Dear Wolfgang:

On 19.02.16 08:44, Wolfgang Denk wrote:
Yes, CVE-2015-7547 is serious enough to be fixed in a v5.8.1 bugfix release.

Great, that's good news indeed!

Plain v5.8 is based on Yocto 1.8.1, which does not contain the fix yet: Yocto 
1.8.1 was released on Nov 6, 2015, while the CVE-2015-7547 fix was only added 
on Feb 17 (plus a number of other glibc fixes [for CVE-2015-8776, 
CVE-2015-9761, CVE-2015-8779, CVE-2015-8777] on Jan 22); a number of other 
components have also been fixed since (CVE-2015-7511, CVE-2016-2090, 
CVE-2016-2198, CVE-2016-2197, CVE-2016-1568, CVE-2016-0754, CVE-2016-0755, 
CVE-2016-0701, CVE-2015-3197, CVE-2015-0860, CVE-2015-8704, 
CVE-2015-8705, CVE-2016-1907, CVE-2015-1283, CVE-2015-8370, CVE-2014-9496, 
CVE-2014-9756, CVE-2015-7805, CVE-2015-8380, CVE-2015-8395, CVE-2015-8126, 
CVE-2015-7236, CVE-2015-3187, CVE-2015-7942, CVE-2015-8035, ...).

So yes, there is reason for some updates...

I fully agree with you...  Being paranoid is essential these days.

However, due to the upcoming Embedded World trade show in Nuremberg next week 
we will not be able to provide such an update as quickly as we'd like to. If you 
need the fixes faster, please feel free to go ahead and cherrypick/backport the 
related patches from Yocto mainline yourself.

I don't think it's *that* urgent for me.  Not sure how other users think about 
it, but I guess having your statement that a patched version will be available 
in the near future is really all we need.  And I think this should be the time 
to send you a huge THANK YOU for your efforts and for providing this great 
package as Free Software for so many years!

If you post the patches here I promise to pick these up ASAP and roll them into 
v5.8.1.

Thanks for bringing this up, and thanks in advance for any potential patches :-)

Unfortunately, I don't have the time to go to Nürnberg, but maybe I'll find 
some time to look into it...

Cheers,
Albrecht.


_______________________________________________
eldk mailing list
[email protected]
http://lists.denx.de/mailman/listinfo/eldk
