSRoLs3fc cpV+JI1IvTwp+ytvGNTcbPL0C5qxcKmxTzUVk2iPFj41L4K7hLvScg06vudB+ZnN q7DCvsY2ZO8M6L8ibOUXqnCOt0Yn9BZW2PwicH+Mn+G9s2hfa2Qx19CqaemCSjBF wrqXnQ1gtxpRnBxJwlKO2bvV70edx5muShTxEm933zfu+eZbR/Me/0bg8O0/a22F 3ZawSeiJATxHbAK3E/+b8EbRcxrFGimr0oX05NIk/6BICzu5QRT/wPTt5PlSTaXm cdBxsfbfX+R7+lXiVh9QSbJ9Jdx9UruliFDrdGaA8vTFOih1hXW//n2Dg3CZWdwg 2JSWp6yqMnG7/KQKDZMpYFdQCopLjaxtjIwkWiNiARtf3BLBwntbVUcKo6C/O4Rj gbNSCrZ4J2dH3J5pr5mEGzGAyuqE35NRWsqNq82LRWjx5UM5u0QyBO/Db8oWeqR3 9VNjuVm8k0g=7N1F -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
Security Fix(es):
- golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
- golang: net: lookup functions may return invalid host names (CVE-2021-33195)
- golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
- golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
- golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)
- golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
- golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703). Bugs fixed (https://bugzilla.redhat.com/):
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196
5
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"_id": null,
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "33"
},
{
"_id": null,
"model": "ontap select deploy administration utility",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "service processor",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "500f",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"_id": null,
"model": "a250",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "fabric operating system",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": null
},
{
"_id": null,
"model": "glibc",
"scope": "lte",
"trust": 1.0,
"vendor": "gnu",
"version": "2.32"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-25013"
}
]
},
"credits": {
"_id": null,
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "163747"
},
{
"db": "PACKETSTORM",
"id": "162837"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "163267"
},
{
"db": "PACKETSTORM",
"id": "163496"
},
{
"db": "PACKETSTORM",
"id": "162877"
},
{
"db": "PACKETSTORM",
"id": "161254"
},
{
"db": "PACKETSTORM",
"id": "164192"
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
}
],
"trust": 1.4
},
"cve": "CVE-2019-25013",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2019-25013",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.2,
"id": "CVE-2019-25013",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-25013",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2019-25013",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202101-048",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2019-25013",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-25013"
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
},
{
"db": "NVD",
"id": "CVE-2019-25013"
},
{
"db": "NVD",
"id": "CVE-2019-25013"
}
]
},
"description": {
"_id": null,
"data": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.3.0 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. See\nthe following Release Notes documentation, which will be updated shortly\nfor this release, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana\ngement_for_kubernetes/2.3/html/release_notes/\n\nSecurity:\n\n* fastify-reply-from: crafted URL allows prefix scape of the proxied\nbackend service (CVE-2021-21321)\n\n* fastify-http-proxy: crafted URL allows prefix scape of the proxied\nbackend service (CVE-2021-21322)\n\n* nodejs-netmask: improper input validation of octal input data\n(CVE-2021-28918)\n\n* redis: Integer overflow via STRALGO LCS command (CVE-2021-29477)\n\n* redis: Integer overflow via COPY command for large intsets\n(CVE-2021-29478)\n\n* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)\n\n* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions\n(CVE-2020-28500)\n\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing\n- -u- extension (CVE-2020-28851)\n\n* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing\nbcp47 tag (CVE-2020-28852)\n\n* nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377)\n\n* oras: zip-slip vulnerability via oras-pull (CVE-2021-21272)\n\n* redis: integer overflow when configurable limit for maximum supported\nbulk input size is too big on 32-bit platforms 
(CVE-2021-21309)\n\n* nodejs-lodash: command injection via template (CVE-2021-23337)\n\n* nodejs-hosted-git-info: Regular Expression denial of service via\nshortcutMatch in fromUrl() (CVE-2021-23362)\n\n* browserslist: parsing of invalid queries could result in Regular\nExpression Denial of Service (ReDoS) (CVE-2021-23364)\n\n* nodejs-postcss: Regular expression denial of service during source map\nparsing (CVE-2021-23368)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile\ntemplates with strict:true option (CVE-2021-23369)\n\n* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in\nlib/previous-map.js (CVE-2021-23382)\n\n* nodejs-handlebars: Remote code execution when compiling untrusted compile\ntemplates with compat:true option (CVE-2021-23383)\n\n* openssl: integer overflow in CipherUpdate (CVE-2021-23840)\n\n* openssl: NULL pointer dereference in X509_issuer_and_serial_hash()\n(CVE-2021-23841)\n\n* nodejs-ua-parser-js: ReDoS via malicious User-Agent header\n(CVE-2021-27292)\n\n* grafana: snapshot feature allow an unauthenticated remote attacker to\ntrigger a DoS via a remote API call (CVE-2021-27358)\n\n* nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)\n\n* nodejs-netmask: incorrectly parses an IP address that has octal integer\nwith invalid character (CVE-2021-29418)\n\n* ulikunitz/xz: Infinite loop in readUvarint allows for denial of service\n(CVE-2021-29482)\n\n* normalize-url: ReDoS for data URLs (CVE-2021-33502)\n\n* nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623)\n\n* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe\n(CVE-2021-23343)\n\n* html-parse-stringify: Regular Expression DoS (CVE-2021-23346)\n\n* openssl: incorrect SSLv2 rollback protection (CVE-2021-23839)\n\nFor more details about the security issues, including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npages listed in the References section. 
\n\nBugs:\n\n* RFE Make the source code for the endpoint-metrics-operator public (BZ#\n1913444)\n\n* cluster became offline after apiserver health check (BZ# 1942589)\n\n3. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):\n\n1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension\n1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag\n1913444 - RFE Make the source code for the endpoint-metrics-operator public\n1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull\n1927520 - RHACM 2.3.0 images\n1928937 - CVE-2021-23337 nodejs-lodash: command injection via template\n1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions\n1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection\n1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()\n1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate\n1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms\n1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization\n1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string\n1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application\n1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header\n1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call\n1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS\n1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service\n1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows 
prefix scape of the proxied backend service\n1942589 - cluster became offline after apiserver health check\n1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()\n1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character\n1944827 - CVE-2021-28918 nodejs-netmask: improper input validation of octal input data\n1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service\n1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option\n1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing\n1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js\n1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service\n1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)\n1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option\n1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe\n1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command\n1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets\n1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs\n1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method\n1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions\n1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id\n1983131 - Defragmenting an etcd member doesn\u0027t reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters\n\n5. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation\n\n5. \n\nBug Fix(es):\n\n* WMCO patch pub-key-hash annotation to Linux node (BZ#1945248)\n\n* LoadBalancer Service type with invalid external loadbalancer IP breaks\nthe datapath (BZ#1952917)\n\n* Telemetry info not completely available to identify windows nodes\n(BZ#1955319)\n\n* WMCO incorrectly shows node as ready after a failed configuration\n(BZ#1956412)\n\n* kube-proxy service terminated unexpectedly after recreated LB service\n(BZ#1963263)\n\n3. Solution:\n\nFor Windows Machine Config Operator upgrades, see the following\ndocumentation:\n\nhttps://docs.openshift.com/container-platform/4.7/windows_containers/window\ns-node-upgrades.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1945248 - WMCO patch pub-key-hash annotation to Linux node\n1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don\u0027t create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM\n1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath\n1955319 - Telemetry info not completely available to identify windows nodes\n1956412 - WMCO incorrectly shows node as ready after a failed configuration\n1963263 - kube-proxy service terminated unexpectedly after recreated LB service\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers\n1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nTRACING-1725 - Elasticsearch operator reports x509 errors communicating with ElasticSearch in OpenShift Service Mesh project\n\n6. 
Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.7.13. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2021:2122\n\nSpace precludes documenting all of the container images in this advisory. \nSee the following Release Notes documentation, which will be updated\nshortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel\nease-notes.html\n\nThis update fixes the following bug among others:\n\n* Previously, resources for the ClusterOperator were being created early in\nthe update process, which led to update failures when the ClusterOperator\nhad no status condition while Operators were updating. This bug fix changes\nthe timing of when these resources are created. As a result, updates can\ntake place without errors. 
(BZ#1959238)\n\nSecurity Fix(es):\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index\nvalidation (CVE-2021-3121)\n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.7.13-x86_64\n\nThe image digest is\nsha256:783a2c963f35ccab38e82e6a8c7fa954c3a4551e07d2f43c06098828dd986ed4\n\n(For s390x architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.7.13-s390x\n\nThe image digest is\nsha256:4cf44e68413acad063203e1ee8982fd01d8b9c1f8643a5b31cd7ff341b3199cd\n\n(For ppc64le architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.7.13-ppc64le\n\nThe image digest is\nsha256:d47ce972f87f14f1f3c5d50428d2255d1256dae3f45c938ace88547478643e36\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster\n- -between-minor.html#understanding-upgrade-channels_updating-cluster-between\n- -minor\n\n3. Solution:\n\nFor OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster\n- -cli.html\n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation\n1923268 - [Assisted-4.7] [Staging] Using two both spelling \"canceled\" \"cancelled\"\n1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go\n1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list\n1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits\n1959238 - CVO creating cloud-controller-manager too early causing upgrade failures\n1960103 - SR-IOV obliviously reboot the node\n1961941 - Local Storage Operator using LocalVolume CR fails to create PV\u0027s when backend storage failure is simulated\n1962302 - packageserver clusteroperator does not set reason or message for Available condition\n1962312 - Deployment considered unhealthy despite being available and at latest generation\n1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone\n1963115 - Test verify /run filesystem contents failing\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: glibc security and bug fix update\nAdvisory ID: RHSA-2021:0348-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:0348\nIssue date: 2021-02-02\nCVE Names: CVE-2019-25013 CVE-2020-10029 CVE-2020-29573\n====================================================================\n1. Summary:\n\nAn update for glibc is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. 
Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the name\nservice cache daemon (nscd) used by multiple programs on the system. \nWithout these libraries, the Linux system cannot function correctly. \n\nBug Fix(es):\n\n* glibc: 64bit_strstr_via_64bit_strstr_sse2_unaligned detection fails with\nlarge device and inode numbers (BZ#1883162)\n\n* glibc: Performance regression in ebizzy benchmark (BZ#1889977)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the glibc library\nmust be restarted, or the system rebooted. \n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nglibc-2.17-322.el7_9.src.rpm\n\nx86_64:\nglibc-2.17-322.el7_9.i686.rpm\nglibc-2.17-322.el7_9.x86_64.rpm\nglibc-common-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-devel-2.17-322.el7_9.i686.rpm\nglibc-devel-2.17-322.el7_9.x86_64.rpm\nglibc-headers-2.17-322.el7_9.x86_64.rpm\nglibc-utils-2.17-322.el7_9.x86_64.rpm\nnscd-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 
7):\n\nx86_64:\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-static-2.17-322.el7_9.i686.rpm\nglibc-static-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nglibc-2.17-322.el7_9.src.rpm\n\nx86_64:\nglibc-2.17-322.el7_9.i686.rpm\nglibc-2.17-322.el7_9.x86_64.rpm\nglibc-common-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-devel-2.17-322.el7_9.i686.rpm\nglibc-devel-2.17-322.el7_9.x86_64.rpm\nglibc-headers-2.17-322.el7_9.x86_64.rpm\nglibc-utils-2.17-322.el7_9.x86_64.rpm\nnscd-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-static-2.17-322.el7_9.i686.rpm\nglibc-static-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 
7):\n\nSource:\nglibc-2.17-322.el7_9.src.rpm\n\nppc64:\nglibc-2.17-322.el7_9.ppc.rpm\nglibc-2.17-322.el7_9.ppc64.rpm\nglibc-common-2.17-322.el7_9.ppc64.rpm\nglibc-debuginfo-2.17-322.el7_9.ppc.rpm\nglibc-debuginfo-2.17-322.el7_9.ppc64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc64.rpm\nglibc-devel-2.17-322.el7_9.ppc.rpm\nglibc-devel-2.17-322.el7_9.ppc64.rpm\nglibc-headers-2.17-322.el7_9.ppc64.rpm\nglibc-utils-2.17-322.el7_9.ppc64.rpm\nnscd-2.17-322.el7_9.ppc64.rpm\n\nppc64le:\nglibc-2.17-322.el7_9.ppc64le.rpm\nglibc-common-2.17-322.el7_9.ppc64le.rpm\nglibc-debuginfo-2.17-322.el7_9.ppc64le.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc64le.rpm\nglibc-devel-2.17-322.el7_9.ppc64le.rpm\nglibc-headers-2.17-322.el7_9.ppc64le.rpm\nglibc-utils-2.17-322.el7_9.ppc64le.rpm\nnscd-2.17-322.el7_9.ppc64le.rpm\n\ns390x:\nglibc-2.17-322.el7_9.s390.rpm\nglibc-2.17-322.el7_9.s390x.rpm\nglibc-common-2.17-322.el7_9.s390x.rpm\nglibc-debuginfo-2.17-322.el7_9.s390.rpm\nglibc-debuginfo-2.17-322.el7_9.s390x.rpm\nglibc-debuginfo-common-2.17-322.el7_9.s390.rpm\nglibc-debuginfo-common-2.17-322.el7_9.s390x.rpm\nglibc-devel-2.17-322.el7_9.s390.rpm\nglibc-devel-2.17-322.el7_9.s390x.rpm\nglibc-headers-2.17-322.el7_9.s390x.rpm\nglibc-utils-2.17-322.el7_9.s390x.rpm\nnscd-2.17-322.el7_9.s390x.rpm\n\nx86_64:\nglibc-2.17-322.el7_9.i686.rpm\nglibc-2.17-322.el7_9.x86_64.rpm\nglibc-common-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-devel-2.17-322.el7_9.i686.rpm\nglibc-devel-2.17-322.el7_9.x86_64.rpm\nglibc-headers-2.17-322.el7_9.x86_64.rpm\nglibc-utils-2.17-322.el7_9.x86_64.rpm\nnscd-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 
7):\n\nppc64:\nglibc-debuginfo-2.17-322.el7_9.ppc.rpm\nglibc-debuginfo-2.17-322.el7_9.ppc64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc64.rpm\nglibc-static-2.17-322.el7_9.ppc.rpm\nglibc-static-2.17-322.el7_9.ppc64.rpm\n\nppc64le:\nglibc-debuginfo-2.17-322.el7_9.ppc64le.rpm\nglibc-debuginfo-common-2.17-322.el7_9.ppc64le.rpm\nglibc-static-2.17-322.el7_9.ppc64le.rpm\n\ns390x:\nglibc-debuginfo-2.17-322.el7_9.s390.rpm\nglibc-debuginfo-2.17-322.el7_9.s390x.rpm\nglibc-debuginfo-common-2.17-322.el7_9.s390.rpm\nglibc-debuginfo-common-2.17-322.el7_9.s390x.rpm\nglibc-static-2.17-322.el7_9.s390.rpm\nglibc-static-2.17-322.el7_9.s390x.rpm\n\nx86_64:\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-static-2.17-322.el7_9.i686.rpm\nglibc-static-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nglibc-2.17-322.el7_9.src.rpm\n\nx86_64:\nglibc-2.17-322.el7_9.i686.rpm\nglibc-2.17-322.el7_9.x86_64.rpm\nglibc-common-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-devel-2.17-322.el7_9.i686.rpm\nglibc-devel-2.17-322.el7_9.x86_64.rpm\nglibc-headers-2.17-322.el7_9.x86_64.rpm\nglibc-utils-2.17-322.el7_9.x86_64.rpm\nnscd-2.17-322.el7_9.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nglibc-debuginfo-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-2.17-322.el7_9.x86_64.rpm\nglibc-debuginfo-common-2.17-322.el7_9.i686.rpm\nglibc-debuginfo-common-2.17-322.el7_9.x86_64.rpm\nglibc-static-2.17-322.el7_9.i686.rpm\nglibc-static-2.17-322.el7_9.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. 
Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-25013\nhttps://access.redhat.com/security/cve/CVE-2020-10029\nhttps://access.redhat.com/security/cve/CVE-2020-29573\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYBlBl9zjgjWX9erEAQgCFRAAqJ3gXSXItZZaJIsC+Vmn5UKbxwZemBAY\nBHN3zi4PdGi/z+NlHHKXXr36UgyGpzjVWM6OpQpNAXQKWLRYA6/zFxFxTrCtn/qS\nr+O9G85fUuVtfiwx5wKU8uMiSYsrFdWyvc/HwbRWMSjNHUMYl6O3Sb8SeE2XJUUx\nZUs4/XZdc763H8tJbdeZ+qdWmZf1lLIJ7hpckOttk8qQkP/e1nGtMpojSRoLs3fc\ncpV+JI1IvTwp+ytvGNTcbPL0C5qxcKmxTzUVk2iPFj41L4K7hLvScg06vudB+ZnN\nq7DCvsY2ZO8M6L8ibOUXqnCOt0Yn9BZW2PwicH+Mn+G9s2hfa2Qx19CqaemCSjBF\nwrqXnQ1gtxpRnBxJwlKO2bvV70edx5muShTxEm933zfu+eZbR/Me/0bg8O0/a22F\n3ZawSeiJATxHbAK3E/+b8EbRcxrFGimr0oX05NIk/6BICzu5QRT/wPTt5PlSTaXm\ncdBxsfbfX+R7+lXiVh9QSbJ9Jdx9UruliFDrdGaA8vTFOih1hXW//n2Dg3CZWdwg\n2JSWp6yqMnG7/KQKDZMpYFdQCopLjaxtjIwkWiNiARtf3BLBwntbVUcKo6C/O4Rj\ngbNSCrZ4J2dH3J5pr5mEGzGAyuqE35NRWsqNq82LRWjx5UM5u0QyBO/Db8oWeqR3\n9VNjuVm8k0g=7N1F\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. 
\n\nSecurity Fix(es):\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to\npanic\n(CVE-2021-34558)\n* golang: net: lookup functions may return invalid host names\n(CVE-2021-33195)\n* golang: net/http/httputil: ReverseProxy forwards connection headers if\nfirst one is empty (CVE-2021-33197)\n* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error\nif passed inputs with very large exponents (CVE-2021-33198)\n* golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a\ncustom TokenReader (CVE-2021-27918)\n* golang: net/http: panic in ReadRequest and ReadResponse when reading a\nvery large header (CVE-2021-31525)\n* golang: archive/zip: malformed archive may cause panic or memory\nexhaustion (CVE-2021-33196)\n\nIt was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196\nhave been incorrectly mentioned as fixed in RHSA for Serverless client kn\n1.16.0. This has been fixed (CVE-2021-3703). Bugs fixed (https://bugzilla.redhat.com/):\n\n1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic\n1983651 - Release of OpenShift Serverless Serving 1.17.0\n1983654 - Release of OpenShift Serverless Eventing 1.17.0\n1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names\n1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty\n1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents\n1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-25013"
},
{
"db": "VULMON",
"id": "CVE-2019-25013"
},
{
"db": "PACKETSTORM",
"id": "163747"
},
{
"db": "PACKETSTORM",
"id": "162837"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "163267"
},
{
"db": "PACKETSTORM",
"id": "163496"
},
{
"db": "PACKETSTORM",
"id": "162877"
},
{
"db": "PACKETSTORM",
"id": "161254"
},
{
"db": "PACKETSTORM",
"id": "164192"
}
],
"trust": 1.71
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2019-25013",
"trust": 2.5
},
{
"db": "PACKETSTORM",
"id": "163747",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "162837",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "163267",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "163496",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "162877",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "161254",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164192",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "162634",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163789",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163276",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "166279",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "168011",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163406",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0868",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6426",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2228",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2180",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0875",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0373",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0728",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0743",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2711",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1866",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3141",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4058",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2657",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1820",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5140",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1743",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4222",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2604",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.1025",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2365",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2781",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022011038",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022031430",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071310",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021070604",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021062703",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021062315",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071516",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021122914",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092220",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-25013",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163257",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-25013"
},
{
"db": "PACKETSTORM",
"id": "163747"
},
{
"db": "PACKETSTORM",
"id": "162837"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "163267"
},
{
"db": "PACKETSTORM",
"id": "163496"
},
{
"db": "PACKETSTORM",
"id": "162877"
},
{
"db": "PACKETSTORM",
"id": "161254"
},
{
"db": "PACKETSTORM",
"id": "164192"
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
},
{
"db": "NVD",
"id": "CVE-2019-25013"
}
]
},
"id": "VAR-202101-0119",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.465277775
},
"last_update_date": "2026-03-09T19:57:34.069000Z",
"patch": {
"_id": null,
"data": [
{
"title": "GNU C Library Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=138312"
},
{
"title": "Debian CVElist Bug Report Logs: glibc: CVE-2019-25013",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=7073abdc63eae799f90555726b8fbe41"
},
{
"title": "Red Hat: Moderate: glibc security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20210348 - Security Advisory"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1599",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1599"
},
{
"title": "Ubuntu Security Notice: USN-5768-1: GNU C Library vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-5768-1"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2019-25013 log"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1511",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1511"
},
{
"title": "Arch Linux Advisories: [ASA-202102-18] glibc: denial of service",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202102-18"
},
{
"title": "Arch Linux Advisories: [ASA-202102-17] lib32-glibc: denial of service",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202102-17"
},
{
"title": "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.1.3 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20210607 - Security Advisory"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1605",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1605"
},
{
"title": "Ubuntu Security Notice: USN-5310-1: GNU C Library vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-5310-1"
},
{
"title": "Red Hat: Important: Service Telemetry Framework 1.4 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225924 - Security Advisory"
},
{
"title": "IBM: Security Bulletin: Cloud Pak for Security contains security vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=08f19f0be4d5dcf7486e5abcdb671477"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.10.3 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220056 - Security Advisory"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=ec6577109e640dac19a6ddb978afe82d"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/Live-Hack-CVE/CVE-2019-25013 "
},
{
"title": "ecr-api",
"trust": 0.1,
"url": "https://github.com/YaleSpinup/ecr-api "
},
{
"title": "sanction",
"trust": 0.1,
"url": "https://github.com/ctc-oss/sanction "
},
{
"title": "release-the-code-litecoin",
"trust": 0.1,
"url": "https://github.com/brandoncamenisch/release-the-code-litecoin "
},
{
"title": "interview_project",
"trust": 0.1,
"url": "https://github.com/domyrtille/interview_project "
},
{
"title": "trivy-multiscanner",
"trust": 0.1,
"url": "https://github.com/onzack/trivy-multiscanner "
},
{
"title": "spring-boot-app-with-log4j-vuln",
"trust": 0.1,
"url": "https://github.com/nedenwalker/spring-boot-app-with-log4j-vuln "
},
{
"title": "giant-squid",
"trust": 0.1,
"url": "https://github.com/dispera/giant-squid "
},
{
"title": "devops-demo",
"trust": 0.1,
"url": "https://github.com/epequeno/devops-demo "
},
{
"title": "spring-boot-app-using-gradle",
"trust": 0.1,
"url": "https://github.com/nedenwalker/spring-boot-app-using-gradle "
},
{
"title": "xyz-solutions",
"trust": 0.1,
"url": "https://github.com/sauliuspr/xyz-solutions "
},
{
"title": "myapp-container-jaxrs",
"trust": 0.1,
"url": "https://github.com/akiraabe/myapp-container-jaxrs "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-25013"
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-125",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-25013"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20210205-0004/"
},
{
"trust": 1.6,
"url": "https://security.gentoo.org/glsa/202107-07"
},
{
"trust": 1.6,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.6,
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html"
},
{
"trust": 1.6,
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24973"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25013"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r32d767ac804e9b8aad4355bb85960a6a1385eab7afff549a5e98660f%40%3cjira.kafka.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r5af4430421bb6f9973294691a7904bbd260937e9eef96b20556f43ff%40%3cjira.kafka.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r750eee18542bc02bd8350861c424ee60a9b9b225568fa09436a37ece%40%3cissues.zookeeper.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r448bb851cc8e6e3f93f3c28c70032b37062625d81214744474ac49e7%40%3cdev.kafka.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rd2354f9ccce41e494fbadcbc5ad87218de6ec0fff8a7b54c8462226c%40%3cissues.zookeeper.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r7a2e94adfe0a2f0a1d42e4927e8c32ecac97d37db9cb68095fe9ddbc%40%3cdev.zookeeper.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3cdev.mina.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r4806a391091e082bdea17266452ca656ebc176e51bb3932733b3a0a2%40%3cjira.kafka.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/tvcunlq3hxgs4vpuqkwtjgraw2ktfgxs/"
},
{
"trust": 1.0,
"url": "https://sourceware.org/git/?p=glibc.git%3ba=commit%3bh=ee7a3144c9922808181009b7b3e50e852fb4999b"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4y6tx47p47kabsfol26fldnvcwxdkdez/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r499e4f96d0b5109ef083f2feccd33c51650c1b7d7068aa3bd47efca9%40%3cjira.kafka.apache.org%3e"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2019-25013"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-8286"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-28196"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-15358"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-13434"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-8231"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-29362"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-8285"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10228"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2019-9169"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-29361"
},
{
"trust": 0.7,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9169"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2021-3326"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2019-2708"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-8927"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-29363"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-2708"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2016-10228"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-8284"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-27618"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13434"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r5af4430421bb6f9973294691a7904bbd260937e9eef96b20556f43ff@%3cjira.kafka.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r7a2e94adfe0a2f0a1d42e4927e8c32ecac97d37db9cb68095fe9ddbc@%3cdev.zookeeper.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r448bb851cc8e6e3f93f3c28c70032b37062625d81214744474ac49e7@%3cdev.kafka.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r4806a391091e082bdea17266452ca656ebc176e51bb3932733b3a0a2@%3cjira.kafka.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3cdev.mina.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rd2354f9ccce41e494fbadcbc5ad87218de6ec0fff8a7b54c8462226c@%3cissues.zookeeper.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/tvcunlq3hxgs4vpuqkwtjgraw2ktfgxs/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r750eee18542bc02bd8350861c424ee60a9b9b225568fa09436a37ece@%3cissues.zookeeper.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r499e4f96d0b5109ef083f2feccd33c51650c1b7d7068aa3bd47efca9@%3cjira.kafka.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4y6tx47p47kabsfol26fldnvcwxdkdez/"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r32d767ac804e9b8aad4355bb85960a6a1385eab7afff549a5e98660f@%3cjira.kafka.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164192/red-hat-security-advisory-2021-3556-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168011/red-hat-security-advisory-2022-5924-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163789/red-hat-security-advisory-2021-3119-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-contains-security-vulnerabilities/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1866"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2657"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1743"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1820"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2711"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071310"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163747/red-hat-security-advisory-2021-3016-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2781"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5140"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0373/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022031430"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/166279/red-hat-security-advisory-2022-0056-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2365"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2180"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021122914"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/162634/red-hat-security-advisory-2021-1585-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163276/red-hat-security-advisory-2021-2543-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0875"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/glibc-out-of-bounds-memory-reading-via-iconv-euc-kr-encoding-34360"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.1025"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0728"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163496/red-hat-security-advisory-2021-2705-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0743"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2228"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021062703"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092220"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0868"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6520474"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2604"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/162837/red-hat-security-advisory-2021-2136-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163267/red-hat-security-advisory-2021-2532-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022011038"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/161254/red-hat-security-advisory-2021-0348-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021070604"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071516"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/162877/red-hat-security-advisory-2021-2121-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021062315"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4058"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4222"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163406/gentoo-linux-security-advisory-202107-07.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3141"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6426"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2021-20305"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15358"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14502"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27618"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2017-14502"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28196"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29362"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29361"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2019-3842"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-13776"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-24977"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3842"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-27219"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-3449"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-3450"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13776"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8284"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8285"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8286"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8927"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29363"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8231"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-26116"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-27619"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-3177"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-23336"
},
{
"trust": 0.3,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27219"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20305"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3326"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24977"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3520"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3537"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3518"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3516"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3517"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3541"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-20271"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14347"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-36322"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-12114"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25712"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12114"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-13543"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-27835"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9951"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25704"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3121"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-10878"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19528"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9948"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-13012"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-0431"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14363"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-13584"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-26137"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-18811"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14360"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-19528"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-12464"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14314"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-12362"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14356"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-27786"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25643"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9983"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-24394"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-0431"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-0342"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-18811"
},
{
"trust": 0.2,
"url": "https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14345"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14344"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-19523"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14362"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14361"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10543"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25285"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-35508"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12362"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25212"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19523"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-28974"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-10543"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-15437"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13012"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25284"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14346"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10878"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11608"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-11608"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12464"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27918"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-31525"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-31525"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-27918"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-33196"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28469"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28500"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20934"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29418"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28852"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33034"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28092"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28851"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33909"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29482"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23337"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-32399"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27358"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23369"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21321"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23368"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11668"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23362"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23364"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23343"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21309"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33502"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23841"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23383"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28918"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28851"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3560"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28852"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23840"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33033"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20934"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-25217"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28469"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3016"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3377"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28500"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21272"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29477"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27292"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23346"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-29478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11668"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23839"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33623"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21322"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23382"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33910"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14346"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14345"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13543"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13584"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14347"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14360"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2136"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14314"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14344"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14356"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-25736"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3450"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2130"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/windows_containers/window"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-25736"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3449"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26116"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/jaeger/jaeger_install/rhb"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3114"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2532"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27619"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3114"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2705"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25039"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15586"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/updating/updating-cluster"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25037"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36242"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25037"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28935"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25034"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-16845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25035"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14866"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25038"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14866"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21645"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25040"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27783"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24330"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25042"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25042"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25038"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-25659"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25041"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25036"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21643"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-25215"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24331"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25036"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30465"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25035"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21644"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2121"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24332"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25039"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25040"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25041"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2122"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21642"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25034"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-10029"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10029"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:0348"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29573"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29573"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33195"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33197"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33195"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33198"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33198"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-34558"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3556"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33197"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20271"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3421"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3703"
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "163747"
},
{
"db": "PACKETSTORM",
"id": "162837"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "163267"
},
{
"db": "PACKETSTORM",
"id": "163496"
},
{
"db": "PACKETSTORM",
"id": "162877"
},
{
"db": "PACKETSTORM",
"id": "161254"
},
{
"db": "PACKETSTORM",
"id": "164192"
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
},
{
"db": "NVD",
"id": "CVE-2019-25013"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULMON",
"id": "CVE-2019-25013",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "163747",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "162837",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "163257",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "163267",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "163496",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "162877",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "161254",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "164192",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-202101-048",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2019-25013",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2021-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2019-25013",
"ident": null
},
{
"date": "2021-08-06T14:02:37",
"db": "PACKETSTORM",
"id": "163747",
"ident": null
},
{
"date": "2021-05-27T13:28:54",
"db": "PACKETSTORM",
"id": "162837",
"ident": null
},
{
"date": "2021-06-23T15:44:15",
"db": "PACKETSTORM",
"id": "163257",
"ident": null
},
{
"date": "2021-06-23T16:08:25",
"db": "PACKETSTORM",
"id": "163267",
"ident": null
},
{
"date": "2021-07-14T15:02:07",
"db": "PACKETSTORM",
"id": "163496",
"ident": null
},
{
"date": "2021-06-01T14:45:29",
"db": "PACKETSTORM",
"id": "162877",
"ident": null
},
{
"date": "2021-02-02T16:12:10",
"db": "PACKETSTORM",
"id": "161254",
"ident": null
},
{
"date": "2021-09-17T16:04:56",
"db": "PACKETSTORM",
"id": "164192",
"ident": null
},
{
"date": "2021-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202101-048",
"ident": null
},
{
"date": "2021-01-04T18:15:13.027000",
"db": "NVD",
"id": "CVE-2019-25013",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2023-11-09T00:00:00",
"db": "VULMON",
"id": "CVE-2019-25013",
"ident": null
},
{
"date": "2022-12-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202101-048",
"ident": null
},
{
"date": "2025-06-09T16:15:30.703000",
"db": "NVD",
"id": "CVE-2019-25013",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "GNU C Library Buffer error vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
}
],
"trust": 0.6
},
"type": {
"_id": null,
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202101-048"
}
],
"trust": 0.6
}
}