Bug 910599 (CVE-2014-9402) - VUL-0: CVE-2014-9402: glibc: denial of service in getnetbyname function
Status: RESOLVED FIXED
Duplicates: 922948
Alias: CVE-2014-9402
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Assignee: Andreas Schwab
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111679/
Whiteboard: maint:running:60374:moderate maint:...
Reported: 2014-12-18 08:04 UTC by Alexander Bergmann
Modified: 2015-07-07 08:00 UTC

Found By: Security Response Team
Description Alexander Bergmann 2014-12-18 08:04:35 UTC
rh#1175369

It was reported [1] that the getnetbyname function in glibc 2.21 and earlier will enter an infinite loop if the DNS backend is activated in the system Name Service Switch configuration, and the DNS resolver receives a positive answer while processing the network name.

Upstream commit that fixes this issue:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=11e3417af6e354f1942c68a271ae51e892b2814d

[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=17630

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1175369
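
The description names one precondition, the DNS backend being active for network lookups in the Name Service Switch configuration. The script below is an added example, not part of the bug report or of glibc, that checks an nsswitch.conf file for that setting. The function names are hypothetical, the sample files are constructed, and it does not check the installed glibc version.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether nsswitch.conf routes
# the "networks" database through the "dns" source.

# Print the sources configured for "networks", one per line.
# Comments and [STATUS=action] items are stripped first.
networks_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/ /g' "$1" |
    awk '/^[ \t]*networks[ \t]*:/ {
             sub(/^[^:]*:/, "")
             for (i = 1; i <= NF; i++) print $i
         }'
}

# Exit status: 0 = dns is listed, 1 = sources listed but no dns,
# 2 = no networks sources configured (glibc's built-in default applies).
networks_uses_dns() {
    srcs=$(networks_sources "$1")
    [ -n "$srcs" ] || return 2
    printf '%s\n' "$srcs" | grep -qx 'dns'
}

# One-word verdict for reports (hypothetical labels).
networks_verdict() {
    rc=0
    networks_uses_dns "$1" || rc=$?
    case $rc in
        0) echo dns-enabled ;;
        1) echo dns-not-listed ;;
        *) echo unset-check-default ;;
    esac
}

# Constructed sample configurations, so the script runs offline.
demo_dir=$(mktemp -d)
printf 'hosts: files dns\nnetworks: files dns  # constructed\n' > "$demo_dir/a.conf"
printf 'networks:\tfiles [NOTFOUND=return] nis\n#networks: dns\n' > "$demo_dir/b.conf"
printf 'passwd: files\nhosts: files dns\n' > "$demo_dir/c.conf"
for f in a b c; do
    echo "$f.conf: $(networks_verdict "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

On a real host, `networks_verdict /etc/nsswitch.conf` gives the verdict for the live configuration; an `unset-check-default` result means the compiled-in default of the installed glibc decides whether DNS is consulted.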
Comment 1 Alexander Bergmann 2014-12-18 08:05:18 UTC
CVE-2014-9402 was assigned to this issue.
Comment 2 Swamp Workflow Management 2014-12-18 23:00:33 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2015-01-23 07:24:47 UTC
can we also include this in the current update?
Comment 8 Swamp Workflow Management 2015-02-23 14:05:16 UTC
openSUSE-SU-2015:0351-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 906371,910599,915526,916222
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.5.1, glibc-testsuite-2.19-16.5.2, glibc-utils-2.19-16.5.1
openSUSE 13.1 (src):    glibc-2.18-4.25.1, glibc-testsuite-2.18-4.25.2, glibc-utils-2.18-4.25.1
Comment 12 Swamp Workflow Management 2015-03-18 17:06:51 UTC
SUSE-SU-2015:0526-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 864081,905313,906371,909053,910599,915526,915985,916222
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    glibc-2.19-20.3
SUSE Linux Enterprise Server 12 (src):    glibc-2.19-20.3
SUSE Linux Enterprise Desktop 12 (src):    glibc-2.19-20.3
Comment 13 Marcus Meissner 2015-03-19 16:29:01 UTC
released all of them now
Comment 14 Swamp Workflow Management 2015-03-19 23:05:40 UTC
SUSE-SU-2015:0550-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 887022,906371,910599,916222,918233
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    glibc-2.4-31.117.1
Comment 15 Swamp Workflow Management 2015-03-19 23:06:43 UTC
SUSE-SU-2015:0551-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 887022,906371,910599,915526,916222,918233
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    glibc-2.11.3-17.45.59.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    glibc-2.11.1-0.64.1
Comment 16 Leonardo Chiquitto 2015-03-27 15:30:36 UTC
*** Bug 922948 has been marked as a duplicate of this bug. ***
Comment 17 Bernhard Wiedemann 2015-07-07 08:00:45 UTC
This is an autogenerated message for OBS integration:
This bug (910599) was mentioned in
https://build.opensuse.org/request/show/315336 42 / glibc