Your message dated Sat, 28 Mar 2026 00:15:12 +0100
with message-id <[email protected]>
and subject line Re: Bug#1131435: glibc: CVE-2026-4437 CVE-2026-4438
has caused the Debian Bug report #1131887,
regarding glibc: CVE-2026-4438
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131887
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glibc
Version: 2.42-13
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
https://sourceware.org/bugzilla/show_bug.cgi?id=3401
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for glibc.
CVE-2026-4437[0]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| Library version 2.34 to version 2.43 could, with a crafted response
| from the configured DNS server, result in a violation of the DNS
| specification that causes the application to treat a non-answer
| section of the DNS response as a valid answer.
CVE-2026-4438[1]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| library version 2.34 to version 2.43 could result in an invalid DNS
| hostname being returned to the caller in violation of the DNS
| specification.
I made only one bug because the (original) patch[2] proposed upstream
covered both.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4437
https://www.cve.org/CVERecord?id=CVE-2026-4437
[1] https://security-tracker.debian.org/tracker/CVE-2026-4438
https://www.cve.org/CVERecord?id=CVE-2026-4438
[2]
https://inbox.sourceware.org/libc-alpha/[email protected]/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: glibc/2.42-14
On 2026-03-25 21:58, Aurelien Jarno wrote:
> control: clone -1 -2
> control: retitle -1 glibc: CVE-2026-4437
> control: retitle -2 glibc: CVE-2026-4438
>
> Hi,
>
> On 2026-03-21 12:41, Salvatore Bonaccorso wrote:
> > Source: glibc
> > Version: 2.42-13
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
> > https://sourceware.org/bugzilla/show_bug.cgi?id=3401
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> >
> > Hi,
> >
> > The following vulnerabilities were published for glibc.
> >
> > CVE-2026-4437[0]:
> > | Calling gethostbyaddr or gethostbyaddr_r with a configured
> > | nsswitch.conf that specifies the library's DNS backend in the GNU C
> > | Library version 2.34 to version 2.43 could, with a crafted response
> > | from the configured DNS server, result in a violation of the DNS
> > | specification that causes the application to treat a non-answer
> > | section of the DNS response as a valid answer.
> >
> >
> > CVE-2026-4438[1]:
> > | Calling gethostbyaddr or gethostbyaddr_r with a configured
> > | nsswitch.conf that specifies the library's DNS backend in the GNU C
> > | library version 2.34 to version 2.43 could result in an invalid DNS
> > | hostname being returned to the caller in violation of the DNS
> > | specification.
> >
> > I made only one bug because the (original) patch[2] proposed upstream
> > covered both.
>
> At the end the patch got split in to parts, and currently only
> CVE-2026-4437 is fixed. Cloning the bug.
And then I typoed the bug number in the changelog, so closing the bug
manually.
The bug number is fixed in git, so the next upload will have a fixed
changelog.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
[email protected] http://aurel32.net
--- End Message ---
