On 2021-06-04 20:34, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>
> > On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote:
> >> control: forcemerge 967938 969926
> >>
> >> Hi,
> >>
> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> > Source: glibc
> >> > Version: 2.28-10
> >> > Severity: serious
> >> > Tags: security upstream patch
> >> > X-Debbugs-Cc: Debian Security Team <[email protected]>
> >> >
> >> > Hi,
> >> >
> >> > we are running into the bug
> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> > causing systemd-sysusers to segfault.
> >> >
> >> > Patch is available in the linked bug report.
> >>
> >> This has already been reported, Florian will work on a backport, as it
> >> is not straightforward to backport it to buster due to the usage of
> >> private symbols.
> >
> > Florian, did you manage to backport this to 2.31? It would be nice to get
> > this fixed for a Buster point release still.
>
> Do you mean 2.28? DJ Delorie did the backport, and Carlos O'Donell
> implemented the GLIBC_PRIVATE ABI compatibility fix. I'll see if I
> can get the patches to apply to Debian's 2.28 tree.

Is it possible to commit those patches to the upstream 2.28 branch? If
so, I guess we can simply pull the branch in the Debian package, fixing
many other security bugs at the same time.

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                 http://www.aurel32.net

