Ubuntu Security Notice 2306-3 - USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This update fixes the problem. Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS. It was discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. Stephane Chazelas discovered that the GNU C Library incorrectly handled locale environment variables. An attacker could use this issue to possibly bypass certain restrictions such as the ForceCommand restrictions in OpenSSH. David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C Library incorrectly handled posix_spawn_file_actions_addopen() path arguments. An attacker could use this issue to cause a denial of service. Various other issues were also addressed.
f2603aa7d9226b9f4831dcb8df5250b85e04ad8455ad6664e7dbbc9ad9a8c435
============================================================================
Ubuntu Security Notice USN-2306-3
September 08, 2014
eglibc regression
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
USN-2306-1 introduced a regression in the GNU C Library.
Software Description:
- eglibc: GNU C Library
Details:
USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)
It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)
Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)
David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
libc6 2.11.1-0ubuntu7.17
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2306-3
http://www.ubuntu.com/usn/usn-2306-1
https://launchpad.net/bugs/1364584
Package Information:
https://launchpad.net/ubuntu/+source/eglibc/2.11.1-0ubuntu7.17