Debian Security Advisory DSA 2976-1 (eglibc - Security Update) Network Vulnerability

Summary

Stephane Chazelas discovered that the GNU C library, glibc, processed '..' path segments in locale-related environment variables, possibly allowing attackers to circumvent intended restrictions, such as ForceCommand in OpenSSH, assuming that they can supply crafted locale settings.

Solution

For the stable distribution (wheezy), this problem has been fixed in version 2.13-38+deb7u3. This update also includes changes previously scheduled for the next wheezy point release as version 2.13-38+deb7u2. See the Debian changelog for details. We recommend that you upgrade your eglibc packages.

Affected

eglibc on Debian Linux

Detection

This check tests the installed software version using the apt package manager.

References

http://www.debian.org/security/2014/dsa-2976.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-0475

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 1090-1 (spamassassin)
Debian Security Advisory DSA 1116-1 (gimp)
Debian Security Advisory DSA 1081-1 (libextractor)
Debian Security Advisory DSA 1014-1 (firebird2)
Debian Security Advisory DSA 1135-1 (libtunepimp)

Debian Security Advisory DSA 2976-1 (eglibc - security update)

Take action and discover your vulnerabilities