Stay Secure with the Latest Linux Advisories

security advisorysecurity issueFedora

Fedora 31: FEDORA-2020-1a3bdfde17 Moderate: glibc Setuid Issue

This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC` not ignored in setuid binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are long-standing bug where missing shared objects could cause crashes due to incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also causes. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-1a3bdfde17 2020-01-20 22:48:10.259348 --------------------------------------------------------------------------------Name : glibc Product : Fedora 31 Version : 2.30 Release : 10.fc31 URL : Summary : The GNU libc libraries Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. --------------------------------------------------------------------------------Update Information: This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC` not ignored in setuid binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are long-standing bug where missing shared objects could cause crashes due to incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also causes lazy binding failures in ELF constructors and destructors to result in process termination (the same effect that lazy binding failures have in other contexts), rather than leaving the process in an inconsistent state. Furthermore, various issues in the `utmp`/`utmpx` subsystem have been addressed. This update also includes various minor fixes from the glibc 2.30 upstream stable releasebranch. --------------------------------------------------------------------------------ChangeLog: * Fri Jan 17 2020 Florian Weimer - 2.30-10 - Fix dynamic loader crash after dlopen failure with NODELETE (#1395758) - Lazy binding failures during ELF constructors and destructors now always terminate the process. * Fri Jan 17 2020 Florian Weimer - 2.30-9 - Auto-sync with upstream branch release/2.30/master, commit 994e529a37953a057b9e6c80afa03b03fd3724f2: - Remove incorrect alloc_size attribute from pvalloc (swbz#25401) - login: Use pread64 in utmp implementation - Add nocancel version of pread64() - login: Introduce matches_last_entry to utmp processing - login: Acquire write lock early in pututline (swbz#24882) - login: Add nonstring attributes to struct utmp, struct utmpx (swbz#24899) - login: Remove double-assignment of fl.l_whence in try_file_lock - login: pututxline could fail to overwrite existing entries (swbz#24902) - login: Use struct flock64 in utmp (swbz#24880) - login: Disarm timer after utmp lock acquisition (swbz#24879) - login: Fix updwtmp, updwtmx unlocking - login: Replace macro-based control flow with function calls in utmp - login: Assume that _HAVE_UT_* constants are true - login: Remove utmp backend jump tables (swbz#23518) - misc/test-errno-linux: Handle EINVAL from quotactl - : Define __CORRECT_ISO_CPP_STRING_H_PROTO for Clang (swbz#25232) - x86: Assume --enable-cet if GCC defaults to CET (swbz#25225) - libio: Disable vtable validation for pre-2.1 interposed handles (swbz#25203) - S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. (swbz#25226) - rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) (#1774682) - Don't use a custom wrapper macro around __has_include (swbz#25189) * Wed Dec 4 2019 Arjun Shankar - 2.30-8 - Rebuild to fix corrupt annobin data in crti.o and crtn.o [BZ# 1779399] * Tue Nov 19 2019 Arjun Shankar - 2.30-7 - Auto-sync with upstream branchrelease/2.30/master, commit 919af705eef416f4469341dfdf4ca23450f30236: - Update Alpha libm-test-ulps - hppa: Update libm-tests-ulps - alpha: force old OSF1 syscalls for getegid, geteuid and getppid [BZ #24986] - Fix RISC-V vfork build with Linux 5.3 kernel headers. - S390: Add new s390 platform z15. - Make tst-strftime2 and tst-strftime3 depend on locale generation - mips: Force RWX stack for hard-float builds that can run on pre-4.8 kernels - malloc: Fix missing accounting of top chunk in malloc_info [BZ #24026] - Add glibc.malloc.mxfast tunable - malloc: Various cleanups for malloc/tst-mxfast - Base max_fast on alignment, not width, of bins (Bug 24903) * Mon Sep 30 2019 Florian Weimer - 2.30-6 - Set the expects flags to clock_nanosleep (#1473680) --------------------------------------------------------------------------------References: [ 1 ] Bug #1395758 - glibc: incomplete rollback of dynamic linker state on linking failure https://bugzilla.redhat.com/show_bug.cgi?id=1395758 [ 2 ] Bug #1774682 - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1774682 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-1a3bdfde17' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . Addressed a small security concern in glibc impacting process shutdown and setuid executables in Fedora 31.. glibc Update,Fedora 31,security update,process issues,minor security fix. . LinuxSecurity.com Team

Jan 20, 2020 Fedora