MGASA-2024-0173 - Updated glibc packages fix security vulnerabilities

Publication date: 10 May 2024
URL: https://advisories.mageia.org/MGASA-2024-0173.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-33599,
     CVE-2024-33600,
     CVE-2024-33601,
     CVE-2024-33602

Stack-based buffer overflow in netgroup cache: If the Name Service Cache
Daemon's (nscd) fixed size cache is exhausted by client requests then a
subsequent client request for netgroup data may result in a stack-based
buffer overflow. (CVE-2024-33599)
Null pointer crashes after notfound response: If the Name Service Cache
Daemon's (nscd) cache fails to add a not-found netgroup response to the
cache, the client request can result in a null pointer dereference.
(CVE-2024-33600)
Netgroup cache may terminate daemon on memory allocation failure: The
Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or
xrealloc and these functions may terminate the process due to a memory
allocation failure resulting in a denial of service to the clients.
(CVE-2024-33601)
Netgroup cache assumes NSS callback uses in-buffer strings: The Name
Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the
NSS callback does not store all strings in the provided buffer.
(CVE-2024-33602)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33185
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602

SRPMS:
- 9/core/glibc-2.36-54.mga9

Mageia 2024-0173: glibc Security Advisory Updates

Stack-based buffer overflow in netgroup cache: If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgr...

Summary

Stack-based buffer overflow in netgroup cache: If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. (CVE-2024-33599) Null pointer crashes after notfound response: If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. (CVE-2024-33600) Netgroup cache may terminate daemon on memory allocation failure: The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. (CVE-2024-33601) Netgroup cache assumes NSS callback uses in-buffer strings: The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. (CVE-2024-33602)

References

- https://bugs.mageia.org/show_bug.cgi?id=33185

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33599

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33600

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33601

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33602

Resolution

MGASA-2024-0173 - Updated glibc packages fix security vulnerabilities

SRPMS

- 9/core/glibc-2.36-54.mga9

Severity
Publication date: 10 May 2024
URL: https://advisories.mageia.org/MGASA-2024-0173.html
Type: security
CVE: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Related News

Linux Mint 22: Elevating Security and Usability for Admins
3 - 5 min read
Linux Mint has has long been recognized as a versatile and user-friendly distribution and has earned great popularity among administrators and
Exim 4.98 Addresses Critical Vulnerabilities, Bolsters Email Server Security
2 - 4 min read
Exim is one of Unix-like systems' most widely used mail transfer agents. It's essential for email delivery and handling and is a significant part of
Recent OpenSSH RCE Bug Explained: Impact & Mitigations
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
CVE-2024-4577: A Swiftly Weaponized Vulnerability for Ransomware Distribution
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
Play Ransomware Group Unleashes New Threat on ESXi Environments: Analysis & Mitigation Strategies
3 - 5 min read
The Play ransomware group, well-known for its double-extortion tactics, recently unveiled a Linux variant targeting ESXi environments. This
Critical Linux Kernel Vulnerabilities Patched in Ubuntu Azure Systems
2 - 4 min read
Canonical has fixed several recently identified critical Linux kernel vulnerabilities in July 2024. These vulnerabilities primarily affect Microsoft
The Urgent Need for Secure Software Development: New Report Serves as a Wake-Up Call for the Industry
3 - 5 min read
The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024
Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved