A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.
Unitrends risk assessment: Severity High
Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR.
Fixed in CentOS6 update versions glibc-2.12-1.166.el6_7.7 and later.
To update to the new version of glibc with the fix, contact support for the EAPP-601 security update.
CentOS5 systems are not affected.
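The practical check a defender wants here is whether the installed glibc package is at or past the fixed build named above. The following is an added example, not Unitrends tooling or part of the advisory: it takes the package name as printed by `rpm -q glibc` (assumed `name-version-release.arch` form), compares the version/release against glibc-2.12-1.166.el6_7.7 using a simplified re-implementation of rpm's segment-wise version comparison (no tilde/caret handling), and reports CentOS 5 builds as not affected, as the advisory states. The sample package strings in `main()` are constructed for illustration.

```python
import re

# Fixed build from the advisory (CentOS 6 update versions at or after this are fixed).
FIXED_VERSION = "2.12"
FIXED_RELEASE = "1.166.el6_7.7"

_SEG = re.compile(r"(\d+|[A-Za-z]+)")
_ARCH = re.compile(r"^(.*)\.(x86_64|i686|i386|noarch)$")
_DIST = re.compile(r"\.el(\d+)")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings like rpm does (simplified).

    Strings are split into runs of digits and runs of letters; digit runs
    compare numerically, letter runs lexically, and a digit run sorts newer
    than a letter run. Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def parse_nvra(nvra):
    """Split 'glibc-2.12-1.166.el6_7.7.x86_64' into (name, version, release)."""
    m = _ARCH.match(nvra)
    if m:
        nvra = m.group(1)
    name, version, release = nvra.rsplit("-", 2)
    return name, version, release


def assess(nvra):
    """Classify an installed glibc package against the advisory's fixed build.

    Returns 'fixed', 'vulnerable', 'not-affected' (CentOS 5, per the advisory)
    or 'out-of-scope' (a dist tag the advisory does not cover).
    """
    name, version, release = parse_nvra(nvra)
    if name != "glibc":
        raise ValueError("expected a glibc package, got %r" % name)
    dist = _DIST.search(release)
    if dist is None:
        return "out-of-scope"
    if dist.group(1) == "5":
        return "not-affected"
    if dist.group(1) != "6":
        return "out-of-scope"
    cmp_result = rpmvercmp(version, FIXED_VERSION)
    if cmp_result == 0:
        cmp_result = rpmvercmp(release, FIXED_RELEASE)
    return "fixed" if cmp_result >= 0 else "vulnerable"


def main():
    # Constructed sample lines standing in for `rpm -q glibc` output on several hosts.
    samples = [
        "glibc-2.12-1.166.el6_7.7.x86_64",
        "glibc-2.12-1.166.el6_7.3.x86_64",
        "glibc-2.12-1.149.el6.i686",
        "glibc-2.5-123.el5_11.x86_64",
    ]
    for s in samples:
        print("%-36s %s" % (s, assess(s)))


if __name__ == "__main__":
    main()
```

On a live CentOS 6 host the input would come from `rpm -q glibc`; note that both the 64-bit and 32-bit glibc packages can be installed side by side, so every line of that output should be assessed, not just the first.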