An update for glibc is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1691 Final 1.0 1.0 2024-06-07 Initial 2024-06-07 2024-06-07 openEuler SA Tool V1.0 2024-06-07 glibc security update An update for glibc is now available for openEuler-22.03-LTS-SP3. The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit and more. Security Fix(es): nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. (CVE-2024-33599) nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. (CVE-2024-33600) nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. (CVE-2024-33601) nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. (CVE-2024-33602) An update for glibc is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High glibc https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1691 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-33599 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-33600 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-33601 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-33602 https://nvd.nist.gov/vuln/detail/CVE-2024-33599 https://nvd.nist.gov/vuln/detail/CVE-2024-33600 https://nvd.nist.gov/vuln/detail/CVE-2024-33601 https://nvd.nist.gov/vuln/detail/CVE-2024-33602 openEuler-22.03-LTS-SP3 glibc-debugutils-2.34-150.oe2203sp3.aarch64.rpm glibc-locale-archive-2.34-150.oe2203sp3.aarch64.rpm glibc-debuginfo-2.34-150.oe2203sp3.aarch64.rpm glibc-locale-source-2.34-150.oe2203sp3.aarch64.rpm glibc-devel-2.34-150.oe2203sp3.aarch64.rpm glibc-compat-2.17-2.34-150.oe2203sp3.aarch64.rpm glibc-all-langpacks-2.34-150.oe2203sp3.aarch64.rpm libnsl-2.34-150.oe2203sp3.aarch64.rpm nss_modules-2.34-150.oe2203sp3.aarch64.rpm glibc-common-2.34-150.oe2203sp3.aarch64.rpm glibc-2.34-150.oe2203sp3.aarch64.rpm glibc-debugsource-2.34-150.oe2203sp3.aarch64.rpm nscd-2.34-150.oe2203sp3.aarch64.rpm glibc-nss-devel-2.34-150.oe2203sp3.aarch64.rpm glibc-help-2.34-150.oe2203sp3.noarch.rpm glibc-2.34-150.oe2203sp3.src.rpm libnsl-2.34-150.oe2203sp3.x86_64.rpm glibc-compat-2.17-2.34-150.oe2203sp3.x86_64.rpm glibc-common-2.34-150.oe2203sp3.x86_64.rpm glibc-all-langpacks-2.34-150.oe2203sp3.x86_64.rpm nss_modules-2.34-150.oe2203sp3.x86_64.rpm glibc-devel-2.34-150.oe2203sp3.x86_64.rpm glibc-locale-archive-2.34-150.oe2203sp3.x86_64.rpm glibc-locale-source-2.34-150.oe2203sp3.x86_64.rpm glibc-2.34-150.oe2203sp3.x86_64.rpm glibc-debugutils-2.34-150.oe2203sp3.x86_64.rpm glibc-debuginfo-2.34-150.oe2203sp3.x86_64.rpm nscd-2.34-150.oe2203sp3.x86_64.rpm glibc-nss-devel-2.34-150.oe2203sp3.x86_64.rpm glibc-debugsource-2.34-150.oe2203sp3.x86_64.rpm nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. 2024-06-07 CVE-2024-33599 openEuler-22.03-LTS-SP3 High 7.6 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H glibc security update 2024-06-07 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1691 nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. 2024-06-07 CVE-2024-33600 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H glibc security update 2024-06-07 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1691 nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. 2024-06-07 CVE-2024-33601 openEuler-22.03-LTS-SP3 Medium 6.2 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H glibc security update 2024-06-07 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1691 nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. 2024-06-07 CVE-2024-33602 openEuler-22.03-LTS-SP3 Medium 4.0 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L glibc security update 2024-06-07 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1691