StarlingX

  1. Bug #2038708
  2. Activity log

Activity log for bug #2038708

Date Who What changed Old value New value Message
2023-10-07 01:22:21 Yue Tao bug added bug
2023-10-07 01:24:07 Yue Tao cve linked 2023-4911
2023-10-07 06:22:41 Li Zhou starlingx: assignee Li Zhou (lzhou2)
2023-10-12 06:05:30 OpenStack Infra starlingx: status Triaged In Progress
2023-10-12 13:29:08 OpenStack Infra starlingx: status In Progress Fix Released
2023-10-23 03:13:22 Yue Tao description CVE-2023-4911: https://nvd.nist.gov/vuln/detail/CVE-2023-4911 A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. Base Score: High Reference: ['libc6_2.31-13+deb11u6_amd64.deb===>libc6_2.31-13+deb11u7_amd64.deb', 'libc6-dev_2.31-13+deb11u6_amd64.deb===>libc6-dev_2.31-13+deb11u7_amd64.deb', 'libc-bin_2.31-13+deb11u6_amd64.deb===>libc-bin_2.31-13+deb11u7_amd64.deb', 'libc-dev-bin_2.31-13+deb11u6_amd64.deb===>libc-dev-bin_2.31-13+deb11u7_amd64.deb', 'libc-l10n_2.31-13+deb11u6_all.deb===>libc-l10n_2.31-13+deb11u7_all.deb', 'locales_2.31-13+deb11u6_all.deb===>locales_2.31-13+deb11u7_all.deb', 'locales-all_2.31-13+deb11u6_amd64.deb===>locales-all_2.31-13+deb11u7_amd64.deb'] https://www.debian.org/security/2023/dsa-5514 https://www.tenable.com/plugins/nessus/182473 CVE-2023-4911: https://nvd.nist.gov/vuln/detail/CVE-2023-4911 A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. CVE-2023-4527: https://nvd.nist.gov/vuln/detail/CVE-2023-4527 A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash. Base Score: High Reference: ['libc6_2.31-13+deb11u6_amd64.deb===>libc6_2.31-13+deb11u7_amd64.deb', 'libc6-dev_2.31-13+deb11u6_amd64.deb===>libc6-dev_2.31-13+deb11u7_amd64.deb', 'libc-bin_2.31-13+deb11u6_amd64.deb===>libc-bin_2.31-13+deb11u7_amd64.deb', 'libc-dev-bin_2.31-13+deb11u6_amd64.deb===>libc-dev-bin_2.31-13+deb11u7_amd64.deb', 'libc-l10n_2.31-13+deb11u6_all.deb===>libc-l10n_2.31-13+deb11u7_all.deb', 'locales_2.31-13+deb11u6_all.deb===>locales_2.31-13+deb11u7_all.deb', 'locales-all_2.31-13+deb11u6_amd64.deb===>locales-all_2.31-13+deb11u7_amd64.deb'] https://www.debian.org/security/2023/dsa-5514 https://www.tenable.com/plugins/nessus/182473
2023-10-23 03:13:26 Yue Tao cve linked 2023-4527
2023-10-23 05:26:20 Yue Tao description CVE-2023-4911: https://nvd.nist.gov/vuln/detail/CVE-2023-4911 A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. CVE-2023-4527: https://nvd.nist.gov/vuln/detail/CVE-2023-4527 A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash. Base Score: High Reference: ['libc6_2.31-13+deb11u6_amd64.deb===>libc6_2.31-13+deb11u7_amd64.deb', 'libc6-dev_2.31-13+deb11u6_amd64.deb===>libc6-dev_2.31-13+deb11u7_amd64.deb', 'libc-bin_2.31-13+deb11u6_amd64.deb===>libc-bin_2.31-13+deb11u7_amd64.deb', 'libc-dev-bin_2.31-13+deb11u6_amd64.deb===>libc-dev-bin_2.31-13+deb11u7_amd64.deb', 'libc-l10n_2.31-13+deb11u6_all.deb===>libc-l10n_2.31-13+deb11u7_all.deb', 'locales_2.31-13+deb11u6_all.deb===>locales_2.31-13+deb11u7_all.deb', 'locales-all_2.31-13+deb11u6_amd64.deb===>locales-all_2.31-13+deb11u7_amd64.deb'] https://www.debian.org/security/2023/dsa-5514 https://www.tenable.com/plugins/nessus/182473 CVE-2023-4911: https://nvd.nist.gov/vuln/detail/CVE-2023-4911 A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. Base Score: High Reference: ['libc6_2.31-13+deb11u6_amd64.deb===>libc6_2.31-13+deb11u7_amd64.deb', 'libc6-dev_2.31-13+deb11u6_amd64.deb===>libc6-dev_2.31-13+deb11u7_amd64.deb', 'libc-bin_2.31-13+deb11u6_amd64.deb===>libc-bin_2.31-13+deb11u7_amd64.deb', 'libc-dev-bin_2.31-13+deb11u6_amd64.deb===>libc-dev-bin_2.31-13+deb11u7_amd64.deb', 'libc-l10n_2.31-13+deb11u6_all.deb===>libc-l10n_2.31-13+deb11u7_all.deb', 'locales_2.31-13+deb11u6_all.deb===>locales_2.31-13+deb11u7_all.deb', 'locales-all_2.31-13+deb11u6_amd64.deb===>locales-all_2.31-13+deb11u7_amd64.deb'] https://www.debian.org/security/2023/dsa-5514 https://www.tenable.com/plugins/nessus/182473
2023-10-23 05:26:38 Yue Tao cve unlinked 2023-4527