Security update for glibc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:2185-1 Final 1 1 2018-08-03T13:49:12Z current 2018-08-03T13:49:12Z 2018-08-03T13:49:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for glibc This update for glibc fixes the following issues: Security issues fixed: - CVE-2017-15804: Fix buffer overflow during unescaping of user names in the glob function in glob.c (bsc#1064580). - CVE-2017-15670: Fix buffer overflow in glob with GLOB_TILDE (bsc#1064583). - CVE-2017-15671: Fix memory leak in glob with GLOB_TILDE (bsc#1064569). - CVE-2018-11236: Fix 32bit arch integer overflow in stdlib/canonicalize.c when processing very long pathname arguments (bsc#1094161). - CVE-2017-12132: Reduce advertised EDNS0 buffer size to guard against fragmentation attacks (bsc#1051791). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-SP1-2018-1482,SUSE-SLE-SERVER-12-SP1-2018-1482 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ Link for SUSE-SU-2018:2185-1 https://lists.suse.com/pipermail/sle-security-updates/2018-August/004371.html E-Mail link for SUSE-SU-2018:2185-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1051791 SUSE Bug 1051791 https://bugzilla.suse.com/1064569 SUSE Bug 1064569 https://bugzilla.suse.com/1064580 SUSE Bug 1064580 https://bugzilla.suse.com/1064583 SUSE Bug 1064583 https://bugzilla.suse.com/1094161 SUSE Bug 1094161 https://www.suse.com/security/cve/CVE-2017-12132/ SUSE CVE CVE-2017-12132 page https://www.suse.com/security/cve/CVE-2017-15670/ SUSE CVE CVE-2017-15670 page https://www.suse.com/security/cve/CVE-2017-15671/ SUSE CVE CVE-2017-15671 page https://www.suse.com/security/cve/CVE-2017-15804/ SUSE CVE CVE-2017-15804 page https://www.suse.com/security/cve/CVE-2018-11236/ SUSE CVE CVE-2018-11236 page SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-2.19-40.16.950 glibc-32bit-2.19-40.16.950 glibc-devel-2.19-40.16.950 glibc-devel-32bit-2.19-40.16.950 glibc-html-2.19-40.16.950 glibc-i18ndata-2.19-40.16.950 glibc-info-2.19-40.16.950 glibc-locale-2.19-40.16.950 glibc-locale-32bit-2.19-40.16.950 glibc-profile-2.19-40.16.950 glibc-profile-32bit-2.19-40.16.950 nscd-2.19-40.16.950 glibc-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-devel-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-devel-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-html-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-i18ndata-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-info-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-locale-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-locale-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-profile-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-profile-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS nscd-2.19-40.16.950 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS glibc-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-devel-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-devel-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-html-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-i18ndata-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-info-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-locale-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-locale-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-profile-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 glibc-profile-32bit-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 nscd-2.19-40.16.950 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. CVE-2017-12132 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:nscd-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:nscd-2.19-40.16.950 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ https://www.suse.com/security/cve/CVE-2017-12132.html CVE-2017-12132 https://bugzilla.suse.com/1051791 SUSE Bug 1051791 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. CVE-2017-15670 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:nscd-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:nscd-2.19-40.16.950 important 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ https://www.suse.com/security/cve/CVE-2017-15670.html CVE-2017-15670 https://bugzilla.suse.com/1064583 SUSE Bug 1064583 https://bugzilla.suse.com/1110160 SUSE Bug 1110160 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). CVE-2017-15671 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:nscd-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:nscd-2.19-40.16.950 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ https://www.suse.com/security/cve/CVE-2017-15671.html CVE-2017-15671 https://bugzilla.suse.com/1064569 SUSE Bug 1064569 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. CVE-2017-15804 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:nscd-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:nscd-2.19-40.16.950 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ https://www.suse.com/security/cve/CVE-2017-15804.html CVE-2017-15804 https://bugzilla.suse.com/1064580 SUSE Bug 1064580 https://bugzilla.suse.com/1110160 SUSE Bug 1110160 https://bugzilla.suse.com/1123874 SUSE Bug 1123874 stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. CVE-2018-11236 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server 12 SP1-LTSS:nscd-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-devel-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-html-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-i18ndata-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-info-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-locale-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:glibc-profile-32bit-2.19-40.16.950 SUSE Linux Enterprise Server for SAP Applications 12 SP1:nscd-2.19-40.16.950 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20182185-1/ https://www.suse.com/security/cve/CVE-2018-11236.html CVE-2018-11236 https://bugzilla.suse.com/1094161 SUSE Bug 1094161 https://bugzilla.suse.com/1110160 SUSE Bug 1110160 https://bugzilla.suse.com/1118435 SUSE Bug 1118435 https://bugzilla.suse.com/1123874 SUSE Bug 1123874