diff options
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 43 |
1 files changed, 38 insertions, 5 deletions
@@ -9,11 +9,12 @@ Version 2.19.1 * The following bugs are resolved with this release: - 15946, 16545, 16574, 16617, 16618, 16619, 16623, 16657, 16683, 16689, - 16695, 16701, 16706, 16707, 16739, 16740, 16743, 16815, 16878, 16882, - 16885, 16916, 16932, 16943, 16958, 17031, 17048, 17062, 17069, 17079, - 17137, 17153, 17187, 17213, 17263, 17269, 17325, 17555, 17625, 17630, - 18007, 18032, 18104, 18287. + 15946, 16009, 16545, 16574, 16617, 16618, 16619, 16623, 16657, 16683, + 16695, 16701, 16706, 16707, 16739, 16740, 16743, 16758, 16759, 16760, + 16815, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17031, 17048, + 17062, 17069, 17079, 17137, 17153, 17187, 17213, 17263, 17269, 17325, + 17555, 17625, 17630, 17905, 18007, 18032, 18080, 18104, 18240, 18287, + 18508, 18665, 18905, 18928, 19018, 19779, 19791, 19879, 20010, 20112. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a @@ -81,6 +82,38 @@ Version 2.19.1 the get*ent functions if any of the query functions for the same database are used during the iteration, causing a denial-of-service condition in some applications. + +* The getnetbyname implementation in nss_dns had a potentially unbounded + alloca call (in the form of a call to strdupa), leading to a stack + overflow (stack exhaustion) and a crash if getnetbyname is invoked + on a very long name. (CVE-2016-3075) + +* The glob function suffered from a stack-based buffer overflow when it was + called with the GLOB_ALTDIRFUNC flag and encountered a long file name. + Reported by Alexander Cherepanov. (CVE-2016-1234) + +* Previously, getaddrinfo copied large amounts of address data to the stack, + even after the fix for CVE-2013-4458 has been applied, potentially + resulting in a stack overflow. getaddrinfo now uses a heap allocation + instead. Reported by Michael Petlan. (CVE-2016-3706) + +* A stack-based buffer overflow was found in libresolv when invoked from + libnss_dns, allowing specially crafted DNS responses to seize control + of execution flow in the DNS client. The buffer overflow occurs in + the functions send_dg (send datagram) and send_vc (send TCP) for the + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC + family. The use of AF_UNSPEC triggers the low-level resolver code to + send out two parallel queries for A and AAAA. A mismanagement of the + buffers used for those queries could result in the response of a query + writing beyond the alloca allocated buffer created by + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove + the overflow. Thanks to the Google Security Team and Red Hat for + reporting the security impact of this issue, and Robert Holiday of + Ciena for reporting the related bug 18665. (CVE-2015-7547) + +* The Sun RPC UDP client could exhaust all available stack space when + flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez' + alloca plugin for GCC. (CVE-2016-4429) Version 2.19 |