Updated glibc packages fix vulnerabilities in RPC XDR decoder

Updated glibc packages are available to fix an integer overflow in the XDR
decoder.

The glibc package contains standard libraries that are used by
multiple programs on the system. Sun RPC is a remote procedure call
framework that allows clients to invoke procedures in a server process
over a network. XDR is a mechanism for encoding data structures for use
with RPC. Glibc contains an XDR encoder/decoder derived from Sun's RPC
implementation, which was demonstrated to be vulnerable to an integer
overflow.

An integer overflow is present in the xdrmem_getbytes() function of glibc
2.3.1 and earlier. Depending upon the application, this vulnerability
could cause buffer overflows and may be exploitable leading to arbitrary
code execution.

All users should upgrade to these errata packages which contain patches to
the glibc libraries and therefore are not vulnerable to these issues.

Red Hat would like to thank eEye Digital Security for alerting us to this
issue.

The Red Hat Linux 8.0 errata packages also contain a number of bug fixes
that are not security related. For details, see the list of bugzilla bugs
fixed by this errata or the ChangeLog.

[Updated 9 April 2003]
Some bugs newly introduced by the Red Hat Linux 8.0 errata packages
has been discovered, such as wine problems or problems with debugging
threaded applications.

Once the glibc upgrade has been completed, you must either reboot the
system or restart all programs on the system (for example, by using telinit
1 and switching back to the old runlevel). Rebooting the system or
restarting the system programs is necessary to avoid vulnerable glibc
copies in memory and because changes in NSS internal interfaces which mean
that one cannot mix old NSS modules or libresolv in an application with
upgraded NSS modules or libresolv in one running application.

If sshd is running so that the other services can be restarted remotely or
for a remote reboot during an unattended glibc upgrade, glibc will also
restart sshd.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

76531 - /etc/group breaks when lines longer than 671 characters
77467 - upgrade to RH 8.0 glibc breaks mysql remote connections
81901 - character limit on any line in /etc/group - not to exceed 860
82565 - Commands that access group names fails when NIS group is large
82619 - maximum number of users in group
82645 - SEGV in __res_nquery (/lib/libresolv.so.2)
82662 - regex library handle initialized values and crashes
86339 - Update to glibc-2.3.2-4.80 breaks SSH
86359 - /lib/i686 no longer used?
86465 - Undefined __ctype_b using glibc with ncurses
86468 - crossover 1.2 does not work since export LD_ASSUME_KERNEL=2.2.5 workaround in glibc is missing. update 8.0 glibc
86534 - RedHat's glibc-2.3.2 and Samba -> assert_uid() failures?
87656 - LTC2324-Thread improperly loses lock on mutex when thread is cancelled.
88052 - register_printf_function() forgets to clear table
88056 - double free() from iofclose() on libio/tst-fopenloc
88093 - setcontext() is not signal safe
88099 - buffer underrun in read_input_file/gencat.c
88101 - using uninitialized local variable in math/test-tgmath
88104 - uinitialized variable used for __ieee754_gammal_r(NaN,)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0028

integer, overflow, RPC, sun, XDR