Bug 20552

Summary: glibc new security issues CVE-2015-5180 CVE-2015-8982 CVE-2015-8983 CVE-2015-8984 CVE-2016-6323
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: glibc CVE:
Status comment:

Description David Walser 2017-03-22 11:20:51 CET 
Ubuntu has issued an advisory on March 20:
https://www.ubuntu.com/usn/usn-3239-1/

The fix for CVE-2015-5180 looks to have been reverted on March 21:
https://www.ubuntu.com/usn/usn-3239-2/

I don't know if we have fixed any of these CVEs, as I don't have a record of them.
Comment 1 Thomas Backlund 2017-03-25 19:24:50 CET 
Yeah, we already have most of them.

CVE-2015-898{2-4] was patched before mga5 was released

MGASA-2016-0206 fixed: CVE-2016-1234, CVE-2016-3706
MGASA-2016-0270 fixed: CVE-2016-4429


Mga5 and Cauldron needs fixes for CVE-2015-5180, CVE-2016-5417


CVE-2016-6323 is a Cauldron only as its specific to arm


The reason for CVE-2015-5180 being reverted in Ubuntu is that they enforce abi stability (no reboot needed) since as soon as it's installed the dns resolver will stop working until the system is rebooted as an internal symbol changes affecting glibc libnss_dns and libresolv

We however always tell people to reboot after glibc update (something we need to highlight in the mga5 advisory)

If we dont fix it in mga5, and only fix it in mga6 all online upgrades will be broken...
Comment 2 Thomas Backlund 2017-03-25 23:20:29 CET 
Cauldron fully patched as of 2.22-22.mga6


Adisory:

Updated glibc packages fix security vulnerabilities:

Florian Weimer discovered a NULL pointer dereference in the DNS
resolver of the GNU C Library. An attacker could use this to cause
a denial of service (CVE-2015-5180).

Tim Ruehsen discovered that the getaddrinfo() implementation in the
GNU C Library did not properly track memory allocations. An attacker
could use this to cause a denial of service (CVE-2016-5417).

SRPM:
glibc-2.20-24.mga5.src.rpm

i586:
glibc-2.20-24.mga5.i586.rpm
glibc-devel-2.20-24.mga5.i586.rpm
glibc-doc-2.20-24.mga5.noarch.rpm
glibc-i18ndata-2.20-24.mga5.i586.rpm
glibc-profile-2.20-24.mga5.i586.rpm
glibc-static-devel-2.20-24.mga5.i586.rpm
glibc-utils-2.20-24.mga5.i586.rpm
nscd-2.20-24.mga5.i586.rpm

x86_64:
glibc-2.20-24.mga5.x86_64.rpm
glibc-devel-2.20-24.mga5.x86_64.rpm
glibc-doc-2.20-24.mga5.noarch.rpm
glibc-i18ndata-2.20-24.mga5.x86_64.rpm
glibc-profile-2.20-24.mga5.x86_64.rpm
glibc-static-devel-2.20-24.mga5.x86_64.rpm
glibc-utils-2.20-24.mga5.x86_64.rpm
nscd-2.20-24.mga5.x86_64.rpm

Version: Cauldron => 5
Assignee: tmb => qa-bugs

Comment 3 Dave Hodgins 2017-03-26 07:18:04 CEST 
Tested on both i586 and x86_64, both real hardware and under vb.

Validating the update

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2017-03-27 15:56:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0091.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED