Detections
Analytics
OracleVM 3.3 : glibc (OVMSA-2014-0017)
high Nessus Plugin ID 79539
Language:
Synopsis
The remote OracleVM host is missing one or more security updates.Description
The remote OracleVM system is missing necessary patches to address critical security updates :- Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,
- Don't use alloca in addgetnetgrentX (#1087789).
- Adjust pointers to triplets in netgroup query data (#1087789).
- Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (#1098050).
- Fix race in free of fastbin chunk (#1091162).
- Revert the addition of gettimeofday vDSO function for ppc and ppc64 until OPD VDSO function call issues are resolved (#1026533).
- Call gethostbyname4_r only for PF_UNSPEC (#1022022).
- Fix integer overflows in *valloc and memalign.
(#1008310).
- Initialize res_hconf in nscd (#970090).
- Update previous patch for dcigettext.c and loadmsgcat.c (#834386).
- Save search paths before performing relro protection (#988931).
- Correctly name the 240-bit slow path sytemtap probe slowpow_p10 for slowpow (#905575).
- Align value of stacksize in nptl-init (#663641).
- Renamed release engineering directory from 'fedora' to `releng' (#903754).
- Backport GLIBC sched_getcpu and gettimeofday vDSO functions for ppc (#929302).
- Fall back to local DNS if resolv.conf does not define nameservers (#928318).
- Add systemtap probes to slowexp and slowpow (#905575).
- Fix getaddrinfo stack overflow resulting in application crash (CVE-2013-1914, #951213).
- Fix multibyte character processing crash in regexp (CVE-2013-0242, #951213).
- Add netgroup cache support for nscd (#629823).
- Fix multiple nss_compat initgroups bugs (#966778).
- Don't use simple lookup for AF_INET when AI_CANONNAME is set (#863384).
- Add MAP_HUGETLB and MAP_STACK support (#916986).
- Update translation for stale file handle error (#970776).
- Improve performance of _SC_NPROCESSORS_ONLN (#rh952422).
- Fix up _init in pt-initfini to accept arguments (#663641).
- Set reasonable limits on xdr requests to prevent memory leaks (#848748).
- Fix mutex locking for PI mutexes on spurious wake-ups on pthread condvars (#552960).
- New environment variable GLIBC_PTHREAD_STACKSIZE to set thread stack size (#663641).
- Improved handling of recursive calls in backtrace (#868808).
- The ttyname and ttyname_r functions on Linux now fall back to searching for the tty file descriptor in /dev/pts or /dev if /proc is not available. This allows creation of chroots without the procfs mounted on /proc.
(#851470)
- Don't free rpath strings allocated during startup until after ld.so is re-relocated. (#862094)
- Consistantly MANGLE/DEMANGLE function pointers. Fix use after free in dcigettext.c (#834386).
- Change rounding mode only when necessary (#966775).
- Backport of code to allow incremental loading of library list (#886968).
- Fix loading of audit libraries when TLS is in use (#919562)
- Fix application of SIMD FP exception mask (#929388).
Solution
Update the affected glibc / glibc-common / nscd packages.See Also
Plugin Details
Severity: High
ID: 79539
File Name: oraclevm_OVMSA-2014-0017.nasl
Version: 1.9
Type: local
Family: OracleVM Local Security Checks
Published: 11/26/2014
Updated: 1/4/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.8
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:oracle:vm:glibc, p-cpe:/a:oracle:vm:glibc-common, p-cpe:/a:oracle:vm:nscd, cpe:/o:oracle:vm_server:3.3
Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 9/3/2014
Vulnerability Publication Date: 2/8/2013
Reference Information
CVE: CVE-2013-0242, CVE-2013-1914, CVE-2014-0475, CVE-2014-5119