Yellow Dog Linux Security Announcement
--------------------------------------

Package:      glibc
Issue Date:   December 27, 2002
Priority:     medium
Advisory ID:  YDU-20021227-1

1. Topic:

   Updated glibc packages are available.

2. Problem:

   "Updated glibc packages are available to fix a buffer overflow in the
   resolver.

   The GNU C library package, glibc, contains standard libraries used by
   multiple programs on the system.

   A read buffer overflow vulnerability exists in the glibc resolver code in
   versions of glibc up to and including 2.2.5. The vulnerability is
   triggered by DNS packets larger than 1024 bytes and can cause
   applications to crash.

   All [Yellow Dog] Linux users are advised to upgrade to these errata
   packages which contain a patch to correct this vulnerability.

   This errata has been updated to work with programs querying DNS from
   extremely small stack sizes, such as MySQL." (from Red Hat advisory)

3. Solution:

   a) Updating via apt...

      We suggest that you use the apt-get program to keep your system
      up-to-date. The following command(s) will retrieve and install the
      fixed version of this update onto your system:

         apt-get update
         apt-get install glibc

   b) Updating manually...

      Download the updates below and then run the following rpm command.
      (Please use a mirror site)

         rpm -Fvh [filenames]

      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/

         ppc/glibc-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-common-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-debug-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-debug-static-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-devel-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-profile-2.2.5-42.2.3a.ppc.rpm
         ppc/glibc-utils-2.2.5-42.2.3a.ppc.rpm
         ppc/nscd-2.2.5-42.2.3a.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   9f081ba5d1f51734b383c151b00ad380  ppc/glibc-2.2.5-42.2.3a.ppc.rpm
   10eece6b1bc2c614ffd3b22c9c1020a9  ppc/glibc-common-2.2.5-42.2.3a.ppc.rpm
   3cdd77c0a0f92c69db7dd2803c4ea3c3  ppc/glibc-debug-2.2.5-42.2.3a.ppc.rpm
   32f6fbe1030e80a9ad5461766b34adad  ppc/glibc-debug-static-2.2.5-42.2.3a.ppc.rpm
   392121e531c9e4e8db378464d13dcb9b  ppc/glibc-devel-2.2.5-42.2.3a.ppc.rpm
   01fe186ec9a3fd46c76725594a0c126f  ppc/glibc-profile-2.2.5-42.2.3a.ppc.rpm
   a7cd4e5d5abfeba5630c08bb72ce10b1  ppc/glibc-utils-2.2.5-42.2.3a.ppc.rpm
   ffec5f87c8571776c90e7d84822c468b  ppc/nscd-2.2.5-42.2.3a.ppc.rpm
   0146b6b63505bab4ad1ea4f99042ce90  SRPMS/glibc-2.2.5-42.2.3a.src.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

      rpm --checksig --nogpg filename

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.terrasoftsolutions.com/ for more information.

   For information regarding the usage of apt-get, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
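
The check from section 4 applied to a whole download directory, as an added example that is not part of the original advisory: it parses rows in the Verification table's layout and compares each downloaded file's MD5 against them. The function names and the demo's file names and contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# One row of the advisory's Verification table: 32 hex digits, then a package path.
ROW = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+\.rpm)\s*$")

def parse_checksum_table(text):
    """Return {package basename: md5 hex}; lines that are not table rows are skipped."""
    expected = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            expected[os.path.basename(m.group(2))] = m.group(1).lower()
    return expected

def md5_of(path, chunk=1 << 20):
    """Hash the file in chunks so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_downloads(table_text, directory):
    """Map each package to 'ok', 'MISMATCH' or 'missing'; extra .rpm files are 'unlisted'."""
    expected = parse_checksum_table(table_text)
    report = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if md5_of(path) == digest else "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name.endswith(".rpm") and name not in expected:
            report[name] = "unlisted"
    return report

if __name__ == "__main__":
    # Constructed demo: two stand-in files and a table in the advisory's layout.
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good-1.0.ppc.rpm", b"intact"), ("bad-1.0.ppc.rpm", b"altered")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        table = "%s ppc/good-1.0.ppc.rpm\n%s ppc/bad-1.0.ppc.rpm\n%s ppc/gone-1.0.ppc.rpm\n" % (
            hashlib.md5(b"intact").hexdigest(), hashlib.md5(b"original").hexdigest(), "0" * 32)
        for name, status in verify_downloads(table, d).items():
            print(status, name)
```

An MD5 match only shows that a file agrees with the table; the --nogpg option in the rpm command above skips the GPG signature check.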