diff mbox

Updating NEWS for 2.26

Message ID a11ad975-c6cf-a183-8b94-ec9a0345ad0c@gotplt.org
State New, archived
Headers show

Commit Message

Siddhesh Poyarekar July 31, 2017, 12:13 p.m. UTC
On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
> 
>> The NEWS section for security-related changes in 2.26 seems very 
>> incomplete, with only a single entry.  It clearly needs to be filled out.  
>> If people know of other significant changes missing from the main NEWS 
>> section for 2.26, they should add those as well.
> 
> Reminder: the security-related section is still almost empty.  This needs 
> to be fixed before the release.

This is what I've come up with based on bugzilla.  I'll commit this
before release if it looks OK.

Siddhesh


+
 The following bugs are resolved with this release:

   [The release manager will add the list generated by

Comments

Florian Weimer Aug. 1, 2017, 8:46 a.m. UTC | #1
On 07/31/2017 02:13 PM, Siddhesh Poyarekar wrote:
> On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
>> On Mon, 3 Jul 2017, Joseph Myers wrote:
>>
>>> The NEWS section for security-related changes in 2.26 seems very 
>>> incomplete, with only a single entry.  It clearly needs to be filled out.  
>>> If people know of other significant changes missing from the main NEWS 
>>> section for 2.26, they should add those as well.
>>
>> Reminder: the security-related section is still almost empty.  This needs 
>> to be fixed before the release.
> 
> This is what I've come up with based on bugzilla.  I'll commit this
> before release if it looks OK.

Also missing:

* A use-after-free vulnerability in clntudp_call in the Sun RPC system
has been fixed.

Thanks,
Florian
Siddhesh Poyarekar Aug. 1, 2017, 9:20 a.m. UTC | #2
On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
> has been fixed.

Is there a CVE number for this or just a preventive fix you put in?

Siddhesh
Florian Weimer Aug. 1, 2017, 9:21 a.m. UTC | #3
On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>> has been fixed.
> 
> Is there a CVE number for this or just a preventive fix you put in?

There will be a CVE number, but I haven't got one yet, sorry.

Florian
Florian Weimer Aug. 1, 2017, 9:16 p.m. UTC | #4
* Florian Weimer:

> On 08/01/2017 11:20 AM, Siddhesh Poyarekar wrote:
>> On Tuesday 01 August 2017 02:16 PM, Florian Weimer wrote:
>>> * A use-after-free vulnerability in clntudp_call in the Sun RPC system
>>> has been fixed.
>> 
>> Is there a CVE number for this or just a preventive fix you put in?
>
> There will be a CVE number, but I haven't got one yet, sorry.

We have CVE assignments now:

https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12132
https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2017-12133
diff mbox

Patch

diff --git a/NEWS b/NEWS
index ab0fb54..e068557 100644
--- a/NEWS
+++ b/NEWS
@@ -196,6 +196,13 @@  Security related changes:
 * The DNS stub resolver limits the advertised UDP buffer size to 1200
bytes,
   to avoid fragmentation-based spoofing attacks.

+* LD_LIBRARY_PATH is now ignored in binaries running in privileged
AT_SECURE
+  mode to guard against local privilege escalation attacks
(CVE-2017-1000366).
+
+* Avoid printing a backtrace from the __stack_chk_fail function since it is
+  called on a corrupt stack and a backtrace is unreliable on a corrupt
stack
+  (CVE-2010-3192).