From patchwork Mon Jul 31 12:13:30 2017
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 21822
Subject: Re: Updating NEWS for 2.26
To: Joseph Myers, libc-alpha@sourceware.org
From: Siddhesh Poyarekar
Date: Mon, 31 Jul 2017 17:43:30 +0530

On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
>
>> The NEWS section for security-related changes in 2.26 seems very
>> incomplete, with only a single entry. It clearly needs to be filled out.
>> If people know of other significant changes missing from the main NEWS
>> section for 2.26, they should add those as well.
>
> Reminder: the security-related section is still almost empty. This needs
> to be fixed before the release.

This is what I've come up with based on bugzilla. I'll commit this
before release if it looks OK.

Siddhesh

+ The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/NEWS b/NEWS index ab0fb54..e068557 100644 --- a/NEWS +++ b/NEWS 
@@ -196,6 +196,13 @@ Security related changes: * The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes, to avoid fragmentation-based spoofing attacks. +* LD_LIBRARY_PATH is now ignored in binaries running in privileged AT_SECURE + mode to guard against local privilege escalation attacks (CVE-2017-1000366). + +* Avoid printing a backtrace from the __stack_chk_fail function since it is + called on a corrupt stack and a backtrace is unreliable on a corrupt stack + (CVE-2010-3192).
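Review bot: The __stack_chk_fail entry is written in the imperative ("Avoid printing a backtrace from ..."), while the two entries above it describe the new behaviour declaratively ("The DNS stub resolver limits ...", "LD_LIBRARY_PATH is now ignored ..."). Rewording it as "The __stack_chk_fail function no longer prints a backtrace, since it is called on a corrupt stack where a backtrace is unreliable (CVE-2010-3192)" would match them and also remove the repeated "on a corrupt stack". The entry also gives the reason for the change but not the exposure it closes, whereas the LD_LIBRARY_PATH entry names local privilege escalation; a short clause stating the impact would let readers judge the CVE from NEWS alone.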