SUSE-SA:2010:052 -- SUSE glibc local privilege escalation

ID: oval:org.secpod.oval:def:400056
Date: (C)2012-01-31   (M)2024-04-17
Class: PATCH
Family: unix




The Linux C library glibc was updated to fix critical security issues and several bugs:

CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in the context of e.g. setuid root programs, elevating privileges. This specific issue did not affect SUSE, as an assertion triggers before the respective code is executed. The bug was fixed by this update nevertheless.

CVE-2010-3856: The LD_AUDIT environment variable was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevate privileges.

Both of these were found by Tavis Ormandy and we thank him for finding and reporting those issues.

SUSE Linux Enterprise Server 9 is not affected by the above problems, as its glibc supports neither LD_AUDIT nor the $ORIGIN expansion required by the first problem.

On openSUSE 11.1, 11.2, SUSE Linux Enterprise 10 Service Pack 3 and SUSE Linux Enterprise 11 GA, the following minor security issues were also fixed:

CVE-2010-0830: An integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. This would require running this mode on untrusted code, which we did not consider likely. We thank Dan Rosenberg for reporting this problem.

CVE-2010-0296: The addmntent function did not escape the newline character properly, allowing the user to insert arbitrary newlines into /etc/mtab. If addmntent is run by a setuid mount binary that does not do extra input checks, this would allow custom entries to be inserted in /etc/mtab. We thank Dan Rosenberg and Jeff Layton for reporting this problem.

CVE-2008-1391: The strfmon function contains an integer overflow vulnerability in its handling of width specifiers that could be triggered by an attacker who can control the format string passed to strfmon. We thank Maksymilian Arciemowicz for reporting this problem.

CVE-2010-0015: Some setups include shadow information as a so-called "adjunct passwd" table, mangling it with the rest of the passwd columns instead of keeping it in the shadow table. Normally, Solaris will disclose this information only to clients bound to a privileged port, but when nscd is deployed on the client, getpwnam would disclose the password hashes to all users. A new mode, "adjunct as shadow", can now be enabled in /etc/default/nss that will move the password hashes from the world-readable passwd table to an emulated shadow table. We thank Christoph Pleger for reporting this problem.

Platform:
openSUSE 11.1
openSUSE 11.3
openSUSE 11.2
Product:
glibc
Reference:
SUSE-SA:2010:052
CVE-2008-1391
CVE-2010-0015
CVE-2010-0296
CVE-2010-0830
CVE-2010-3847
CVE-2010-3856
CPE:
cpe:/o:opensuse:opensuse:11.1
cpe:/o:opensuse:opensuse:11.3
cpe:/o:opensuse:opensuse:11.2

© SecPod Technologies