Commit Message
On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
>
>> The NEWS section for security-related changes in 2.26 seems very
>> incomplete, with only a single entry. It clearly needs to be filled out.
>> If people know of other significant changes missing from the main NEWS
>> section for 2.26, they should add those as well.
>
> Reminder: the security-related section is still almost empty. This needs
> to be fixed before the release.
This is what I've come up with based on bugzilla. I'll commit this
before release if it looks OK.
Siddhesh
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
Comments
On 07/31/2017 02:13 PM, Siddhesh Poyarekar wrote:
> On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
>> On Mon, 3 Jul 2017, Joseph Myers wrote:
>>
>>> The NEWS section for security-related changes in 2.26 seems very
>>> incomplete, with only a single entry. It clearly needs to be filled out.
>>> If people know of other significant changes missing from the main NEWS
>>> section for 2.26, they should add those as well.
>>
>> Reminder: the security-related section is still almost empty. This needs
>> to be fixed before the release.
>
> This is what I've come up with based on bugzilla. I'll commit this
> before release if it looks OK.
Also missing:
* A use-after-free vulnerability in clntudp_call in the Sun RPC system
has been fixed.
Thanks,
Florian
On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
> has been fixed.
Is there a CVE number for this or just a preventive fix you put in?
Siddhesh
On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>> has been fixed.
>
> Is there a CVE number for this or just a preventive fix you put in?
There will be a CVE number, but I haven't got one yet, sorry.
Florian
* Florian Weimer:
> On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
>> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>>> has been fixed.
>>
>> Is there a CVE number for this or just a preventive fix you put in?
>
> There will be a CVE number, but I haven't got one yet, sorry.
We have CVE assignments now:
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12132
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12133
@@ -196,6 +196,13 @@ Security related changes:
* The DNS stub resolver limits the advertised UDP buffer size to 1200
bytes,
to avoid fragmentation-based spoofing attacks.
+* LD_LIBRARY_PATH is now ignored in binaries running in privileged
AT_SECURE
+ mode to guard against local privilege escalation attacks
(CVE-2017-1000366).
+
+* Avoid printing a backtrace from the __stack_chk_fail function since it is
+ called on a corrupt stack and a backtrace is unreliable on a corrupt
stack
+ (CVE-2010-3192).
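Review bot: The added lines end with the __stack_chk_fail entry, so the clntudp_call use-after-free entry requested in the thread is not in this section yet. It could follow the CVE-2010-3192 entry and carry its identifier in parentheses, as the two new entries do, now that assignments have been posted. The __stack_chk_fail entry is also written as an imperative ("Avoid printing a backtrace ...") while its neighbours describe the change ("LD_LIBRARY_PATH is now ignored ...", "The DNS stub resolver limits ..."), and it repeats "corrupt stack" twice. Wording such as "The __stack_chk_fail function no longer prints a backtrace, since it is called on a corrupt stack where a backtrace is unreliable" would match the rest of the list.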