Number: AV16-031
Date: 18 February 2016
Purpose
The purpose of this advisory is to bring attention to a vulnerability discovered in the GNU C Library (glibc), a core component of most Linux distributions.
Assessment
The GNU C Library (glibc) is the open source standard C library used by most Linux distributions; nearly every program on such a system is linked against it, dynamically or statically.
The vulnerability is a stack-based buffer overflow in glibc's client-side DNS resolver that exposes Linux machines to remote code execution. It is reached through the getaddrinfo() library function, which applications call to perform domain-name lookups: an attacker who controls the DNS server a system queries, or who can intercept its DNS traffic, can answer a lookup with a crafted, oversized response that overflows a fixed-size stack buffer in the resolver. The vulnerable path is exercised when getaddrinfo() issues parallel A and AAAA queries for an AF_UNSPEC lookup, which is the common case. Any application that resolves hostnames through glibc is therefore potentially exposed, not only DNS software itself.
Affected Software: glibc versions 2.9 through 2.22. The flaw was introduced in glibc 2.9 and is fixed in glibc 2.23; distributions generally ship a backported fix without changing the version number, so the vendor's errata, not the version string alone, is authoritative for whether a given system is patched.
CVE Reference: CVE-2015-7547
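The following program is an added example, not part of the CCIRC advisory or of glibc itself. It reports whether the glibc a binary is actually running on falls in the affected version range, using the real glibc API gnu_get_libc_version(); the range check is parsed from the version string so that strings with distribution suffixes (a constructed example such as "2.17-106.el7") are handled. As noted above, a backported fix leaves the version string unchanged, so a "vulnerable" result means "verify against the vendor's errata", not "confirmed exploitable".

```c
/* Added example (not from the advisory): check whether the running glibc
 * version lies in the range affected by CVE-2015-7547 (2.9 through 2.22,
 * fixed in 2.23). Compile with: cc -o glibc_check glibc_check.c */
#include <stdio.h>

#if defined(__GLIBC__)
#include <gnu/libc-version.h>   /* gnu_get_libc_version(): version of the loaded glibc */
#endif

/* Parse "major.minor" from a glibc version string such as "2.22".
 * Trailing text (e.g. "2.17-106.el7", a constructed distro-style string)
 * is ignored. Returns 0 on success, -1 on a malformed or NULL string. */
static int parse_glibc_version(const char *ver, int *major, int *minor)
{
    if (ver == NULL || sscanf(ver, "%d.%d", major, minor) != 2)
        return -1;
    if (*major < 0 || *minor < 0)
        return -1;
    return 0;
}

/* Returns 1 if the version is in the affected range 2.9 <= v <= 2.22,
 * 0 if it is outside that range, and -1 if the string could not be parsed.
 * A result of 1 is a prompt to check vendor errata, since backported
 * fixes do not change the version string. */
int glibc_version_affected(const char *ver)
{
    int major, minor;
    if (parse_glibc_version(ver, &major, &minor) != 0)
        return -1;
    if (major != 2)
        return 0;   /* only the 2.x series is in the affected range */
    return (minor >= 9 && minor <= 22) ? 1 : 0;
}

/* Version string of the C library loaded at run time, or "" when this
 * binary is not running on glibc (e.g. musl), where the CVE does not apply. */
const char *running_glibc_version(void)
{
#if defined(__GLIBC__)
    return gnu_get_libc_version();
#else
    return "";
#endif
}

int main(void)
{
    const char *ver = running_glibc_version();
    if (ver[0] == '\0') {
        puts("Not running on glibc; CVE-2015-7547 does not apply to this C library.");
        return 0;
    }
    switch (glibc_version_affected(ver)) {
    case 1:
        printf("glibc %s is in the affected range (2.9-2.22); "
               "confirm the vendor's backported fix via its errata.\n", ver);
        break;
    case 0:
        printf("glibc %s is outside the affected range.\n", ver);
        break;
    default:
        printf("Could not parse glibc version string \"%s\".\n", ver);
    }
    return 0;
}
```

Run the compiled binary on each host being assessed; because it reports the glibc loaded at run time rather than the one it was compiled against, the same binary can be copied between machines of the same architecture. Statically linked binaries carry their own copy of glibc and must be checked and rebuilt separately.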
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released glibc updates. Because glibc is loaded by almost every running process, the update takes effect only for processes started after it is installed: restart affected services or reboot the system, and rebuild any statically linked binaries that embed the vulnerable resolver code.
References:
https://www.kb.cert.org/vuls/id/457759
https://www.us-cert.gov/ncas/current-activity/2016/02/17/GNU-glibc-Vulnerability
https://rhn.redhat.com/errata/RHSA-2016-0175.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
http://www.zdnet.com/article/patch-linux-now-google-red-hat-warn-over-critical-glibc-bug/
https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/