Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Multiple Vendors libc/glob(3) resource exhaustion
Posted: Thu Oct 07, 2010 6:19 am
Forum Regular
I don't know exactly whether the CentOS/Red Hat GNU libc (glibc) is also affected, but since it seems pretty ugly I'm posting it.
Maybe Atomicorp can verify it.
Thanks

http://securityreason.com/securityalert/7822


 
 Post subject: Re: Multiple Vendors libc/glob(3) resource exhaustion
Posted: Thu Oct 07, 2010 3:56 pm
Atomicorp Staff - Site Admin
I don't see any alerts from CentOS or Red Hat for this:

https://www.redhat.com/security/data/cve/cve-2010.html

So far it does not appear to affect Linux in my testing. In proftp it will kick back an OOM, clean itself up and keep on trucking without hurting itself or the server either:

ftp> ls */../*/../*/../*/../*/../*/../*
227 Entering Passive Mode (127,0,0,1,148,53).
150 Opening BINARY mode data connection for file list
226-Out of memory during globbing of */../*/../*/../*/../*/../*/../*
226 Transfer complete
ftp> ls
227 Entering Passive Mode (127,0,0,1,223,203).
150 Opening BINARY mode data connection for file list
-rw------- 1 mshinn mshinn 390588 Apr 21 13:02 test_junk

The PHP test also fails to do anything bad on Linux.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
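
The failure mode in the FTP session above (glob() running out of memory on a deeply nested wildcard pattern), as an added example that is not part of the original posts or of ProFTPD's code: a C wrapper that refuses patterns with too many wildcard path components before calling glob(3), and reports GLOB_NOSPACE instead of crashing. The names wild_segments and guarded_glob and the limit MAX_WILD_SEGMENTS are assumptions made for illustration.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

#define MAX_WILD_SEGMENTS 3   /* assumed policy limit, tune per service */

/* Count path components that contain a glob metacharacter (*, ?, [).
 * Escaped metacharacters are counted too, which errs on the strict side. */
int wild_segments(const char *pattern)
{
    int count = 0, in_wild = 0;
    for (const char *p = pattern; ; p++) {
        if (*p == '/' || *p == '\0') {
            count += in_wild;           /* close the current component */
            in_wild = 0;
            if (*p == '\0')
                break;
        } else if (*p == '*' || *p == '?' || *p == '[') {
            in_wild = 1;
        }
    }
    return count;
}

/* Returns the number of matches, -1 if the pattern is refused by policy,
 * -2 if glob() ran out of memory (GLOB_NOSPACE), -3 on any other error. */
int guarded_glob(const char *pattern)
{
    glob_t g;
    int rc, n;
    if (wild_segments(pattern) > MAX_WILD_SEGMENTS)
        return -1;                      /* refuse before touching the filesystem */
    memset(&g, 0, sizeof g);
    rc = glob(pattern, GLOB_NOSORT, NULL, &g);
    n = (rc == 0) ? (int)g.gl_pathc
      : (rc == GLOB_NOMATCH) ? 0
      : (rc == GLOB_NOSPACE) ? -2 : -3;
    globfree(&g);
    return n;
}

int main(void)
{
    const char *tests[] = { "*/../*/../*/../*/../*/../*/../*", "/etc/*.conf", "/" };
    for (size_t i = 0; i < 3; i++)
        printf("%s wild=%d result=%d\n", tests[i], wild_segments(tests[i]), guarded_glob(tests[i]));
    return 0;
}
```

A component-count limit only bounds the pattern shape; a per-process memory limit (setrlimit) is still what contains a glob() call that is allowed to run.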


 
 Post subject: Re: Multiple Vendors libc/glob(3) resource exhaustion
Posted: Thu Oct 07, 2010 4:56 pm
Forum Regular
Thanks for the quick verification, Mike. Great service like always.


 
 Post subject: Re: Multiple Vendors libc/glob(3) resource exhaustion
Posted: Mon Oct 18, 2010 10:07 pm
Forum Regular
(worried)

Is it OK to run this update on CentOS v5?
Anyone seen any problems?

Code:
Updating:
 glibc                                        i686                     2.5-49.el5_5.5                             updates                     5.3 M
 glibc-common                                 i386                     2.5-49.el5_5.5                             updates                      16 M
 glibc-devel                                  i386                     2.5-49.el5_5.5                             updates                     2.0 M
 glibc-headers                                i386                     2.5-49.el5_5.5                             updates                     602 k
 java-1.6.0-openjdk                           i386                     1:1.6.0.0-1.16.b17.el5                     updates                      37 M
 java-1.6.0-openjdk-devel                     i386                     1:1.6.0.0-1.16.b17.el5                     updates                      12 M
 logrotate                                    i386                     3.7.4-9.el5_5.1                            updates                      40 k
 nscd                                         i386                     2.5-49.el5_5.5                             updates                     165 k

_________________
They say that good intentions, pave the road to hell;
If a thing is not worth doing, it's not worth doing well.


 
 Post subject: Re: Multiple Vendors libc/glob(3) resource exhaustion
Posted: Tue Oct 19, 2010 10:45 pm
Atomicorp Staff - Site Admin
glibc and nscd are fine, can't speak to Java - don't use it.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

