Updating NEWS for 2.26

Message ID a11ad975-c6cf-a183-8b94-ec9a0345ad0c@gotplt.org
State New, archived

Commit Message

Siddhesh Poyarekar July 31, 2017, 12:13 p.m. UTC
On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
> 
>> The NEWS section for security-related changes in 2.26 seems very 
>> incomplete, with only a single entry.  It clearly needs to be filled out.  
>> If people know of other significant changes missing from the main NEWS 
>> section for 2.26, they should add those as well.
> 
> Reminder: the security-related section is still almost empty.  This needs 
> to be fixed before the release.

This is what I've come up with based on bugzilla.  I'll commit this
before release if it looks OK.

Siddhesh


+
 The following bugs are resolved with this release:

   [The release manager will add the list generated by
  

Comments

Florian Weimer Aug. 1, 2017, 8:46 a.m. UTC | #1
On 07/31/2017 02:13 PM, Siddhesh Poyarekar wrote:
> On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
>> On Mon, 3 Jul 2017, Joseph Myers wrote:
>>
>>> The NEWS section for security-related changes in 2.26 seems very 
>>> incomplete, with only a single entry.  It clearly needs to be filled out.  
>>> If people know of other significant changes missing from the main NEWS 
>>> section for 2.26, they should add those as well.
>>
>> Reminder: the security-related section is still almost empty.  This needs 
>> to be fixed before the release.
> 
> This is what I've come up with based on bugzilla.  I'll commit this
> before release if it looks OK.

Also missing:

* A use-after-free vulnerability in clntudp_call in the Sun RPC system
has been fixed.

Thanks,
Florian
  
Siddhesh Poyarekar Aug. 1, 2017, 9:20 a.m. UTC | #2
On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
> has been fixed.

Is there a CVE number for this or just a preventive fix you put in?

Siddhesh
  
Florian Weimer Aug. 1, 2017, 9:21 a.m. UTC | #3
On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>> has been fixed.
> 
> Is there a CVE number for this or just a preventive fix you put in?

There will be a CVE number, but I haven't got one yet, sorry.

Florian
  
Florian Weimer Aug. 1, 2017, 9:16 p.m. UTC | #4
* Florian Weimer:

> On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
>> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>>> has been fixed.
>> 
>> Is there a CVE number for this or just a preventive fix you put in?
>
> There will be a CVE number, but I haven't got one yet, sorry.

We have CVE assignments now:

https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12132
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12133
  

Patch

diff --git a/NEWS b/NEWS
index ab0fb54..e068557 100644
--- a/NEWS
+++ b/NEWS
@@ -196,6 +196,13 @@  Security related changes:
 * The DNS stub resolver limits the advertised UDP buffer size to 1200
bytes,
   to avoid fragmentation-based spoofing attacks.

+* LD_LIBRARY_PATH is now ignored in binaries running in privileged
AT_SECURE
+  mode to guard against local privilege escalation attacks
(CVE-2017-1000366).
+
+* Avoid printing a backtrace from the __stack_chk_fail function since it is
+  called on a corrupt stack and a backtrace is unreliable on a corrupt
stack
+  (CVE-2010-3192).
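Review bot: the security section in this hunk still omits the clntudp_call use-after-free in the Sun RPC code that Florian raises in this thread, for which the follow-up reports CVE assignments (CVE-2017-12132 and CVE-2017-12133 are the identifiers listed); add a bullet for it alongside the LD_LIBRARY_PATH and __stack_chk_fail entries before this is committed, so the section reflects every security fix in the release. As a style point, the second bullet is phrased as an instruction ("Avoid printing a backtrace ...") while the neighbouring entries state what the library now does; consider rewording it in the same declarative form, e.g. "* The __stack_chk_fail function no longer prints a backtrace, since it is called on a corrupt stack and a backtrace is unreliable there (CVE-2010-3192)."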