Security update for glibc

Announcement ID:	SUSE-SU-2016:0471-1
Rating:	important
References:	bsc#950944 bsc#955647 bsc#956716 bsc#958315 bsc#961721 bsc#962736 bsc#962737 bsc#962738 bsc#962739
Cross-References:	CVE-2014-9761 CVE-2015-7547 CVE-2015-8776 CVE-2015-8777 CVE-2015-8778 CVE-2015-8779
CVSS scores:	CVE-2014-9761 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-7547 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves six vulnerabilities and has three security fixes can now be installed.

Description:

This update for glibc fixes the following security issues:

CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721)
CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944)
CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736)
CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737)
CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738)
CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739)

The following non-security bugs were fixed:

bsc#955647: Resource leak in resolver
bsc#956716: Don't do lock elision on an error checking mutex
bsc#958315: Reinitialize dl_load_write_lock on fork

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Desktop 12 SP1
zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-271=1
SUSE Linux Enterprise Software Development Kit 12 SP1
zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-271=1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-271=1
SUSE Linux Enterprise Server 12 SP1
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-271=1

Package List:

SUSE Linux Enterprise Desktop 12 SP1 (nosrc x86_64)
- glibc-2.19-35.1
SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
- glibc-debuginfo-32bit-2.19-35.1
- glibc-devel-32bit-2.19-35.1
- glibc-locale-32bit-2.19-35.1
- glibc-locale-debuginfo-2.19-35.1
- nscd-2.19-35.1
- nscd-debuginfo-2.19-35.1
- glibc-locale-debuginfo-32bit-2.19-35.1
- glibc-devel-2.19-35.1
- glibc-debuginfo-2.19-35.1
- glibc-devel-debuginfo-32bit-2.19-35.1
- glibc-locale-2.19-35.1
- glibc-32bit-2.19-35.1
- glibc-debugsource-2.19-35.1
- glibc-devel-debuginfo-2.19-35.1
SUSE Linux Enterprise Desktop 12 SP1 (noarch)
- glibc-i18ndata-2.19-35.1
SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
- glibc-devel-static-2.19-35.1
- glibc-debuginfo-2.19-35.1
- glibc-debugsource-2.19-35.1
SUSE Linux Enterprise Software Development Kit 12 SP1 (noarch)
- glibc-info-2.19-35.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1 (nosrc ppc64le x86_64)
- glibc-2.19-35.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
- glibc-profile-2.19-35.1
- glibc-locale-debuginfo-2.19-35.1
- nscd-2.19-35.1
- nscd-debuginfo-2.19-35.1
- glibc-devel-2.19-35.1
- glibc-debuginfo-2.19-35.1
- glibc-locale-2.19-35.1
- glibc-debugsource-2.19-35.1
- glibc-devel-debuginfo-2.19-35.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
- glibc-info-2.19-35.1
- glibc-i18ndata-2.19-35.1
- glibc-html-2.19-35.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
- glibc-profile-32bit-2.19-35.1
- glibc-debuginfo-32bit-2.19-35.1
- glibc-devel-32bit-2.19-35.1
- glibc-locale-32bit-2.19-35.1
- glibc-locale-debuginfo-32bit-2.19-35.1
- glibc-devel-debuginfo-32bit-2.19-35.1
- glibc-32bit-2.19-35.1
SUSE Linux Enterprise Server 12 SP1 (nosrc ppc64le s390x x86_64)
- glibc-2.19-35.1
SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
- glibc-profile-2.19-35.1
- glibc-locale-debuginfo-2.19-35.1
- nscd-2.19-35.1
- nscd-debuginfo-2.19-35.1
- glibc-devel-2.19-35.1
- glibc-debuginfo-2.19-35.1
- glibc-locale-2.19-35.1
- glibc-debugsource-2.19-35.1
- glibc-devel-debuginfo-2.19-35.1
SUSE Linux Enterprise Server 12 SP1 (noarch)
- glibc-info-2.19-35.1
- glibc-i18ndata-2.19-35.1
- glibc-html-2.19-35.1
SUSE Linux Enterprise Server 12 SP1 (s390x x86_64)
- glibc-profile-32bit-2.19-35.1
- glibc-debuginfo-32bit-2.19-35.1
- glibc-devel-32bit-2.19-35.1
- glibc-locale-32bit-2.19-35.1
- glibc-locale-debuginfo-32bit-2.19-35.1
- glibc-devel-debuginfo-32bit-2.19-35.1
- glibc-32bit-2.19-35.1

Security update for glibc

Description:

Patch Instructions:

Package List:

References: