Your message dated Fri, 27 Mar 2026 21:18:58 +0000
with message-id <[email protected]>
and subject line Bug#1131435: fixed in glibc 2.42-14
has caused the Debian Bug report #1131435,
regarding glibc: CVE-2026-4437
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131435
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glibc
Version: 2.42-13
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
https://sourceware.org/bugzilla/show_bug.cgi?id=3401
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for glibc.
CVE-2026-4437[0]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| Library version 2.34 to version 2.43 could, with a crafted response
| from the configured DNS server, result in a violation of the DNS
| specification that causes the application to treat a non-answer
| section of the DNS response as a valid answer.
CVE-2026-4438[1]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| library version 2.34 to version 2.43 could result in an invalid DNS
| hostname being returned to the caller in violation of the DNS
| specification.
I made only one bug because the (original) patch[2] proposed upstream
covered both.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4437
https://www.cve.org/CVERecord?id=CVE-2026-4437
[1] https://security-tracker.debian.org/tracker/CVE-2026-4438
https://www.cve.org/CVERecord?id=CVE-2026-4438
[2]
https://inbox.sourceware.org/libc-alpha/[email protected]/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
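The second CVE above is the one a caller can partly defend against on its own: until the fixed glibc is installed, nothing stops gethostbyaddr()/gethostbyaddr_r() from handing the application a string that is not a legal DNS hostname, and applications commonly splice h_name into log lines, ACL checks or shell commands. The following is an added example, not code from the bug report, from glibc or from Debian; it implements the hostname syntax rules a resolver is expected to enforce (letters, digits and hyphens only, labels of 1 to 63 characters that do not start or end with a hyphen, at most 253 characters in total) and wraps gethostbyaddr_r() so that an invalid name is rejected instead of used. The function names valid_dns_hostname and safe_reverse_lookup are assumptions of this example. The first CVE (a non-answer section accepted as the answer) happens inside the resolver's response parsing and cannot be detected from the returned hostent, so the only fix for it is the updated package.

```c
/* Added example (not part of the Debian bug or of glibc): caller-side
 * validation of a name returned by gethostbyaddr_r(), as a stop-gap for
 * the CVE-2026-4438 behaviour on an unpatched glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define DNS_MAX_NAME  253   /* maximum presentation-format hostname length */
#define DNS_MAX_LABEL 63    /* maximum length of one label */

/* Letter, digit or hyphen; checked explicitly so the result does not
 * depend on the current locale the way isalnum() would. */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Return 1 if name is a syntactically valid DNS hostname, 0 otherwise.
 * One trailing dot (absolute name) is tolerated; "" and "." are rejected. */
int valid_dns_hostname(const char *name)
{
    size_t len, label_len = 0;
    const char *p;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        len--;                                 /* strip one trailing dot */
    if (len == 0 || len > DNS_MAX_NAME)
        return 0;

    for (p = name; p < name + len; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label_len == 0)                /* empty label: ".a" or "a..b" */
                return 0;
            if (p[-1] == '-')                  /* label ends with a hyphen */
                return 0;
            label_len = 0;
            continue;
        }
        if (!is_ldh(c))                        /* space, control, 8-bit, ... */
            return 0;
        if (label_len == 0 && c == '-')        /* label starts with a hyphen */
            return 0;
        if (++label_len > DNS_MAX_LABEL)
            return 0;
    }
    return name[len - 1] != '-';               /* last label may not end in '-' */
}

/* Reverse-resolve addr_text (IPv4 or IPv6). Copies the name into out only
 * when it passes valid_dns_hostname(). Returns 1 on success, 0 when the
 * address is unparsable or has no PTR, and -1 when the resolver returned a
 * name that fails validation. Needs a working resolver; not run by the test. */
int safe_reverse_lookup(const char *addr_text, char *out, size_t outlen)
{
    struct in_addr a4;
    struct in6_addr a6;
    const void *addr;
    socklen_t alen;
    int af, herr;
    struct hostent he, *res = NULL;
    char buf[4096];

    if (inet_pton(AF_INET, addr_text, &a4) == 1) {
        addr = &a4; alen = sizeof a4; af = AF_INET;
    } else if (inet_pton(AF_INET6, addr_text, &a6) == 1) {
        addr = &a6; alen = sizeof a6; af = AF_INET6;
    } else {
        return 0;
    }
    if (gethostbyaddr_r(addr, alen, af, &he, buf, sizeof buf, &res, &herr) != 0
        || res == NULL || res->h_name == NULL)
        return 0;
    if (!valid_dns_hostname(res->h_name))
        return -1;                             /* the CVE-2026-4438 case */
    snprintf(out, outlen, "%s", res->h_name);
    return 1;
}

int main(int argc, char **argv)
{
    /* Constructed sample names; the last two are the kind of string an
     * unpatched resolver could pass through. */
    const char *samples[] = { "host.example.com", "host.example.com.",
                              "-bad.example", "bad host.example", NULL };
    char name[DNS_MAX_NAME + 2];
    int i, rc;

    for (i = 0; samples[i] != NULL; i++)
        printf("%-22s %s\n", samples[i],
               valid_dns_hostname(samples[i]) ? "valid" : "INVALID");

    if (argc > 1) {                            /* optional live check */
        rc = safe_reverse_lookup(argv[1], name, sizeof name);
        printf("%s -> %s\n", argv[1],
               rc == 1 ? name : rc == 0 ? "(no valid PTR)" : "REJECTED");
    }
    return 0;
}
```

Run it with an address argument (`./a.out 192.0.2.1`) to exercise the resolver path; with no argument it only checks the constructed samples. The validation is deliberately stricter than what the DNS wire format allows (underscores, for instance, are legal in DNS names but not in hostnames), which is the right trade-off for a name that is about to be used as a host identifier.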
--- Begin Message ---
Source: glibc
Source-Version: 2.42-14
Done: Aurelien Jarno <[email protected]>
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <[email protected]> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Mar 2026 22:08:16 +0100
Source: glibc
Architecture: source
Version: 2.42-14
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <[email protected]>
Changed-By: Aurelien Jarno <[email protected]>
Closes: 113887 1128631 1129746 1131435
Changes:
glibc (2.42-14) unstable; urgency=medium
.
[ Samuel Thibault ]
* debian/patches/hurd-i386/git-mach_send_eintr.diff: Fix assertion failure
on eintr during message send.
* debian/patches/hurd-i386/git-itimer-lock.diff: Fix setitimer mutex
inversion.
* debian/patches/hurd-i386/git-posix-timers.diff: Set _POSIX_TIMERS to
200809L. Closes: #1128631.
* debian/patches/hurd-i386/sig-alarm.diff: Fix it_interval in setitimer, thus
alarm too, on hurd-amd64.
* debian/patches/hurd-i386/git-libio-mtsafe.diff: Fix mt-safeness of libio.
* debian/patches/hurd-i386/git-cancel-sig.diff: Complete fix.
* debian/patches/hurd-i386/git-timedrwlock-unlock.diff: Fix race between
timedrd/wrlock and unlock.
* debian/patches/hurd-i386/git-sigtimedwait-timeout.diff: Fix cleaning on
sigtimedwait timing out.
* debian/testsuite-xfail-debian.mk: Update for 2.44.
.
[ Aurelien Jarno ]
* debian/sysdeps/mips*.mk: rename extra passes to match the dpkg
architecture name.
* debian/rules.d/build.mk: add a makefile function that queries the dpkg
build flags for the current pass.
* debian/rules.d/build.mk: enable stack protection depending on
-fstack-protector* flags returned by dpkg-buildflags.
* debian/rules.d/build.mk: add a makefile function to filter out dpkg build
flags incompatible with glibc and define CFLAGS from dpkg build flags.
Closes: #1129746.
* debian/control.in/{libc,i386}: downgrade the libdpkg-dev break to the
trixie version now that bug#1122107 got fixed in trixie. Also apply it to
amd64 and x32, as they are also using symbol versions used as ABI flag.
Limit the break to libc6, multilib packages will get the break
transitively through the strict depends.
* debian/symbols.wildcards: adjust ABI flags version, we need to match the
first version where the flag got introduced, not the first version where
the fix got introduced.
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix a null pointer dereference in the nss_database_check_reload_and_get
function.
- Fix invalid pointer arithmetic in ANSI_X3.110 iconv module
- Fix a typo preventing new tst-wordexp-reuse-mem to run
- Fix incorrect handling of DNS responses in gethostbyaddr and
gethostbyaddr_r (CVE-2026-4437). Closes: #1131435.
- Fix invalid DNS hostnames returned by gethostbyaddr and
gethostbyaddr_r (CVE-2026-4438). Closes: #113887.
Checksums-Sha1:
201cd708522f3efa36ffc9a5eaf8ce45c59948c4 8576 glibc_2.42-14.dsc
435bf948125353cd5bbfcf16b9697e9e58fbb1b5 433760 glibc_2.42-14.debian.tar.xz
3efa3fa699aca44bd9f78ea88a4d88c5518d0ccb 9572 glibc_2.42-14_source.buildinfo
Checksums-Sha256:
5a53b0b21a749cb8937c87b6dc57074d062dc0c1b42c57f4337fe7de3855721a 8576 glibc_2.42-14.dsc
f3cdcf45ccf89a022fe5d28fa98240b6371fda962b01a951c0f2bfe2ee1515e7 433760 glibc_2.42-14.debian.tar.xz
3572e837cfe21c53dd372598472c20e36eddbac38f4e61b8d93db34c3b030c02 9572 glibc_2.42-14_source.buildinfo
Files:
cb018a3510052d139912d95f51d2c306 8576 libs required glibc_2.42-14.dsc
2a280cc4006ab5e99f72a5ba9d09e298 433760 libs required glibc_2.42-14.debian.tar.xz
049d3e449de385ce5495944db48b8421 9572 libs required glibc_2.42-14_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpTdUngXB6HC.pgp
Description: PGP signature
--- End Message ---