Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2002-0684
Vulnerability from cvelistv5
Published
2002-07-31 04:00
Modified
2024-08-08 02:56
Severity ?
EPSS score ?
Summary
Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T02:56:38.725Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "MDKSA-2002:050",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE",
"x_transferred"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"name": "CLSA-2002:507",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA",
"x_transferred"
],
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"name": "VU#542971",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"name": "20020704 Re: Remote buffer overflow in resolver code of libc",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"name": "RHSA-2002:139",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2002-06-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-17T13:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "MDKSA-2002:050",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"name": "CLSA-2002:507",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA"
],
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"name": "VU#542971",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"name": "20020704 Re: Remote buffer overflow in resolver code of libc",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"name": "RHSA-2002:139",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2002-0684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "MDKSA-2002:050",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"name": "CLSA-2002:507",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"name": "VU#542971",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"name": "20020704 Re: Remote buffer overflow in resolver code of libc",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"name": "RHSA-2002:139",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2002-0684",
"datePublished": "2002-07-31T04:00:00",
"dateReserved": "2002-07-11T00:00:00",
"dateUpdated": "2024-08-08T02:56:38.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.2.5\", \"matchCriteriaId\": \"D5272D01-D7FC-41DA-B565-9054AA55FABD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:isc:bind:4.9.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0064E411-C26F-4831-B7C4-63E2E1EF98DF\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.\"}, {\"lang\": \"es\", \"value\": \"Desbordamiento de b\\u00fafer en las funciones de resoluci\\u00f3n de DNS que buscan nombres de red y direcciones, como en BIND 4.9.8 y glibc 2.2.5 y anteriores, permiten que servidores DNS remotos ejecuten c\\u00f3digo arbitrario por medio de una subrutina usada por funciones tales como getnetbyname y getnetbyaddr.\"}]",
"id": "CVE-2002-0684",
"lastModified": "2024-11-20T23:39:38.257",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": true, \"userInteractionRequired\": false}]}",
"published": "2002-08-12T04:00:00.000",
"references": "[{\"url\": \"http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2002-139.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.kb.cert.org/vuls/id/542971\", \"source\": \"cve@mitre.org\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2002-139.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.kb.cert.org/vuls/id/542971\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2002-0684\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2002-08-12T04:00:00.000\",\"lastModified\":\"2024-11-20T23:39:38.257\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.\"},{\"lang\":\"es\",\"value\":\"Desbordamiento de b\u00fafer en las funciones de resoluci\u00f3n de DNS que buscan nombres de red y direcciones, como en BIND 4.9.8 y glibc 2.2.5 y anteriores, permiten que servidores DNS remotos ejecuten c\u00f3digo arbitrario por medio de una subrutina usada por funciones tales como getnetbyname y getnetbyaddr.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":true,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.5\",\"matchCriteriaId\":\"D5272D01-D7FC-41DA-B565-9054AA55FABD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:isc:bind:4.9.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0064E411-C26F-4831-B7C4-63E2E1EF98DF\"}]}]}],\"references\":[{\"url\":\"http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2002-139.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/542971\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2002-139.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/542971\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
rhsa-2002_167
Vulnerability from csaf_redhat
Published
2002-08-06 07:25
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: glibc security update
Notes
Topic
Updated glibc packages are available which fix a buffer overflow in the XDR
decoder and two vulnerabilities in the resolver functions.
[updated 8 aug 2002]
Updated packages have been made available, as the original errata introduced
a bug which could cause calloc() to crash on 32-bit platforms when passed a
size of 0. These updated errata packages contain a patch to correct this bug.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system. Sun RPC is a remote procedure call
framework which allows clients to invoke procedures in a server process
over a network. XDR is a mechanism for encoding data structures for use
with RPC. NFS, NIS, and other network services that are built upon Sun
RPC. The glibc package contains an XDR encoder/decoder derived from Sun's
RPC implementation which was recently demonstrated to be vulnerable to a
heap overflow.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder can result in a heap buffer overflow in glibc 2.2.5 and
earlier. Depending upon the application, this vulnerability may be
exploitable and could lead to arbitrary code execution. (CAN-2002-0391)
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in the /etc/nsswitch.conf file includes the "dns"
entry. By default, Red Hat Linux Advanced Server ships with "networks"
set to "files" and is therefore not vulnerable to this issue.
(CAN-2002-0684)
A related issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
All users should upgrade to these errata packages which contain patches to
the glibc libraries and therefore are not vulnerable to these issues.
Thanks to Solar Designer for providing patches for this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available which fix a buffer overflow in the XDR\ndecoder and two vulnerabilities in the resolver functions.\n\n[updated 8 aug 2002]\nUpdated packages have been made available, as the original errata introduced\na bug which could cause calloc() to crash on 32-bit platforms when passed a\nsize of 0. These updated errata packages contain a patch to correct this bug.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system. Sun RPC is a remote procedure call\nframework which allows clients to invoke procedures in a server process\nover a network. XDR is a mechanism for encoding data structures for use\nwith RPC. NFS, NIS, and other network services that are built upon Sun\nRPC. The glibc package contains an XDR encoder/decoder derived from Sun\u0027s\nRPC implementation which was recently demonstrated to be vulnerable to a\nheap overflow.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder can result in a heap buffer overflow in glibc 2.2.5 and\nearlier. Depending upon the application, this vulnerability may be\nexploitable and could lead to arbitrary code execution. (CAN-2002-0391)\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in the /etc/nsswitch.conf file includes the \"dns\"\nentry. By default, Red Hat Linux Advanced Server ships with \"networks\"\nset to \"files\" and is therefore not vulnerable to this issue.\n(CAN-2002-0684)\n\nA related issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc libraries and therefore are not vulnerable to these issues.\n\nThanks to Solar Designer for providing patches for this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:167",
"url": "https://access.redhat.com/errata/RHSA-2002:167"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/285308",
"url": "http://online.securityfocus.com/archive/1/285308"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "external",
"summary": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html",
"url": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_167.json"
}
],
"title": "Red Hat Security Advisory: glibc security update",
"tracking": {
"current_release_date": "2024-11-21T22:26:50+00:00",
"generator": {
"date": "2024-11-21T22:26:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:167",
"initial_release_date": "2002-08-06T07:25:00+00:00",
"revision_history": [
{
"date": "2002-08-06T07:25:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-08-01T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Server"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2002:167
Vulnerability from csaf_redhat
Published
2002-08-06 07:25
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: glibc security update
Notes
Topic
Updated glibc packages are available which fix a buffer overflow in the XDR
decoder and two vulnerabilities in the resolver functions.
[updated 8 aug 2002]
Updated packages have been made available, as the original errata introduced
a bug which could cause calloc() to crash on 32-bit platforms when passed a
size of 0. These updated errata packages contain a patch to correct this bug.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system. Sun RPC is a remote procedure call
framework which allows clients to invoke procedures in a server process
over a network. XDR is a mechanism for encoding data structures for use
with RPC. NFS, NIS, and other network services that are built upon Sun
RPC. The glibc package contains an XDR encoder/decoder derived from Sun's
RPC implementation which was recently demonstrated to be vulnerable to a
heap overflow.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder can result in a heap buffer overflow in glibc 2.2.5 and
earlier. Depending upon the application, this vulnerability may be
exploitable and could lead to arbitrary code execution. (CAN-2002-0391)
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in the /etc/nsswitch.conf file includes the "dns"
entry. By default, Red Hat Linux Advanced Server ships with "networks"
set to "files" and is therefore not vulnerable to this issue.
(CAN-2002-0684)
A related issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
All users should upgrade to these errata packages which contain patches to
the glibc libraries and therefore are not vulnerable to these issues.
Thanks to Solar Designer for providing patches for this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available which fix a buffer overflow in the XDR\ndecoder and two vulnerabilities in the resolver functions.\n\n[updated 8 aug 2002]\nUpdated packages have been made available, as the original errata introduced\na bug which could cause calloc() to crash on 32-bit platforms when passed a\nsize of 0. These updated errata packages contain a patch to correct this bug.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system. Sun RPC is a remote procedure call\nframework which allows clients to invoke procedures in a server process\nover a network. XDR is a mechanism for encoding data structures for use\nwith RPC. NFS, NIS, and other network services that are built upon Sun\nRPC. The glibc package contains an XDR encoder/decoder derived from Sun\u0027s\nRPC implementation which was recently demonstrated to be vulnerable to a\nheap overflow.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder can result in a heap buffer overflow in glibc 2.2.5 and\nearlier. Depending upon the application, this vulnerability may be\nexploitable and could lead to arbitrary code execution. (CAN-2002-0391)\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in the /etc/nsswitch.conf file includes the \"dns\"\nentry. By default, Red Hat Linux Advanced Server ships with \"networks\"\nset to \"files\" and is therefore not vulnerable to this issue.\n(CAN-2002-0684)\n\nA related issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc libraries and therefore are not vulnerable to these issues.\n\nThanks to Solar Designer for providing patches for this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:167",
"url": "https://access.redhat.com/errata/RHSA-2002:167"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/285308",
"url": "http://online.securityfocus.com/archive/1/285308"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "external",
"summary": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html",
"url": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_167.json"
}
],
"title": "Red Hat Security Advisory: glibc security update",
"tracking": {
"current_release_date": "2024-11-21T22:26:50+00:00",
"generator": {
"date": "2024-11-21T22:26:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:167",
"initial_release_date": "2002-08-06T07:25:00+00:00",
"revision_history": [
{
"date": "2002-08-06T07:25:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-08-01T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Server"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2002_139
Vulnerability from csaf_redhat
Published
2002-07-25 02:15
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver
Notes
Topic
Updated glibc packages are available to fix two vulnerabilities in the
resolver functions.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in /etc/nsswitch.conf includes the "dns" entry. By
default, Red Hat Linux ships with "networks" set to "files" and
is therefore not vulnerable to this issue. (CAN-2002-0684)
A second, related, issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
These errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium
architecture also include a fix for the strncpy implementation in some
boundary cases.
All users should upgrade to these errata packages which contain patches to
the glibc and glibc-compat libraries and therefore are not vulnerable to
these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available to fix two vulnerabilities in the\nresolver functions.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in /etc/nsswitch.conf includes the \"dns\" entry. By\ndefault, Red Hat Linux ships with \"networks\" set to \"files\" and\nis therefore not vulnerable to this issue. (CAN-2002-0684)\n\nA second, related, issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nThese errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium\narchitecture also include a fix for the strncpy implementation in some\nboundary cases.\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc and glibc-compat libraries and therefore are not vulnerable to\nthese issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:139",
"url": "https://access.redhat.com/errata/RHSA-2002:139"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_139.json"
}
],
"title": "Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver",
"tracking": {
"current_release_date": "2024-11-21T22:26:48+00:00",
"generator": {
"date": "2024-11-21T22:26:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:139",
"initial_release_date": "2002-07-25T02:15:00+00:00",
"revision_history": [
{
"date": "2002-07-25T02:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-07-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2003:212
Vulnerability from csaf_redhat
Published
2003-06-26 22:28
Modified
2024-11-21 22:38
Summary
Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities
Notes
Topic
Updated glibc packages that fix a number of vulnerabilites are now available.
Details
The glibc package contains standard libraries that are used by
multiple programs.
An integer overflow is present in the xdrmem_getbytes() function of glibc
2.3.1 and earlier. Depending upon the application, this vulnerability
could cause buffer overflows and may be exploitable, leading to arbitrary
code execution.
Red Hat would like to thank eEye Digital Security for alerting us to this
issue.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder in glibc 2.2.5 and earlier can result in a heap buffer
overflow. Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.
A read buffer overflow vulnerability exists in the glibc resolver code in
versions of glibc up to and including 2.2.5. The vulnerability is triggered
by DNS packets larger than 1024 bytes and can cause applications to crash.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the "networks"
database in /etc/nsswitch.conf includes the "dns" entry. By default, Red
Hat Linux ships with "networks" set to "files" and is therefore not
vulnerable to this issue. (CAN-2002-0684)
All users should upgrade to these errata packages, which contain patches to
the glibc libraries and are therefore not vulnerable to these issues.
NOTE: Once the glibc upgrade has been completed, you must either reboot the
system or restart all programs on the system (for example, by using telinit
1 and then switching back to the original runlevel). Rebooting the system
or restarting the system programs is necessary to avoid vulnerable glibc
copies in memory. In addition, one cannot mix old NSS modules or libresolv
with upgraded NSS modules or libresolve in one running application.
Note also that, if sshd is running so that the other services can be
restarted remotely or for a remote reboot during an unattended glibc
upgrade, glibc will also restart sshd.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages that fix a number of vulnerabilites are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries that are used by\nmultiple programs.\n\nAn integer overflow is present in the xdrmem_getbytes() function of glibc\n2.3.1 and earlier. Depending upon the application, this vulnerability\ncould cause buffer overflows and may be exploitable, leading to arbitrary\ncode execution.\n\nRed Hat would like to thank eEye Digital Security for alerting us to this\nissue.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder in glibc 2.2.5 and earlier can result in a heap buffer\noverflow. Depending upon the application, this vulnerability may be\nexploitable and lead to arbitrary code execution.\n\nA read buffer overflow vulnerability exists in the glibc resolver code in\nversions of glibc up to and including 2.2.5. The vulnerability is triggered\nby DNS packets larger than 1024 bytes and can cause applications to crash.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the \"networks\"\ndatabase in /etc/nsswitch.conf includes the \"dns\" entry. By default, Red\nHat Linux ships with \"networks\" set to \"files\" and is therefore not\nvulnerable to this issue. (CAN-2002-0684)\n\nAll users should upgrade to these errata packages, which contain patches to\nthe glibc libraries and are therefore not vulnerable to these issues.\n\nNOTE: Once the glibc upgrade has been completed, you must either reboot the\nsystem or restart all programs on the system (for example, by using telinit\n1 and then switching back to the original runlevel). Rebooting the system\nor restarting the system programs is necessary to avoid vulnerable glibc\ncopies in memory. In addition, one cannot mix old NSS modules or libresolv\nwith upgraded NSS modules or libresolve in one running application.\n\nNote also that, if sshd is running so that the other services can be\nrestarted remotely or for a remote reboot during an unattended glibc\nupgrade, glibc will also restart sshd.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:212",
"url": "https://access.redhat.com/errata/RHSA-2003:212"
},
{
"category": "external",
"summary": "http://www.kb.cert.org/vuls/id/738331",
"url": "http://www.kb.cert.org/vuls/id/738331"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_212.json"
}
],
"title": "Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:38:54+00:00",
"generator": {
"date": "2024-11-21T22:38:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:212",
"initial_release_date": "2003-06-26T22:28:00+00:00",
"revision_history": [
{
"date": "2003-06-26T22:28:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-06-26T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:38:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1146",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616843"
}
],
"notes": [
{
"category": "description",
"text": "The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (\"read buffer overflow\"), allowing remote attackers to cause a denial of service (crash).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1146"
},
{
"category": "external",
"summary": "RHBZ#1616843",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616843"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1146",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146"
}
],
"release_date": "2002-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0028",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616941"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0028"
},
{
"category": "external",
"summary": "RHBZ#1616941",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616941"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0028",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0028"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028"
}
],
"release_date": "2003-03-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "security flaw"
}
]
}
RHSA-2002:139
Vulnerability from csaf_redhat
Published
2002-07-25 02:15
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver
Notes
Topic
Updated glibc packages are available to fix two vulnerabilities in the
resolver functions.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in /etc/nsswitch.conf includes the "dns" entry. By
default, Red Hat Linux ships with "networks" set to "files" and
is therefore not vulnerable to this issue. (CAN-2002-0684)
A second, related, issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
These errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium
architecture also include a fix for the strncpy implementation in some
boundary cases.
All users should upgrade to these errata packages which contain patches to
the glibc and glibc-compat libraries and therefore are not vulnerable to
these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available to fix two vulnerabilities in the\nresolver functions.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in /etc/nsswitch.conf includes the \"dns\" entry. By\ndefault, Red Hat Linux ships with \"networks\" set to \"files\" and\nis therefore not vulnerable to this issue. (CAN-2002-0684)\n\nA second, related, issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nThese errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium\narchitecture also include a fix for the strncpy implementation in some\nboundary cases.\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc and glibc-compat libraries and therefore are not vulnerable to\nthese issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:139",
"url": "https://access.redhat.com/errata/RHSA-2002:139"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_139.json"
}
],
"title": "Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver",
"tracking": {
"current_release_date": "2024-11-21T22:26:48+00:00",
"generator": {
"date": "2024-11-21T22:26:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:139",
"initial_release_date": "2002-07-25T02:15:00+00:00",
"revision_history": [
{
"date": "2002-07-25T02:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-07-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2002:167
Vulnerability from csaf_redhat
Published
2002-08-06 07:25
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: glibc security update
Notes
Topic
Updated glibc packages are available which fix a buffer overflow in the XDR
decoder and two vulnerabilities in the resolver functions.
[updated 8 aug 2002]
Updated packages have been made available, as the original errata introduced
a bug which could cause calloc() to crash on 32-bit platforms when passed a
size of 0. These updated errata packages contain a patch to correct this bug.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system. Sun RPC is a remote procedure call
framework which allows clients to invoke procedures in a server process
over a network. XDR is a mechanism for encoding data structures for use
with RPC. NFS, NIS, and other network services that are built upon Sun
RPC. The glibc package contains an XDR encoder/decoder derived from Sun's
RPC implementation which was recently demonstrated to be vulnerable to a
heap overflow.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder can result in a heap buffer overflow in glibc 2.2.5 and
earlier. Depending upon the application, this vulnerability may be
exploitable and could lead to arbitrary code execution. (CAN-2002-0391)
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in the /etc/nsswitch.conf file includes the "dns"
entry. By default, Red Hat Linux Advanced Server ships with "networks"
set to "files" and is therefore not vulnerable to this issue.
(CAN-2002-0684)
A related issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
All users should upgrade to these errata packages which contain patches to
the glibc libraries and therefore are not vulnerable to these issues.
Thanks to Solar Designer for providing patches for this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available which fix a buffer overflow in the XDR\ndecoder and two vulnerabilities in the resolver functions.\n\n[updated 8 aug 2002]\nUpdated packages have been made available, as the original errata introduced\na bug which could cause calloc() to crash on 32-bit platforms when passed a\nsize of 0. These updated errata packages contain a patch to correct this bug.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system. Sun RPC is a remote procedure call\nframework which allows clients to invoke procedures in a server process\nover a network. XDR is a mechanism for encoding data structures for use\nwith RPC. NFS, NIS, and other network services that are built upon Sun\nRPC. The glibc package contains an XDR encoder/decoder derived from Sun\u0027s\nRPC implementation which was recently demonstrated to be vulnerable to a\nheap overflow.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder can result in a heap buffer overflow in glibc 2.2.5 and\nearlier. Depending upon the application, this vulnerability may be\nexploitable and could lead to arbitrary code execution. (CAN-2002-0391)\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in the /etc/nsswitch.conf file includes the \"dns\"\nentry. By default, Red Hat Linux Advanced Server ships with \"networks\"\nset to \"files\" and is therefore not vulnerable to this issue.\n(CAN-2002-0684)\n\nA related issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc libraries and therefore are not vulnerable to these issues.\n\nThanks to Solar Designer for providing patches for this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:167",
"url": "https://access.redhat.com/errata/RHSA-2002:167"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "http://online.securityfocus.com/archive/1/285308",
"url": "http://online.securityfocus.com/archive/1/285308"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "external",
"summary": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html",
"url": "http://sources.redhat.com/ml/libc-hacker/2002-08/msg00093.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_167.json"
}
],
"title": "Red Hat Security Advisory: glibc security update",
"tracking": {
"current_release_date": "2024-11-21T22:26:50+00:00",
"generator": {
"date": "2024-11-21T22:26:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:167",
"initial_release_date": "2002-08-06T07:25:00+00:00",
"revision_history": [
{
"date": "2002-08-06T07:25:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-08-01T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
}
],
"category": "product_family",
"name": "Red Hat Advanced Server"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-08-06T07:25:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network. To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:167"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2002:139
Vulnerability from csaf_redhat
Published
2002-07-25 02:15
Modified
2024-11-21 22:26
Summary
Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver
Notes
Topic
Updated glibc packages are available to fix two vulnerabilities in the
resolver functions.
Details
The glibc package contains standard libraries which are used by
multiple programs on the system.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the
"networks" database in /etc/nsswitch.conf includes the "dns" entry. By
default, Red Hat Linux ships with "networks" set to "files" and
is therefore not vulnerable to this issue. (CAN-2002-0684)
A second, related, issue is a bug in the glibc-compat packages, which
provide compatibility for applications compiled against glibc version
2.0.x. Applications compiled against this version (such as those
distributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also
be vulnerable to this issue. (CAN-2002-0651)
These errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium
architecture also include a fix for the strncpy implementation in some
boundary cases.
All users should upgrade to these errata packages which contain patches to
the glibc and glibc-compat libraries and therefore are not vulnerable to
these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages are available to fix two vulnerabilities in the\nresolver functions.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries which are used by\nmultiple programs on the system.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the\n\"networks\" database in /etc/nsswitch.conf includes the \"dns\" entry. By\ndefault, Red Hat Linux ships with \"networks\" set to \"files\" and\nis therefore not vulnerable to this issue. (CAN-2002-0684)\n\nA second, related, issue is a bug in the glibc-compat packages, which\nprovide compatibility for applications compiled against glibc version\n2.0.x. Applications compiled against this version (such as those\ndistributed with early Red Hat Linux releases 5.0, 5.1, and 5.2) could also\nbe vulnerable to this issue. (CAN-2002-0651)\n\nThese errata packages for Red Hat Linux 7.1 and 7.2 on the Itanium\narchitecture also include a fix for the strncpy implementation in some\nboundary cases.\n\nAll users should upgrade to these errata packages which contain patches to\nthe glibc and glibc-compat libraries and therefore are not vulnerable to\nthese issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:139",
"url": "https://access.redhat.com/errata/RHSA-2002:139"
},
{
"category": "external",
"summary": "http://www.cert.org/advisories/CA-2002-19.html",
"url": "http://www.cert.org/advisories/CA-2002-19.html"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_139.json"
}
],
"title": "Red Hat Security Advisory: : Updated glibc packages fix vulnerabilities in resolver",
"tracking": {
"current_release_date": "2024-11-21T22:26:48+00:00",
"generator": {
"date": "2024-11-21T22:26:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:139",
"initial_release_date": "2002-07-25T02:15:00+00:00",
"revision_history": [
{
"date": "2002-07-25T02:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-07-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:26:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0651",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616785"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0651"
},
{
"category": "external",
"summary": "RHBZ#1616785",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616785"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0651",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0651"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-07-25T02:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:139"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:212
Vulnerability from csaf_redhat
Published
2003-06-26 22:28
Modified
2024-11-21 22:38
Summary
Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities
Notes
Topic
Updated glibc packages that fix a number of vulnerabilites are now available.
Details
The glibc package contains standard libraries that are used by
multiple programs.
An integer overflow is present in the xdrmem_getbytes() function of glibc
2.3.1 and earlier. Depending upon the application, this vulnerability
could cause buffer overflows and may be exploitable, leading to arbitrary
code execution.
Red Hat would like to thank eEye Digital Security for alerting us to this
issue.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder in glibc 2.2.5 and earlier can result in a heap buffer
overflow. Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.
A read buffer overflow vulnerability exists in the glibc resolver code in
versions of glibc up to and including 2.2.5. The vulnerability is triggered
by DNS packets larger than 1024 bytes and can cause applications to crash.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the "networks"
database in /etc/nsswitch.conf includes the "dns" entry. By default, Red
Hat Linux ships with "networks" set to "files" and is therefore not
vulnerable to this issue. (CAN-2002-0684)
All users should upgrade to these errata packages, which contain patches to
the glibc libraries and are therefore not vulnerable to these issues.
NOTE: Once the glibc upgrade has been completed, you must either reboot the
system or restart all programs on the system (for example, by using telinit
1 and then switching back to the original runlevel). Rebooting the system
or restarting the system programs is necessary to avoid vulnerable glibc
copies in memory. In addition, one cannot mix old NSS modules or libresolv
with upgraded NSS modules or libresolve in one running application.
Note also that, if sshd is running so that the other services can be
restarted remotely or for a remote reboot during an unattended glibc
upgrade, glibc will also restart sshd.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages that fix a number of vulnerabilites are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries that are used by\nmultiple programs.\n\nAn integer overflow is present in the xdrmem_getbytes() function of glibc\n2.3.1 and earlier. Depending upon the application, this vulnerability\ncould cause buffer overflows and may be exploitable, leading to arbitrary\ncode execution.\n\nRed Hat would like to thank eEye Digital Security for alerting us to this\nissue.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder in glibc 2.2.5 and earlier can result in a heap buffer\noverflow. Depending upon the application, this vulnerability may be\nexploitable and lead to arbitrary code execution.\n\nA read buffer overflow vulnerability exists in the glibc resolver code in\nversions of glibc up to and including 2.2.5. The vulnerability is triggered\nby DNS packets larger than 1024 bytes and can cause applications to crash.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the \"networks\"\ndatabase in /etc/nsswitch.conf includes the \"dns\" entry. By default, Red\nHat Linux ships with \"networks\" set to \"files\" and is therefore not\nvulnerable to this issue. (CAN-2002-0684)\n\nAll users should upgrade to these errata packages, which contain patches to\nthe glibc libraries and are therefore not vulnerable to these issues.\n\nNOTE: Once the glibc upgrade has been completed, you must either reboot the\nsystem or restart all programs on the system (for example, by using telinit\n1 and then switching back to the original runlevel). Rebooting the system\nor restarting the system programs is necessary to avoid vulnerable glibc\ncopies in memory. In addition, one cannot mix old NSS modules or libresolv\nwith upgraded NSS modules or libresolve in one running application.\n\nNote also that, if sshd is running so that the other services can be\nrestarted remotely or for a remote reboot during an unattended glibc\nupgrade, glibc will also restart sshd.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:212",
"url": "https://access.redhat.com/errata/RHSA-2003:212"
},
{
"category": "external",
"summary": "http://www.kb.cert.org/vuls/id/738331",
"url": "http://www.kb.cert.org/vuls/id/738331"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_212.json"
}
],
"title": "Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:38:54+00:00",
"generator": {
"date": "2024-11-21T22:38:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:212",
"initial_release_date": "2003-06-26T22:28:00+00:00",
"revision_history": [
{
"date": "2003-06-26T22:28:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-06-26T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:38:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1146",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616843"
}
],
"notes": [
{
"category": "description",
"text": "The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (\"read buffer overflow\"), allowing remote attackers to cause a denial of service (crash).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1146"
},
{
"category": "external",
"summary": "RHBZ#1616843",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616843"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1146",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146"
}
],
"release_date": "2002-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0028",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616941"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0028"
},
{
"category": "external",
"summary": "RHBZ#1616941",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616941"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0028",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0028"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028"
}
],
"release_date": "2003-03-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "security flaw"
}
]
}
rhsa-2003_212
Vulnerability from csaf_redhat
Published
2003-06-26 22:28
Modified
2024-11-21 22:38
Summary
Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities
Notes
Topic
Updated glibc packages that fix a number of vulnerabilites are now available.
Details
The glibc package contains standard libraries that are used by
multiple programs.
An integer overflow is present in the xdrmem_getbytes() function of glibc
2.3.1 and earlier. Depending upon the application, this vulnerability
could cause buffer overflows and may be exploitable, leading to arbitrary
code execution.
Red Hat would like to thank eEye Digital Security for alerting us to this
issue.
An error in the calculation of memory needed for unpacking arrays in the
XDR decoder in glibc 2.2.5 and earlier can result in a heap buffer
overflow. Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.
A read buffer overflow vulnerability exists in the glibc resolver code in
versions of glibc up to and including 2.2.5. The vulnerability is triggered
by DNS packets larger than 1024 bytes and can cause applications to crash.
A buffer overflow vulnerability has been found in the way the glibc
resolver handles the resolution of network names and addresses via DNS (as
per Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are
affected. A system would be vulnerable to this issue if the "networks"
database in /etc/nsswitch.conf includes the "dns" entry. By default, Red
Hat Linux ships with "networks" set to "files" and is therefore not
vulnerable to this issue. (CAN-2002-0684)
All users should upgrade to these errata packages, which contain patches to
the glibc libraries and are therefore not vulnerable to these issues.
NOTE: Once the glibc upgrade has been completed, you must either reboot the
system or restart all programs on the system (for example, by using telinit
1 and then switching back to the original runlevel). Rebooting the system
or restarting the system programs is necessary to avoid vulnerable glibc
copies in memory. In addition, one cannot mix old NSS modules or libresolv
with upgraded NSS modules or libresolve in one running application.
Note also that, if sshd is running so that the other services can be
restarted remotely or for a remote reboot during an unattended glibc
upgrade, glibc will also restart sshd.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated glibc packages that fix a number of vulnerabilites are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "The glibc package contains standard libraries that are used by\nmultiple programs.\n\nAn integer overflow is present in the xdrmem_getbytes() function of glibc\n2.3.1 and earlier. Depending upon the application, this vulnerability\ncould cause buffer overflows and may be exploitable, leading to arbitrary\ncode execution.\n\nRed Hat would like to thank eEye Digital Security for alerting us to this\nissue.\n\nAn error in the calculation of memory needed for unpacking arrays in the\nXDR decoder in glibc 2.2.5 and earlier can result in a heap buffer\noverflow. Depending upon the application, this vulnerability may be\nexploitable and lead to arbitrary code execution.\n\nA read buffer overflow vulnerability exists in the glibc resolver code in\nversions of glibc up to and including 2.2.5. The vulnerability is triggered\nby DNS packets larger than 1024 bytes and can cause applications to crash.\n\nA buffer overflow vulnerability has been found in the way the glibc\nresolver handles the resolution of network names and addresses via DNS (as\nper Internet RFC 1011). Version 2.2.5 of glibc and earlier versions are\naffected. A system would be vulnerable to this issue if the \"networks\"\ndatabase in /etc/nsswitch.conf includes the \"dns\" entry. By default, Red\nHat Linux ships with \"networks\" set to \"files\" and is therefore not\nvulnerable to this issue. (CAN-2002-0684)\n\nAll users should upgrade to these errata packages, which contain patches to\nthe glibc libraries and are therefore not vulnerable to these issues.\n\nNOTE: Once the glibc upgrade has been completed, you must either reboot the\nsystem or restart all programs on the system (for example, by using telinit\n1 and then switching back to the original runlevel). Rebooting the system\nor restarting the system programs is necessary to avoid vulnerable glibc\ncopies in memory. In addition, one cannot mix old NSS modules or libresolv\nwith upgraded NSS modules or libresolve in one running application.\n\nNote also that, if sshd is running so that the other services can be\nrestarted remotely or for a remote reboot during an unattended glibc\nupgrade, glibc will also restart sshd.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:212",
"url": "https://access.redhat.com/errata/RHSA-2003:212"
},
{
"category": "external",
"summary": "http://www.kb.cert.org/vuls/id/738331",
"url": "http://www.kb.cert.org/vuls/id/738331"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_212.json"
}
],
"title": "Red Hat Security Advisory: : : : Updated glibc packages fix vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:38:54+00:00",
"generator": {
"date": "2024-11-21T22:38:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:212",
"initial_release_date": "2003-06-26T22:28:00+00:00",
"revision_history": [
{
"date": "2003-06-26T22:28:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-06-26T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:38:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0391",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616771"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0391"
},
{
"category": "external",
"summary": "RHBZ#1616771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0391",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0391"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0391"
}
],
"release_date": "2002-07-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0684",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616795"
}
],
"notes": [
{
"category": "description",
"text": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0684"
},
{
"category": "external",
"summary": "RHBZ#1616795",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616795"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0684",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0684"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
}
],
"release_date": "2002-06-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-1146",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616843"
}
],
"notes": [
{
"category": "description",
"text": "The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary (\"read buffer overflow\"), allowing remote attackers to cause a denial of service (crash).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-1146"
},
{
"category": "external",
"summary": "RHBZ#1616843",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616843"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-1146",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-1146"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1146"
}
],
"release_date": "2002-10-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0028",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616941"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0028"
},
{
"category": "external",
"summary": "RHBZ#1616941",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616941"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0028",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0028"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0028"
}
],
"release_date": "2003-03-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-06-26T22:28:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:212"
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "security flaw"
}
]
}
ghsa-w4pr-xjh8-387g
Vulnerability from github
Published
2022-04-30 18:19
Modified
2022-04-30 18:19
Details
Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
{
"affected": [],
"aliases": [
"CVE-2002-0684"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-08-12T04:00:00Z",
"severity": "HIGH"
},
"details": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"id": "GHSA-w4pr-xjh8-387g",
"modified": "2022-04-30T18:19:44Z",
"published": "2022-04-30T18:19:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0684"
},
{
"type": "WEB",
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"type": "WEB",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
cve-2002-0684
Vulnerability from fkie_nvd
Published
2002-08-12 04:00
Modified
2024-11-20 23:39
Severity ?
Summary
Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5272D01-D7FC-41DA-B565-9054AA55FABD",
"versionEndIncluding": "2.2.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:isc:bind:4.9.8:*:*:*:*:*:*:*",
"matchCriteriaId": "0064E411-C26F-4831-B7C4-63E2E1EF98DF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr."
},
{
"lang": "es",
"value": "Desbordamiento de b\u00fafer en las funciones de resoluci\u00f3n de DNS que buscan nombres de red y direcciones, como en BIND 4.9.8 y glibc 2.2.5 y anteriores, permiten que servidores DNS remotos ejecuten c\u00f3digo arbitrario por medio de una subrutina usada por funciones tales como getnetbyname y getnetbyaddr."
}
],
"id": "CVE-2002-0684",
"lastModified": "2024-11-20T23:39:38.257",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2002-08-12T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
},
{
"source": "cve@mitre.org",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"source": "cve@mitre.org",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2002-0684
Vulnerability from gsd
Modified
2023-12-13 01:24
Details
Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2002-0684",
"description": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"id": "GSD-2002-0684",
"references": [
"https://access.redhat.com/errata/RHSA-2003:212",
"https://access.redhat.com/errata/RHSA-2002:167",
"https://access.redhat.com/errata/RHSA-2002:139"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2002-0684"
],
"details": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.",
"id": "GSD-2002-0684",
"modified": "2023-12-13T01:24:06.736898Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2002-0684",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "MDKSA-2002:050",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"name": "CLSA-2002:507",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"name": "VU#542971",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"name": "20020704 Re: Remote buffer overflow in resolver code of libc",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
},
{
"name": "RHSA-2002:139",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:isc:bind:4.9.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.5",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2002-0684"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2002:139",
"refsource": "REDHAT",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2002-139.html"
},
{
"name": "VU#542971",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/542971"
},
{
"name": "MDKSA-2002:050",
"refsource": "MANDRAKE",
"tags": [],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-050.php"
},
{
"name": "CLSA-2002:507",
"refsource": "CONECTIVA",
"tags": [],
"url": "http://distro.conectiva.com/atualizacoes/?id=a\u0026anuncio=000507"
},
{
"name": "20020704 Re: Remote buffer overflow in resolver code of libc",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://marc.info/?l=bugtraq\u0026m=102581482511612\u0026w=2"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2016-10-18T02:21Z",
"publishedDate": "2002-08-12T04:00Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.