Diffstat (limited to 'NEWS')
-rw-r--r--  NEWS  25
1 files changed, 23 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 8e235360b4..52d14e38be 100644
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,25 @@ Version 2.20.1
* The following bugs are resolved with this release:
- 16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
- 17630, 17801, 18007, 18287.
+ 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
+ 17625, 17630, 17801, 18007, 18032, 18287, 18665, 18694, 18928, 19018.
+
+* A stack-based buffer overflow was found in libresolv when invoked from
+ libnss_dns, allowing specially crafted DNS responses to seize control
+ of execution flow in the DNS client. The buffer overflow occurs in
+ the functions send_dg (send datagram) and send_vc (send TCP) for the
+ NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
+ family. The use of AF_UNSPEC triggers the low-level resolver code to
+ send out two parallel queries for A and AAAA. A mismanagement of the
+ buffers used for those queries could result in the response of a query
+ writing beyond the alloca allocated buffer created by
+ _nss_dns_gethostbyname4_r. Buffer management is simplified to remove
+ the overflow. Thanks to the Google Security Team and Red Hat for
+ reporting the security impact of this issue, and Robert Holiday of
+ Ciena for reporting the related bug 18665. (CVE-2015-7547)
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.
* A buffer overflow in gethostbyname_r and related functions performing DNS
requests has been fixed. If the NSS functions were called with a
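Review bot: the two new entries are inserted with no blank line between "It is always enabled." and the existing "* A buffer overflow in gethostbyname_r and related functions" entry, while every other entry in this hunk is separated by a blank line; add one so the entries stay distinct in the rendered NEWS file. The LD_POINTER_GUARD entry also cites no bug number or CVE, unlike the CVE-2015-7547 entry directly above it and the CVE-2014-9402 entry later in the file; if it resolves one of the newly listed bugs (17269, 18032, 18665, 18694, 18928, 19018), say which one in the entry.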
@@ -51,6 +68,10 @@ Version 2.20.1
* CVE-2014-9402 The nss_dns implementation of getnetbyname could run into an
infinite loopif the DNS response contained a PTR record of an unexpected
format.
+
+* The 32-bit sparc sigaction ABI was inadvertently broken in the 2.20 release.
+ It has been fixed to match 2.19 and older, but binaries built against 2.20
+ might need to be recompiled. See BZ#18694.
Version 2.20
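Review bot: "See BZ#18694." cites the bug in a different form from the first hunk's "the related bug 18665"; use one form within the same release notes. The hedge "binaries built against 2.20 might need to be recompiled" is vague for an ABI note: state which callers are affected (binaries that call sigaction through the 2.20 32-bit sparc ABI) or, if the fix restores the 2.19 ABI so that existing binaries keep working, say that plainly and drop the "might". Since this commit touches the adjacent lines anyway, the pre-existing "infinite loopif" in the CVE-2014-9402 context line could be fixed to "infinite loop if" in the same change.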